How to Defend Against Threats So You Don’t Become a Hostage

Matt Kaneko
Solution Tech lead architect
BRKSEC-2140

Agenda

• Introduction

• Ransomware 101

• Ransomware Defence Overview

• Solution Architecture

• Layers of Defence

• Conclusion

Ransomware: A Growing Threat for Government Agencies

“On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015.”

US Department of Homeland Security, July 11, 2016

IBM report, “Ransomware: How Consumers and Businesses Value Their Data”

“NHS (National Health Service) organisations have reported they have suffered a ransomware attack. This is not targeted at the NHS. It is an international attack. A number of countries and organisations have been affected.”

Theresa May, British Prime Minister, May 12th, 2017

CNN: More than 45,000 malicious computer attacks across 74 countries in the initial 10 hours of outbreak.

BRKSEC-2140 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

• NHS ransomware cyber attack spreads worldwide
• Internet of Things Makes Ransomware Big Business for Cyber Criminals
• A Top Cybersecurity Firm Says Ransomware Attacks Are Getting Worse
• Ransomware Is Targeting US Companies Of All Sizes

*Malwarebytes State of Report 2017

Ransomware Trends

1 year ago - Industry Top Targets for Ransomware

[Chart: Ransomware Victims by Industry. Industries shown: Manufacturing, Healthcare, Education, Tech, Banking. Percentages shown: 28%, 54%, 29%, 35%, 44%.]

Source: Oct 2016 survey of 1138 companies by KnowBe4

May 2017 - Industry Top Targets for Ransomware

[Chart: industries shown: Business & Professional Services, Government, Healthcare, Retail, Other. Percentages shown: 23%, 28%, 15%, 19%, 15%.]

NTT Security Global Threat Intelligence Report

Ransomware Trends

• 2016: Smaller scale; aim for profit
• 2017: Global scale & timing; professional uplift (fame)
• 2017-2018: Target attacks; decoy; business disruption

WHAT WOULD YOU DO - IF?

Ransomware is a Business Conversation

➢ Down Time Impact – How much money do you lose with every hour of downtime?
➢ How much information (customer, production, patient, client, service, sales, …) can you afford to never get back?
➢ Level of business disruption until it factors into your quarterly earnings?

Ransomware 101

Ransomware: Easy Profits

• Most profitable malware in history
• Lucrative: Direct payment to attackers!
• Markets and Markets predict ransomware will be a $17 billion business by 2021
• A relatively new development in this criminal industry is RaaS:
  o No coding skills needed by attacker
  o Developer receives a monthly payment and/or a percentage of profits
• It’s no longer just about the ransom: criminals use ransomware to distract the company while they spread through the network and steal information

The Evolution of Ransomware Variants

The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.

[Timeline figure, 1989 to 2017 and later (years marked: 1989, 2001, 2005, 2006, 2007, 2008, 2012, 2013, 2014, 2015, 2016, 2017). Milestones marked: First commercial Android phone; Bitcoin network launched; Worm type ransomware. Variants named: PC Cyborg, Fake Antivirus, Redplus, GPCoder, QiaoZhaz, CRYZIP, Cokri, Ransomlock, Reveton, Lockscreen, Dirty Decrypt, Urausy, Svpeng, Kovter, Cryptolocker, Cryptorbit, Cryptographic Locker, CryptoDefense, Koler, Simplelock, CoinVault, TorrentLocker, CBT-Locker, Virlock, Cryptowall, TeslaCrypt, Teslacrypt 2.0, Teslacrypt 3.0, Teslacrypt 4.0, Teslacrypt 4.1, Tox, Cryptvault, DMALock, Chimera, Hydracrypt, Lockdroid, Powerware, Radamant, Rokku, Cerber, SamSam, Locky, 73V3N, Keranger, WannaCry/Nyetya]

Nyetya Ransomware

Typical Ransomware Infection

Problem: People and businesses can be taken hostage by malware that locks up critical resources

1. Infection Vector: Ransomware frequently uses web and email
2. C2 Comms & Asymmetric Key Exchange: Ransomware takes control of targeted systems
3. Encryption of Files: Ransomware holds those systems’ files ‘hostage’
4. Request of Ransom: Owner/company challenged to pay the ‘ransom’ (bitcoins) to free the system

YOUR FILES ARE ENCRYPTED

A Successful Attack Becomes Personal

• Emotional
• Personal
• Something important taken, and you don’t have the control to get it back
• Customers, patients, clients, students – PEOPLE SUFFER
• Panic
• ‘Why Me’
• Trust is Violated
• Pay – or Else
• Crisis

Ransomware Problem

Problem

Customers can be taken hostage by malware that locks up critical resources – Ransomware
• Ransomware gains access to systems through web and email
• Ransomware takes control of those systems, and holds those systems ‘hostage’ until the owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system

Effect

This can be catastrophic to businesses for a period of time
• Hospitals taking care of patients and losing the ability to give them real-time care (admittance, surgeries, medications, etc.)
• Public safety not being able to respond to emergency incidents
• Financial banking systems offline from trading or banking activities
• Manufacturing production downtime – direct hit to bottom line

Ransomware Defence Overview

Cisco Ransomware Defence Solution

Solution to Prevent, Detect, and Contain Ransomware Attacks

Cisco Ransomware Defence Solution is not a silver bullet, and not a guarantee. It does help to:

• Prevent ransomware from getting into the network where possible
• Stop it at the systems before it gains command and control
• Detect when it is present in the network
• Work to contain it from expanding to additional systems and network areas
• Perform incident response to fix the vulnerabilities and areas that were attacked

Recommends best practice backup and recovery policies be implemented and tested

This solution helps to keep business operations running with less fear of being taken hostage and losing control of critical systems

How Ransomware Works

1. User Clicks a Link or Malvertising Ad; Email w/ Malicious Attachment
2. Initial Exploit Using Angler or other malware kits
3. Command & Control callback
4. Ransomware payload downloaded and installed
5. Key retrieval and payment information

[Diagram labels: PHISHING SPAM (Web link, Email attachment); COMPROMISED SITES AND MALVERTISING (Web redirect); EXPLOIT KIT DOMAINS (Angler, Nuclear, Neutrino); File drop; RANSOMWARE PAYLOAD; C2; Encryption Key Infrastructure; Malicious Infrastructure]

Most Ransomware Relies on DNS and C2 Callbacks

Ransomware Examples that use DNS for Command & Control (C2) Callbacks

Table column headings: NAME*, DNS, IP, NO C2, TOR, PAYMENT (group headings: Encryption Key, Payment MSG)

• Locky: DNS
• SamSam: DNS (TOR)
• TeslaCrypt: DNS
• CryptoWall: DNS
• TorrentLocker: DNS
• PadCrypt: DNS (TOR)
• CTB-Locker: DNS
• FAKBEN: DNS (TOR)
• PayCrypt: DNS
• KeyRanger: DNS

*Top variants as of March 2016

Ransomware Kill Chain - Seven Stages of an Attack

TARGET → COMPROMISE → BREACH

RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST

ATTACKER: INFRASTRUCTURE USED BY ATTACKER; FILES/PAYLOADS USED BY ATTACKER

Capabilities Needed to Break the Kill Chain

• Threat intelligence – Knowledge of existing ransomware and communication vectors
• E-mail security – Block ransomware attachments and links
• Web Security – Block web communication to infected sites and files
• DNS Security – Break the Command & Control call back
• Client Security – Inspect files for ransomware and viruses, quarantine and remove
• Segment infrastructure – Authenticate access, separate traffic based on role and policy
• Intrusion Prevention – Block attacks, exploitation and intelligence gathering
• Monitor Infrastructure communications – Identify and alert on abnormal traffic flows

Capability Defence against the “Kill Chain”

TARGET → COMPROMISE → BREACH

RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST

[Matrix: defence capabilities placed against the kill-chain stages. Capabilities shown: DNS Security, Host Anti-Malware, Network Anti-Malware, Email Security, Web Security, FW, IPS, Flow Analytics, Threat Intelligence, End–to–End Infrastructure Defence]

How You Get Infected

• SALESMAN RESEARCHING NEW PRODUCTS: Outbound web access
• ENGINEER OPENING E-MAIL FROM VENDOR: Opening E-mail
• EMPLOYEE ACCESSING FILES ON SERVER: Accessing new shared files

What Can We Do Before-During-After Ransomware

Capabilities needed to protect your business functions

Salesman researching new products: Secure outbound web access

[Diagram: Webpage retrieval requested; DNS; Ransomware Downloaded]

Capabilities: Anti-Virus, Anti-Malware, DNS Security, TrustSec Segmentation, Flow Analytics, Threat Intelligence, NextGen Intrusion Prevention, NextGen Firewall, Web Security

Defence In Depth – Best Threat Surface Coverage Possible

[Diagram: Web Browsing from a Corporate Device through the Access Switch, Distribution Switch, Core Switch, Firepower Appliance and Router (layers: Access, Distribution, Core, Local Services). Events shown: Webpage retrieval requested; DNS; Ransomware Downloaded. CLOUD SERVICES: Malware Sandbox (ThreatGrid), Policy (AMP4E), Threat Intelligence (Talos), DNS-Layer Security (OpenDNS), Command & Control, Web Security]

Solving For Ransomware – Application of Security, Visibility & Controls

[Diagram: three user scenarios (Accessing File Share, Web Browsing, Open Email Attachment), each starting at a Corporate Device on an Access Switch and using DNS, across the Access, Distribution, Core and Local Services layers, with Web Security, Firepower Appliance, Router and File Server in the path.
CLOUD SERVICES: Malware Sandbox (ThreatGrid), Threat Intelligence (Talos), Endpoint Policy (AMP4E), Cloud Security (Umbrella).
DATA CENTRE SERVICES: Monitoring (Stealthwatch), Policy (FMC), Identity (ISE), CMX, E-mail Security.
Recovery elements: Disaster Recovery DC1, Disaster Recovery DC2, Secure Infrastructure, Backups, Redundancy, Standardised System Images]

Defend against the entire “Kill Chain”

Talos, AMP + TG (everywhere) to log pivots

TARGET → COMPROMISE → BREACH

RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST

[Matrix: three defence tiers placed against the kill-chain stages.
Quick Defence With Cloud!: Umbrella on/off-net (all ports), ODNS intel, AMP + TG (for content, for endpoint), CES + TG, TALOS research and intel.
Advanced WEB Defence: SWG/WSA proxy on/off-net, CTA.
Layered Defence, Protect Me Once They’re In!: FTD, WSA/ESA, AMP network, ISE+TrustSec containment and IP layer segmentation, Stealthwatch netflow visibility, Investigate Internet-wide visibility, TALOS intel]

Backup and Recovery

Backup strategies include both on-site and off-site methods:
• Tape rotation / Optical Disc / Disconnected Storage
• Secure write – no delete or changes
• Accelerating from weekly to daily and hourly, or real-time duplication

Standardised desktop and server images ensure a clean system is returned to service more quickly and with less risk than trying to fix an infected system. Re-image after any desired forensics are recorded.

Redundant infrastructure and hot standby data services for critical systems can enable key services to be restored quickly after infected systems are quarantined and taken off-line.

A secure enterprise backup solution could easily be defeated through password reuse and/or poor password management.

Best Practices – Things I Can Do!

1. What are your critical priorities to running your business? Can they be impacted if your systems are locked down?
2. Do you have good disaster recovery? Train to implement it on a regular basis.
3. Do you have good backups? Test them regularly.
4. What people/process/tools do you have in place to handle a critical disruption or event?
5. Do you have a baseline of applications, information, running network performance?

Simplified Solution Architecture view

Prevent, Detect and Contain Ransomware with Cisco Email Security, Umbrella, and AMP Threat Grid

• Blocked by Cisco Cloud Email Security with AMP Threat Grid
• DNS: Blocked by Cisco Umbrella (Cloud Security)
• Blocked by Cisco AMP for Endpoints (Host Anti-Malware)
• Detection with Threat Grid

Prevent, Detect and Contain Ransomware with Cisco Stealthwatch, Firepower, and ISE+TrustSec

DETECT AND CONTAIN IN NETWORK

• Talos Security Intelligence
• Malicious Infrastructure: C2 callbacks, Worm propagation, Zero-day Attack and Infection
• NGFW blocks inbound and outbound connections
• Stealthwatch detects and alerts
• SW Notifies ISE
• ISE pushes containment policy using TrustSec and Firepower
• ISE+TrustSec dynamic SGT containment
• NGFW protects and segments clean systems

System states shown: RANSOMWARE INFECTED, RANSOMWARE CONTAINED, CLEAN SYSTEMS

• Detection and Segmentation with Cisco Firepower Threat Defence and Management Centre
• Detection with Cisco Stealthwatch: Network visibility & Security Analytics
• Containment with Cisco Identity Services Engine (ISE) and TrustSec

Layers of Defence

Quick Defence Overview

• CES – Show sending of phishing e-mail with ransomware, malware link getting replaced on CES, show CES log and console
• Umbrella – Demo of bad link getting blocked, show Umbrella Console log
• AMP4E – Show new Ransomware getting submitted to TG, TG Report, and Ransomware now blocked on different system.

The Outer Most Layer – Email Security

Prevent, Detect and Contain Ransomware with Cisco Cloud Email Security

Blocked by Cisco Cloud Email Security with AMP Threat Grid

Cisco Email Security Blocks Phishing Email Links and Ransomware Attachments

Example Phishing E-mail

• Hidden URL: HTML formatted emails hide the true URL link.
• Counterfeit message footer: Realistic phishing e-mails copy content from messages sent to customers.

When CES identifies an unknown URL that is potentially malicious, the URL is re-written using the Outbreak Filters feature and users can be re-directed to a confirmation page. This behaviour is configurable.

CES Proxy

Decision Buttons: These are the decision options presented before continuing to the underlying web page previewed in the background.

Incoming Mail Policies: Outbreak Filters

The CES policy in this example was set to strip Ransomware attachments and send the remainder of the message so that our testing could be validated. Cisco recommends configuring the policy to drop the entire message, not just remove the attachment.

Incoming Mail Policies: Advanced Malware Protection

AMP and Threat Grid Integration by CES – Malicious File Report

The Second Layer – Cloud Security

Prevent and Detect Ransomware with Cisco Umbrella (formerly OpenDNS)

DNS: Blocked by Cisco Umbrella (Cloud Security)

Umbrella Stops Phishing Links Immediately

Umbrella Blocks Phishing Links

The Last Layer – Host Anti-Malware

Prevent, Detect and Contain Ransomware with Cisco AMP for Endpoints

Blocked by Cisco AMP for Endpoints (Host Anti-Malware)

AMP Immediately Blocks Known Ransomware

AMP Device Trajectory Shows Activity of the User’s System

Prevent, Detect and Contain Ransomware with Cisco AMP Threat Grid

Zero-Day Detection by Cisco AMP Threat Grid (Sandbox Analysis)

AMP “Automatically” Sends Unknown Low Prevalence File Hashes to Threat Grid for Analysis

New file (.EXE)? Submit file

Analysis Completes in 5-30 Minutes and Sends the Report Back to AMP.

Analysis results are propagated back into the AMP Cloud and out to the endpoints. AMP will quarantine the file wherever it is known to be stored.

On the next system to download the Ransomware…. AMP Immediately Blocks it

Early bird gets the new zero-day Ransomware. Files encrypted, and most likely all mapped share drives.

AMP+TG Learns New Ransomware and Blocks Future Infections

Summary

Ransomware Defence Prevention Validation

Tested against >20 REAL Ransomware Attack families to validate the solution

• Cisco Umbrella
• Cloud Email Security w/AMP
• AMP for Endpoints
• AMP ThreatGrid

Cloud and software solution that enables quick deployment and protection

www.cisco.com/go/safe

An Interactive Demo for the Quick Prevention Products is Available on Cisco’s dCloud.

Key Take Away

• Ransomware is a problem that will continue to grow and impact more organisations; it is the most profitable malware ever seen!

• Thousands of individuals and corporations are being targeted.

• Cisco Ransomware Defence focuses on prevention where possible, quick detection and rapid containment to reduce the impact of a ransomware attack.

• Cloud services are the quickest and easiest deployments to start defending against ransomware.

www.cisco.com/go/ransomware

Q & A

Thank you