Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Failed Ransom: How IBM XGS Defeated Ransomware

1,541 views

Published on

View on-demand webinar: http://event.on24.com/wcc/r/1238398/409AE8848D4FF1210B56EC81538788EB

Ransomware is a growing threat impacting organizations across all industries. But not all is lost. There are preventative measures that can be taken to help protect against ransomware attacks, including deploying a next-generation intrusion prevention system (IPS), such as the IBM XGS.

Join our webinar to:

Understand the current threats associated with ransomware
Learn how leading-edge research from IBM X-Force powers the XGS to stop ransomware
Hear how IBM XGS proactively blocked ransomware at a large healthcare insurance organization

Published in: Technology
  • ⇒ www.WritePaper.info ⇐ This service will write as best as they can. So you do not need to waste the time on rewritings.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • 8 Ways to Communicate with Your Guardian Angels...  http://ishbv.com/manifmagic/pdf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Failed Ransom: How IBM XGS Defeated Ransomware

  1. 1. Failed Ransom: How IBM XGS Defeated Ransomware Leslie Horacek IBM X-Force Threat Response, IBM Security Richard Rice, Director of Security Operations, WaveStrong
  2. 2. 2 IBM Security Agenda 1.  Monitoring the Threat Landscape 2.  The Rise of Ransomware 3.  IBM Security Network Protection (XGS) 4.  Case Study: How XGS Defeated Ransomware 5.  Questions & Answers
  3. 3. How we monitor threats THREAT INTELLIGENCE
  4. 4. 4 IBM Security IBM X-Force® Research and Development Expert analysis and data sharing on the global threat landscape Vulnerability Protection IP Reputation Anti-Spam Malware Analysis Web Application Control URL / Web Filtering Zero-day Research The IBM X-Force Mission !  Monitor and evaluate the rapidly changing threat landscape !  Research new attack techniques and develop protection for tomorrow’s security challenges !  Educate our customers and the general public !  Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
  5. 5. 5 IBM Security Our automated technologies and research teams monitor the global threat level at all times Dynamic updates Threat intelligence databases are dynamically updated—delivering up-to- the-minute accuracy Analysis Security teams analyze the global data to identify attack trends and share insightsData capture The web is continuously scanned and categorized, identifying malware hosts, spam sources, etc.
  6. 6. 6 IBM Security IBM X-Force malware researchers retrieve malware, configuration and modules from listening points across the globe Analysis •  Monitor darknet chatter •  Maintain dedicated lab environment •  Reverse engineering •  Proprietary decryption tools •  Versioning •  Investigate malware operator motivations Protection •  Identification of incremental malware changes to develop and deploy defenses •  Constant monitoring of bypass attempts
  7. 7. 7 IBM Security Our global threat intelligence delivers a wide range of benefits HigherOrder Intelligence Observables andIndicators Actors Campaigns Incidents TTPs Vulnerabilities MalwareAnti-SpamWeb App Control IP ReputationURL / Web Filtering
  8. 8. 8 IBM Security IBM X-Force Exchange hosts X-Force threat intelligence in a collaborative platform Security analysts and researchers Security Operations Centers (SOCs) Security products and technologies X-Force Exchange enables users to: •  Research threat indicators •  Participate and build in public and private communities •  Collaborate with peers and X-Force analysts to share evidence and discoveries •  Help increase the quality of threat intelligence •  Operationalize threat intelligence to streamline security decision making Collaborative platform to consume, share and act on real-time threat intelligence
  9. 9. 9 IBM Security Will you pay the ransom?
  10. 10. 10 IBM Security Cerber ransomware operation exposed... and boy is it lucrative! $$$ 161 active campaigns 8 new campaigns launching / day Infected approximately 150,000 users worldwide in 201 countries and territories in the past month alone. Affiliate system makes Cerber one of the most lucrative RaaS platforms in the world. At only 0.3% paying ransom, still nets over $1 million USD / year Average ransom is 1 Bitcoin (~$580) Reported in August by Checkpoint Research: Source: https://www.grahamcluley.com/2016/08/cerber-ransomware-operation/ and http://blog.checkpoint.com/2016/08/16/cerberring/
  11. 11. 11 IBM Security July 2016 Client Webinar: Digital Extortion, Will You Pay The Ransom? Visit the Ransomware landing page to review the infographic and register to receive the client engagement guide •  Ransomware: The Malware Path •  By Ways of Digital Extortion •  Attack Statistics •  Will You Pay the Ransom? •  IBM Services Response Guide for Clients For a more in-depth review of ransomware, register to watch the replay.
  12. 12. 12 IBM Security IBM Security Network Protection (XGS) Next-generation intrusion prevention protects against the latest attacks IBM Security Network Protection PROTECTION Disrupt known and unknown exploits and malware attacks VISIBILITY Gain insight into network traffic patterns to detect anomalies CONTROL Limit the use of risky applications to reduce your attack surface " #
  13. 13. 13 IBM Security IBM Security Network Protection IBM XGS protects against a full spectrum of attack techniques… Web App System and Service Traffic-based User Risky Applications Protocol Tunneling RFC Non- Compliance Unpatched / Unpatchable Vulnerabilities Code Injection Buffer Overflows Cross-site Scripting SQL Injection Cross-site Request Forgery Cross-path Injection Spear Phishing Drive-by Downloads Malicious Attachments Malware Links Obfuscation Techniques Protocol Anomalies Traffic on Non- Standard Ports DoS / DDoS Information Leakage Social Media File Sharing Remote Access Audio / Video Transmission
  14. 14. 14 IBM Security IBM goes beyond pattern matching with a broad spectrum of vulnerability and exploit coverage Exploit Signatures Attack-specific pattern matching Web Injection Logic Patented protection against web attacks, e.g., SQL injection and cross-site scripting Vulnerability Decodes Focused algorithms for mutating threats Application Layer Heuristics Proprietary algorithms to block malicious use Protocol Anomaly Detection Protection against misuse, unknown vulnerabilities, and tunneling across 230+ protocols Shellcode Heuristics Behavioral protection to block exploit payloads Content Analysis File and document inspection and anomaly detection Other IPS solutions stop at pattern matching
  15. 15. 15 IBM Security Ransomware encrypting servers, endpoints, and databases Countering the attack chain ! Ransomware Installation ! Command & Control ! Encrypt the User’s Files ! Demand Ransom Specific signatures within XGS to detect ransomware C&C Trojan_CryptXXX_CnC JavaScript_Angler_Exploit_Kit_5 HTTP_Locky_Trojan_CnC
  16. 16. 16 IBM Security How IBM XGS fights Ransomware – Attack Chain broken! XGS provides URL filtering, IP Reputation, and Geo-location protection Block traffic to or from unwanted sites via network access policies Block attempted connections to the Attacker’s C&C site Integration with third party malware protection solutions (Damballa, FireEye, Trend Micro) Protocol Analysis Module (PAM) has specific decodes to identify and block malicious macros
  17. 17. 17 IBM Security The XGS appliance can operate in three modes Inline Simulation !  Active intrusion prevention !  Blocks malicious and unwanted traffic !  Allows legitimate traffic to pass unhinderedPassive Monitoring Inline Prevention !  Accurate intrusion detection !  Supports taps, hubs or SPAN ports !  Monitors traffic for malicious or unwanted traffic !  Simulates inline prevention !  No blocking !  Alerts to events it would have blocked
  18. 18. IBM XGS Ransomware Use Case Richard  Rice   August  30th,  2016  
  19. 19. WaveStrong  is  an  Informa5on  Security   Consul5ng  Company:   Since   2001,   WaveStrong   has   been   an   industry   leader   in   enterprise   and   cloud   informa?on   security   consul?ng   services.  We  pride  ourselves  in  our  ‘best  of  breed’  security   solu?ons   and   services   that   span   a   myriad   of   ver?cals,   including:  government,  educa?on  and  business.  Our  staff  is   comprised   of   elite   cer?fied   technical   and   business   professionals  who  help  our  clients  successfully  navigate  the   complexi?es   of   planning,   design,   implementa?on   and   management  of  data  security.     …Trusted  by  Industry  Professionals  for   over  15  years     19
  20. 20. WAVESTRONG  –  SECURITY  SERVICES  METHODOLOGY Plan,  Build  and  Run  successful  Cyber   Security  Programs:   WaveStrong’s   vision   is   to   become   the   most   advanced,   comprehensive   and   a   trusted   partner   for   cyber   security   solu?ons.  We  provide  complete  set  of  informa?on  security   services  and  solu?ons  to  help  our  customer  with  establishing   a   complete   cyber   security   strategy,   iden?fy   and   remediate   business   risk   and   threat,   select   and   deploy   the   right   technology   and   achieve   opera?onal   readiness   to   protect   from  latest  cyber  threats.   Cyber   Security   Strategy   Security   Program   Strategy   Architecture   and  Design   Deploy  and   Opera5onalize   Managed   Security   Services   20
  21. 21. DEPLOYMENT   SERVICES   TUNING   SERVICES   INTEGRATION   SERVICES   TRAINING   SERVICES   CUSTOM   DEVELOPMENT   PKI  SERVICES   MANAGED   SERVICES   HEALTH   CHECK   VENDORS   PRODUCT  SUITE(S)   SERVICES  PROVIDED   WAVESTRONG  CAPABILITIES  –  IBM  Security  Por@olio QRadar   Guardium   Secure  Key  Life-­‐cycle  Mgr.  (SKLM)   Endpoint  Mgr.  (BIGFIX)   XGS   AppScan   21
  22. 22. A  Ransomware  Use  Case  Background •  Customer  Profile:     •  Mid-­‐size  Pharmaceu?cal  Company  with  two  datacenters  –  one  in  Pennsylvania  and  2nd  in  New  Jersey   •  Problem  Statement:     •  Company  received  mul?ple  phishing  emails  containing  Locky  malware  throughout  their  enterprise  targe?ng  system   administrators.   •  Four  people  opened  the  a^achment  –  three  at  headquarters  and  one  at  backup  loca?on   •  The  Command  and  Control  communica?on  channel  was  blocked  for  the  three  at  the  HQ  office,  but  only  simulated  block  at  the   second  site   •  The  worksta?on  that  was  at  the  second  site  was  infected,  but  all  valuable  data  was  backed  up  so  they  reimaged  the  worksta?on.   •  Solu5on  Provided:     •  Customer  purchased  two  XGS-­‐4100  appliances  with  SiteProtector   •  Services  Provided:     •  XGS  deployed  inline  at  both  datacenters  with  one  in  protec?on  mode  and  other  in  simula?on  mode   •  Both  appliances  configured  for  moderate  protec?on  with  automa?c  signature  updates   22
  23. 23. A  Ransomware  Use  Case  Timeline PHISHING  EMAIL   A^acker  sends   email   VICTIM  OPENS   LINK   Four  people   clicked  on  link   to  download   malware   THREE  ARE   BLOCKED   XGS  blocked   outbound   communica?on     ONE  GETS   INFECTED   Site  with  XGS   in  simula?on   mode   ATTACK  NOTICED   XGS  admin   sees  ac?vity  in   primary  site   CALLED  FOR  HELP   WaveStrong   called  in  to   configure   secondary  XGS   XGS  IN  PROTECT   MODE   Secondary   site  moved  to   protec?on   mode   CONTINUE  TO   MONITOR   Did  not  see   any  more   a^ack   a^empts   23
  24. 24. A  Ransomware  Use  Case  –  RecommendaJons •  Best  prac?ce  is  to  put  newly  deployed  IPS   appliances  in  monitor  or  simula?on  mode  to   minimize  poten?al  impact  to  produc?on   traffic   **Note**     When  you  transi?on  from  simula?on  mode  to   protec?on  mode,  all  network  connec?ons  are   dropped  while  the  port  is  renego?a?ng  with   the  switch  (Lost  VPN  connec?ons  temporarily)     •  If  you  have  two  or  more  appliances,   SiteProtector  is  highly  recommended  for   ease  of  management  and  monitoring   •  Make  sure  to  maintain  con?nuous   monitoring  of  your  appliances  and  alerts   24 IBM  QRadar   IBM  XGS   IBM  AppScan   IBM  X-­‐Force  Monitor and evaluate today’s threats Detect, analyze, and prioritize threats Network Protection & Monitoring Develop more secure applications IBM  BigFix  Unified Endpoint Security IBM  Guardium  Database Auditing & Monitoring
  25. 25. Contact  InformaJon Harpreet  Walia:    President  and  CEO   Office:  925.264.8080   Email:  harpreet@wavestrong.com   Corporate  Headquarters:   5674  Stoneridge  Drive,  Suite  225,   Pleasanton,  CA    94568   Richard  Rice:    Director  Security  Opera5ons   Office:  925-­‐264-­‐8079   Email:  rich@wavestrong.com   Corporate  Headquarters:   5674  Stoneridge  Drive,  Suite  225,   Pleasanton,  CA    94568   https://www.wavestrong.com 25
  26. 26. 26 IBM Security IBM positioned in the “Leaders” Quadrant in the 2015 Gartner Magic Quadrant for Intrusion Prevention Systems Magic Quadrant for Intrusion Prevention Systems “The capabilities of leading IPS products have adapted to changing threats, and next-generation IPSs (NGIPSs) have evolved incrementally in response to advanced targeted threats that can evade first-generation IPSs.” Craig Lawson, Adam Hils, and Claudio Neiva Gartner, November 16, 2015 This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The link to the Gartner report is available upon request from IBM. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  27. 27. 27 IBM Security PASS All tests related to “stability and reliability” PASS All tests related to “evasions” 99.6% Exploit block rate 0 False Positives 25.949 Tested Throughput (Gbps) NSS Labs testing of IBM Security Network Protection XGS 7100 SOURCE: NSS LABS 2016 DATA CENTER INTRUSION PREVENTION SYSTEM (DCIPS) TEST REPORT “Using a tuned policy, the IBM XGS 7100 blocked 99.6% of exploits. The device proved effective against all evasion techniques tested. The device also passed all stability and reliability tests. The IBM XGS 7100 is rated by NSS at 25.949 Gbps, which is above the vendor-claimed performance; IBM rates this device at 25Gbps.”
  28. 28. 28 IBM Security XGS protects both your network and investment Forrester determined XGS has the following three-year risk-adjusted financial impact: RETURN ON INVESTMENT 340% NET PRESENT VALUE $1,075,592 PAYBACK PERIOD 1.9 months SOURCE: THE TOTAL ECONOMIC IMPACT OF IBM SECURITY NETWORK SECURITY (XGS), FORRESTER RESEARCH, 2016 IBM Security Network Protection
  29. 29. 29 IBM Security A Global Leader in Enterprise Security •  #1 in enterprise security software and services* •  7,500+ people •  12,000+ customers •  133 countries •  3,500+ security patents •  15 acquisitions since 2005 *According to Technology Business Research, Inc. (TBR) 2016
  30. 30. Questions & Answers
  31. 31. ibm.com/security securityintelligence.com xforce.ibmcloud.com @ibmsecurity youtube/user/ibmsecuritysolutions © Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. FOLLOW US ON: THANK YOU

×