Cryptolocker Webcast
Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom.

So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward?

In this webcast, you will learn:

- What steps are involved in a Cryptolocker attack
- How Domain Generation Algorithms enable it to evade most threat detection methods
- Why leveraging our global intelligence has been effective in containing Cryptolocker
- What you can do to avoid becoming a victim

Presentation Transcript

  • CONTAINING CRYPTOLOCKER: How Predictive Analytics Combat Emerging Threats. OpenDNS Confidential
  • AGENDA (#2, 11-Dec-13, OpenDNS Confidential): 1 CYBER ATTACKS & THREATS: multiple stages, varying tactics. 2 CRYPTOLOCKER IN-DEPTH: how it works, what can stop it. 3 WHY SECURITY FALLS BEHIND: how OpenDNS contained Cryptolocker, why we stay ahead.
  • CYBER ATTACKS AND THREATS
  • CYBER-ATTACKS ARE MULTI-STAGE. A business may observe up to five stages: 1 RECON & PREP, 2 LURE USER, 3 INFECT SYSTEM, 4 PHONE HOME, 5 BREACH NETWORK and REALIZE MOTIVE (move data & money).
  • LURE & INFECTION: MULTIPLE ATTACK VECTORS. EMAIL ONLY: socially engineered content (business sender) carrying a malicious attachment (ZIP and/or EXE falsely labeled as PDF). WEB ONLY: links in forums or search engines leading to a compromised web site (JavaScript redirection) and then to a malware drop host (often exploits browser or plug-in vulnerabilities). EMAIL TO WEB: a falsely labeled web link leading to a compromised web site (JavaScript redirection) and then to a malware drop host (often exploits browser or plug-in vulnerabilities).
  • PHONE HOME (to CnCs): INCREASING SOPHISTICATION. STATIC: one domain (bad.com) resolving to one fixed address (e.g. 23.4.34.55). FAST FLUX: one domain (bad.com) resolving to a rotating pool of addresses (23.4.24.1, 44.6.11.8, 87.32.4.21, 129.3.6.3, 83.56.21.1, 34.4.2.110). DGA (domain generation algorithm): the domain name itself changes (bad.com? baa.ru? bid.cn), each resolving to addresses from the pool.
  • BREACH & MOTIVE: MOST BREACHES YOU DON'T SEE. DISRUPTS YOUR BUSINESS: locks you out of your data on your network; pay the ransom to unlock the data. HIJACKS YOUR INFRASTRUCTURE: attacks other businesses using your reputation. MANIPULATES YOUR DATA: cyber-criminals and nation states obtain your knowledge.
  • CRYPTOLOCKER IN-DEPTH
  • BUSINESSES OFTEN MISS SEEING THE THIRD STAGE. It is targeting businesses: 1 EMAIL-ONLY VECTOR, 2 FAKE EXECUTABLE, 3 DGA-BASED PHONE HOME, 4 ENCRYPT DATA, 5 COLLECT RANSOM.
  • SECURITY REQUIRES VISIBILITY, INTELLIGENCE AND ENFORCEMENT. Which solutions can stop it? 1 EMAIL-ONLY VECTOR: firewalls or gateways. 2 FAKE EXECUTABLE: endpoint protections. 3 DGA-BASED PHONE HOME: firewalls, gateways or endpoint protections. 4 ENCRYPT DATA: encryption or DB security. 5 COLLECT RANSOM: data archiving. All of these BLOCK WHAT IS KNOWN TO BE MALICIOUS: by appearance, by origin, by behavior.
  • DISCOVERING WHAT IS MALICIOUS IS A COLLECT AND REACT APPROACH. If it's not known, then: COLLECT (time 0), ANALYZE (time 1-N), REACT (time N): block new appearances, block new origins, block new behaviors.
  • MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD (animated build, slides #12-#16): Variant A is analyzed; Variants B through G follow; then Variants H through K and a NEW DGA appear.
  • WHAT IS A BETTER APPROACH? Discover where malicious activity will originate, before it happens. OBSERVE DGA-based phone home activity (time 0), then PREDICT future DGA domains (time 1).
  • TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE (animated build, slides #18-#20): Live Internet Activity.
  • OBSERVING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY. Chart, 20-Oct to 30-Oct: per day, one Known Domain Blocked (shocdnhyfmdfsoj.co.uk, ftamfiaivpdw.biz, dctqynvenluf.biz, byeixyixhmse.biz, ohjvagaptmlffn.info, ixslpslobkddytp.info, ljllkfudrvggepm.com, dblekuaonugn.biz, lcynqebqetamnmb.net, lfdicecqjetfqrm.com, paspmnbspwijo.ru) against the daily volume of Unknown Co-Occurring DNS Requests (between 7.3M and 28.7M per day). FOR EVERY 1 KNOWN DOMAIN PER DAY, 999 MORE DOMAINS OBSERVED.
  • PREDICTING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY. One of those 999 co-occurring domains will become active next. CRYPTOLOCKER KNOWN DOMAINS: tctggapprqfatc.biz, uauuqfmmuwemsj.ru, psnineovwogkvx.org. ALL CO-OCCURRENCES (T-1 to T+1) INCLUDING NEWLY DISCOVERED CRYPTOLOCKER DOMAINS: uwelwphpjsemxsn.info (2100), google.com (800), arjddblgbsumi.biz (575), danvawrrcgrwo.com (300), facebook.co.uk (266), frjpjcapmnvdo.ru (34).
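The co-occurrence idea on the two slides above (known CnC domains as anchors, other domains queried by the same clients around the same time as candidates), as an added Python example that is not OpenDNS's code: the resolver log is constructed, the 60-second window and the popularity allow-list are assumptions, and the domain names are the ones shown on the slides.

```python
from collections import defaultdict
from datetime import datetime

# Known Cryptolocker domains from the slide: the anchors ("T") for co-occurrence.
KNOWN_CNC = {"tctggapprqfatc.biz", "uauuqfmmuwemsj.ru", "psnineovwogkvx.org"}
# Popular benign domains co-occur with everything (the slide's raw counts include
# google.com and facebook.co.uk); an allow-list is assumed here to discount them.
POPULAR = {"google.com", "facebook.co.uk"}

# Constructed sample resolver log: (client, timestamp, queried domain).
LOG = [
    ("10.0.0.5", "2013-10-28 09:00:01", "google.com"),
    ("10.0.0.5", "2013-10-28 09:00:03", "tctggapprqfatc.biz"),   # known CnC
    ("10.0.0.5", "2013-10-28 09:00:04", "uwelwphpjsemxsn.info"),
    ("10.0.0.5", "2013-10-28 09:00:05", "arjddblgbsumi.biz"),
    ("10.0.0.5", "2013-10-28 09:30:00", "danvawrrcgrwo.com"),    # outside window
    ("10.0.0.6", "2013-10-28 09:05:10", "facebook.co.uk"),
    ("10.0.0.6", "2013-10-28 09:05:12", "uauuqfmmuwemsj.ru"),    # known CnC
    ("10.0.0.6", "2013-10-28 09:05:13", "uwelwphpjsemxsn.info"),
    ("10.0.0.7", "2013-10-28 11:00:00", "uwelwphpjsemxsn.info"),
    ("10.0.0.7", "2013-10-28 11:00:30", "tctggapprqfatc.biz"),   # known CnC
    ("10.0.0.7", "2013-10-28 11:00:31", "google.com"),
    ("10.0.0.8", "2013-10-28 12:00:00", "google.com"),           # never phones home
    ("10.0.0.8", "2013-10-28 12:00:01", "danvawrrcgrwo.com"),
]

def cooccurrence(log, known, window_s=60):
    """For each unknown domain, count the distinct clients that queried it
    within window_s seconds before or after a query to a known CnC domain."""
    by_client = defaultdict(list)
    for client, ts, dom in log:
        by_client[client].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dom.lower()))
    clients_for = defaultdict(set)
    for client, events in by_client.items():
        anchors = [t for t, d in events if d in known]  # empty if this client never phoned home
        for t, d in events:
            if d not in known and any(abs((t - a).total_seconds()) <= window_s for a in anchors):
                clients_for[d].add(client)
    return {d: len(c) for d, c in clients_for.items()}

def rank_candidates(counts, popular, min_clients=2):
    """Drop allow-listed domains and weak signals; strongest support first."""
    return sorted(((d, n) for d, n in counts.items()
                   if d not in popular and n >= min_clients),
                  key=lambda dn: (-dn[1], dn[0]))

if __name__ == "__main__":
    print(rank_candidates(cooccurrence(LOG, KNOWN_CNC), POPULAR))
```

Counting distinct clients rather than raw requests keeps one noisy host from promoting a domain on its own; widening the window trades recall for more benign co-occurrences.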
  • OBTAIN VISIBILITY, INTELLIGENCE AND ENFORCEMENT OF STAGE 3. Stop the attack's "kill chain" at 3 DGA-BASED PHONE HOME, between 1 EMAIL-ONLY VECTOR, 2 FAKE EXECUTABLE and 4 ENCRYPT DATA, 5 COLLECT RANSOM: at the gateway and on the endpoint* (*because it will not always be behind the gateway).
  • WHY SECURITY FALLS BEHIND
  • THE PERFECT STORM HAS FORMED. INCOMPLETE ENFORCEMENT: on-network web traffic; roaming users & remote offices; non-web protocols & ports. LIMITED VISIBILITY: samples collected by on-premises appliances; targeted attacks; emerging threats. REACTIVE INTELLIGENCE: similar appearance; different behavior; unknown origin.
  • WANTED: SECURITY FOR THE WAY THE WORLD WORKS TODAY: EVERYWHERE ENFORCEMENT, GLOBAL VISIBILITY, PREDICTIVE INTELLIGENCE.
  • Diagram: GLOBAL VISIBILITY, ENFORCEMENT (UMBRELLA), INTELLIGENCE (SECURITY GRAPH), PREDICTIVE SECURITY.
  • WHAT MAKES OPENDNS'S SECURITY UNIQUE: THE ONLY CLOUD-DELIVERED AND DNS-BASED SECURITY SOLUTION. 80M+ requests to advanced malware, botnet & phishing threats blocked daily. 100K+ new threat origins discovered or predicted daily.
  • UMBRELLA LEVERAGES OPENDNS'S FOUNDATIONS: THE WORLD'S LARGEST INTERNET SECURITY NETWORK. 50M+ active users daily; 21 data center locations (Americas; Europe, Middle East & Africa; Asia-Pacific); 1500+ BGP peering sessions; 50B+ requests daily; 160+ countries with users; zero net new latency.
  • OPENDNS IS PREDICTING & CONTAINING CRYPTOLOCKER EVERYWHERE, for 1,000s of our customers daily. Chart: total and new user clients attempting to phone home to Cryptolocker's CnCs.
  • CUSTOMERS PROTECTED BEFORE TRADITIONAL SECURITY APPROACHES: OpenDNS predicted Cryptolocker's DGA before others could reverse engineer it.
  • OPENDNS WILL HELP YOUR BUSINESS: we predict, prevent and contain emerging threats BEFORE THE INFECTION OR BREACH HAPPENS.
  • FOR A FREE INSTANT TRIAL, VISIT WWW.UMBRELLA.COM OR EMAIL SALES@OPENDNS.COM. FOR TECHNICAL QUESTIONS, EMAIL ME: BARRY@OPENDNS.COM. OpenDNS Confidential