Cryptolocker Webcast

Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom.

So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward?

In this webcast, you will learn:

- What steps are involved in a Cryptolocker attack
- How Domain Generation Algorithms enable it to evade most threat detection methods
- Why leveraging our global intelligence has been effective in containing Cryptolocker
- What you can do to avoid becoming a victim

Published in: Technology
Cryptolocker Webcast (slide transcript)

  1. CONTAINING CRYPTOLOCKER: How Predictive Analytics Combat Emerging Threats (OpenDNS Confidential)
  2. AGENDA (11-Dec-13, OpenDNS Confidential)
     1. CYBER ATTACKS & THREATS: multiple stages, varying tactics
     2. CRYPTOLOCKER IN-DEPTH: how it works, what can stop it
     3. WHY SECURITY FALLS BEHIND: how OpenDNS contained Cryptolocker, why we stay ahead
  3. CYBER ATTACKS AND THREATS (section divider)
  4. CYBER-ATTACKS ARE MULTI-STAGE. A business may observe up to five stages. The diagram runs: Recon & Prep; Lure User; Infect System; Phone Home; Breach Network; Realize Motive (Move Data & Money).
  5. LURE & INFECTION: MULTIPLE ATTACK VECTORS
     - Email only: socially engineered content (business sender) carrying a malicious attachment (ZIP and/or EXE falsely labeled as PDF)
     - Web only: links in forums or search engines leading to a compromised web site (Javascript redirection), which sends the browser to a malware drop host (often exploits browser or plug-in vulnerabilities)
     - Email to web: a falsely labeled web link leading to a compromised web site (Javascript redirection), then to a malware drop host (often exploits browser or plug-in vulnerabilities)
  6. PHONE HOME (to CnCs): INCREASING SOPHISTICATION
     - Static: the malware contacts one fixed domain and address (bad.com, 23.4.24.1 in the diagram)
     - Fast flux: bad.com rotates through many addresses (23.4.34.55, 23.4.24.1, 44.6.11.8, 87.32.4.21, 129.3.6.3, 83.56.21.1, 34.4.2.110)
     - DGA (domain generation algorithm): the domain itself changes over time (bad.com? baa.ru? bid.cn ...)
  7. BREACH & MOTIVE: MOST BREACHES YOU DON'T SEE
     - Disrupts your business: locks you out of your data on your network; pay the ransom to unlock the data
     - Hijacks your infrastructure: attacks other businesses using your reputation
     - Manipulates your data: cyber-criminals and nation states obtain your knowledge
  8. CRYPTOLOCKER IN-DEPTH (section divider)
  9. BUSINESSES OFTEN MISS SEEING THE THIRD STAGE. It is targeting businesses:
     1. Email-only vector
     2. Fake executable
     3. DGA-based phone home
     4. Encrypt data
     5. Collect ransom
  10. SECURITY REQUIRES VISIBILITY, INTELLIGENCE AND ENFORCEMENT. Which solutions can stop it?
     1. Email-only vector: firewalls or gateways
     2. Fake executable: endpoint protections
     3. DGA-based phone home: firewalls, gateways or endpoint protections
     4. Encrypt data: encryption or DB security
     5. Collect ransom: data archiving
     All of these block what is known to be malicious: by appearance, by origin, by behavior.
  11. DISCOVERING WHAT IS MALICIOUS IS A COLLECT AND REACT APPROACH. If it's not known, then... collect (time 0), analyze (time 1-N), react (time N): block new appearances, block new origins, block new behaviors.
  12. MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD (animated build across slides 12-16): Variant A appears first, then Variants B through K, with a NEW DGA among them; each arrives before the previous one has been collected and analyzed.
  13. (build step of slide 12: Variant A only)
  14. (build step of slide 12: Variants A-G)
  15. (build step of slide 12: Variants A-K, NEW DGA)
  16. (build step of slide 12: Variants A-K, NEW DGA)
  17. WHAT IS A BETTER APPROACH? Discover where malicious activity will originate, before it happens: OBSERVE DGA-based phone home activity (time 0), then PREDICT future DGA domains (time 1).
  18. TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE (image slide)
  19. TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE: Live Internet Activity (image slide)
  20. TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE (image slide)
  21. OBSERVING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY. Chart, 20-Oct to 30-Oct: one known Cryptolocker domain blocked per day (lcynqebqetamnmb.net, dblekuaonugn.biz, ljllkfudrvggepm.com, ixslpslobkddytp.info, ohjvagaptmlffn.info, byeixyixhmse.biz, dctqynvenluf.biz, ftamfiaivpdw.biz, shocdnhyfmdfsoj.co.uk, lfdicecqjetfqrm.com, paspmnbspwijo.ru) against the daily volume of unknown co-occurring DNS requests (between 7.3M and 28.7M per day; the plotted values are 28.7M, 24.6M, 19.1M, 22.3M, 18.1M, 26.9M, 21.7M, 19.6M, 17.6M, 20.1M, 7.3M). Takeaway: for every 1 known domain per day, 999 more domains observed.
  22. PREDICTING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY. One of those 999 co-occurring domains will become active next. Known Cryptolocker domains: tctggapprqfatc.biz, uauuqfmmuwemsj.ru, psnineovwogkvx.org. All co-occurrences in the T-1 / T+1 window around requests for those domains, including newly discovered Cryptolocker domains: uwelwphpjsemxsn.info (2100), google.com (800), arjddblgbsumi.biz (575), danvawrrcgrwo.com (300), facebook.co.uk (266), frjpjcapmnvdo.ru (34).
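The co-occurrence idea on slides 21-22, as an added example that is not OpenDNS code: each client's DNS queries are treated as an ordered stream, every domain requested one query before or after a known Cryptolocker domain (the T-1 / T+1 window) is counted, and the raw counts are then discounted by how many clients query the domain overall, so that popular benign names like google.com, which co-occur with everything, drop below the DGA candidates. The log lines, the client ids and the normalisation step are constructed for this example; only the three known domains come from the deck.

```python
from collections import Counter, defaultdict

# Known Cryptolocker domains as listed on slide 22 of the deck.
KNOWN = {"tctggapprqfatc.biz", "uauuqfmmuwemsj.ru", "psnineovwogkvx.org"}

# Constructed sample log: (client_id, domain), already in per-client query order.
# Clients c1-c3 are "infected" and query the next DGA domain right after a known one.
SAMPLE_LOG = [
    ("c1", "google.com"), ("c1", "tctggapprqfatc.biz"),
    ("c1", "uwelwphpjsemxsn.info"), ("c1", "facebook.co.uk"),
    ("c2", "uauuqfmmuwemsj.ru"), ("c2", "uwelwphpjsemxsn.info"), ("c2", "google.com"),
    ("c3", "google.com"), ("c3", "psnineovwogkvx.org"), ("c3", "uwelwphpjsemxsn.info"),
    ("c4", "google.com"), ("c4", "facebook.co.uk"), ("c4", "news.example"),  # clean
    ("c5", "google.com"), ("c5", "news.example"),                            # clean
]

def cooccurrences(log, known, window=1):
    """Count domains requested within +/-window queries of a known domain (T-1 / T+1)."""
    streams = defaultdict(list)
    for client, domain in log:
        streams[client].append(domain)
    counts = Counter()
    for domains in streams.values():
        for i, d in enumerate(domains):
            if d not in known:
                continue
            lo, hi = max(0, i - window), min(len(domains), i + window + 1)
            for j in range(lo, hi):
                if j != i and domains[j] not in known:
                    counts[domains[j]] += 1
    return counts

def client_popularity(log):
    """Distinct clients per domain: the 'global view' used to recognise benign, popular names."""
    seen = defaultdict(set)
    for client, domain in log:
        seen[domain].add(client)
    return {d: len(c) for d, c in seen.items()}

def rank_candidates(log, known, window=1):
    """Return [(domain, raw_count, score)] with score = co-occurrences / distinct clients.

    A DGA domain is queried almost only by infected hosts, so its score approaches 1.0;
    a popular domain has many unrelated clients and scores low despite a high raw count.
    (Constructed normalisation; the deck shows raw counts only.)
    """
    co, pop = cooccurrences(log, known, window), client_popularity(log)
    ranked = [(d, n, n / pop[d]) for d, n in co.items()]
    ranked.sort(key=lambda t: (t[2], t[1]), reverse=True)
    return ranked
```

Running `rank_candidates(SAMPLE_LOG, KNOWN)` puts uwelwphpjsemxsn.info first with score 1.0 and google.com second at 0.4 even though both co-occur often, which is the filtering a defender needs before pushing a predicted domain into a block list.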
  23. OBTAIN VISIBILITY, INTELLIGENCE AND ENFORCEMENT OF STAGE 3. Stop the attack's "kill chain": 1 email-only vector, 2 fake executable, 3 DGA-based phone home, 4 encrypt data, 5 collect ransom. Enforce stage 3 at the gateway and on the endpoint* (*because it will not always be behind the gateway).
  24. WHY SECURITY FALLS BEHIND (section divider)
  25. THE PERFECT STORM HAS FORMED
     - Incomplete enforcement: on-network web traffic only; roaming users & remote offices; non-web protocols & ports
     - Limited visibility: samples collected by on-premises appliances; targeted attacks; emerging threats
     - Reactive intelligence: similar appearance; different behavior; unknown origin
  26. WANTED: SECURITY FOR THE WAY THE WORLD WORKS TODAY: enforcement everywhere, global visibility, predictive intelligence
  27. Enforcement: Umbrella. Intelligence: Security Graph. Together: global visibility and predictive security.
  28. WHAT MAKES OPENDNS'S SECURITY UNIQUE: the only cloud-delivered and DNS-based security solution. 80M+ requests to advanced malware, botnet & phishing threats blocked daily; 100K+ new threat origins discovered or predicted daily.
  29. UMBRELLA LEVERAGES OPENDNS'S FOUNDATIONS: the world's largest internet security network
     - 50M+ active users daily
     - 21 data center locations (Americas; Europe, Middle East & Africa; Asia-Pacific)
     - 1500+ BGP peering sessions
     - 50B+ requests daily
     - 160+ countries w/ users
     - Zero net new latency
  30. EVERYWHERE. OpenDNS is predicting & containing Cryptolocker for 1,000s of our customers daily. Chart: total and new user clients attempting to phone home to Cryptolocker's CnCs.
  31. CUSTOMERS PROTECTED BEFORE TRADITIONAL SECURITY APPROACHES: OpenDNS predicted Cryptolocker's DGA before others could reverse engineer it.
  32. OPENDNS WILL HELP YOUR BUSINESS. We predict, prevent and contain emerging threats before the infection or breach happens.
  33. For a free instant trial, visit WWW.UMBRELLA.COM or email SALES@OPENDNS.COM. For technical questions, email me: BARRY@OPENDNS.COM (OpenDNS Confidential)