Defense Against Ransomware
Dammene Salah, Security System Engineer
Oran, Apr 2018
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda (TECSEC-2005)
• Ransomware
• ESA (Email Security Appliance)
• Techniques used by CnC attacks
• Umbrella
• Defense against CnC
• Discover Vulnerabilities and Defense Against Malware
• Stealthwatch
• Conclusion
Ransomware
The Evolution of Ransomware Variants
The confluence of easy and effective encryption, the popularity of exploit kits and phishing, and a willingness for victims to pay have caused an explosion of ransomware variants.
[Timeline figure, 1989 to 2016. Early milestones: PC Cyborg, GPCoder, Fake Antivirus, CRYZIP, Redplus, QiaoZhaz, first commercial Android phone, Bitcoin network launched. Families shown from 2012 onward: Reveton, Ransomlock, Dirty Decrypt, Cryptorbit, Cryptographic Locker, Urausy, Cryptolocker, CryptoDefense, Koler, Kovter, Simplelock, Cokri, CBT-Locker, TorrentLocker, Virlock, CoinVault, Svpeng, TeslaCrypt, Lockdroid, Tox, Cryptvault, DMALock, Chimera, Hidden Tear, Lockscreen, Teslacrypt 2.0, Cryptowall, SamSam, Locky, Cerber, Radamant, Hydracrypt, Rokku, Jigsaw, Powerware, 73V3N, Keranger, Petya, Teslacrypt 3.0 / 4.0 / 4.1, and worm-type ransomware in 2016.]
Most Ransomware Relies on C2 Callbacks

NAME*          DNS   IP   NO C2   TOR PAYMENT
Locky          x
SamSam         x                  x
TeslaCrypt     x
CryptoWall     x
TorrentLocker  x
PadCrypt       x                  x
CTB-Locker     x
FAKBEN         x                  x
PayCrypt       x
KeyRanger      x
WannaCry       x                  x

* What the callback is used for: Encryption Key, Payment MSG
What changed with WannaCry?
• WannaCry takes control of targeted systems
• WannaCry holds those systems ‘hostage’
• Owner/company agrees to pay the ‘ransom’ (bitcoins) to free the system
• Open SMBv1 ports on the internet
• WannaCry uses a known SMBv1 exploit and an NSA-known backdoor to scan and propagate to other systems
Nyetya – It is a wiper, not ransomware
• Destroys the MBR without saving a copy
• No direct connection to any CnC for remote unlocking
• It was built to destroy, not to make money
Bad Rabbit
• Ransomware distributed by drive-by download, presented as a Flash Player update…
• Leverages a modified version of “mimikatz” to dump password hashes from memory
• Leverages a TOR connection for payment
• Spreading in Europe and Russia
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
Email Security Appliance
[ESA block diagram: the inbound mail pipeline and the Talos feeds behind it]
Pipeline stages:
• SBRS Reputation, SPF / DKIM / DMARC, Recipient Validation
• Message Filters, Forged Email Detection
• Anti-Spam, URL Intelligence, Graymail Detection, End User Safe / Blocklist
• Signature-based AV (Sophos, McAfee)
• AMP: 0-hour malware detection, File Analysis, Auto Remediation
• Content Filters, Forged Email Detection, URL Reputation, URL Category
• Outbreak Filter: on-board phishing DB, URL Intelligence, outbreak rules from Talos
Talos updates: Outbreak Filter rules, AV signatures, DLP, IPAS, Graymail, SBRS & URL updates (DNS query / response)
File path: File Reputation lookup, ThreatGrid sandbox analysis, result poked back to AMP and shared with Firepower, AMP4E and WSA
Threat Intelligence
• 600 Billion email samples
• 16 Billion web requests
• 3.4 Billion AMP queries
• 19.7 Billion threats blocked DAILY: about 3 threats per person EVERY DAY (7.5 Billion total world population)
Threat Intelligence
Talos threat detection and prevention delivers threat intelligence information automatically to a majority of security products.
Cloud to Core Coverage: Network, Virtual, Email, Cloud, End Point, Web
Command and Control (CnC)
Command and Control (CnC)
• Typically uses protocols allowed outbound: HTTP, HTTPS, (SMTP, DNS)
• Multiple proxy layers (in different countries) to make blocking and law enforcement more difficult…
[Diagram: Internet (Labrats.se, IoT) – NGFW – inside: Public Servers, Active Directory, Internal Servers, Clients]
Malware often uses DNS to find CnC
• Malware prefers DNS!
  - 91.3% of malware uses DNS*
• Malware may not know the IP of its CnC server
  - Dynamic IP (home computer)
[Diagram: the attacker registers evilcnc.xyz.xyz → 74.63.17.18; an infected client behind the NGFW asks the inside DNS server (Q: evilcnc.xyz.xyz), which recurses out to the attacker’s DNS server, and then calls home to evilcnc.xyz.xyz]
*Cisco Annual Security Report 2016
http://www.cisco.com/go/asr
CnC and DNS (Fast Flux)
• Setting a short time-to-live (TTL) in the DNS response allows for changing the IP/host
• …in case it is down / taken down / blocked
[Diagram, step 1: the infected client behind the NGFW resolves evilcnc.xyz.xyz through the inside DNS server and receives A: IP 85.231.1.18, TTL: 5 min, then calls home to that address]
[Diagram, step 2: when that host is blocked or taken down, the attacker re-registers evilcnc.xyz.xyz → 74.63.17.20; once the short TTL expires the client resolves again and calls home to the new address]
CnC and Domain Generation Algorithms (DGAs)
• Objective: avoid blocking of static DNS names
• Malware writer creates “his” algorithm to generate future DNS requests, then registers the domain just-in-time
[Diagram: the infected client behind the NGFW calls home to a different generated name each day (18, 19, 20 Feb): sk0s21blrp.aial33.com, wwgs9djz.fdlsf.com, dr3nszxvp.igdz.com; the attacker runs the same encoder and registers that day’s name (e.g. wwgs9djz.fdlsf.com → 74.63.17.20) only when it is needed]
CnC using Forums
• Possible for an attacker to use a legitimate social media site, discussion forum etc. to control the clients
• Purpose: take advantage of somebody else’s good reputation
• Steganography!
  - open source available
[Diagram: the attacker hides the CnC command in a picture and posts it to social-felines.se; the infected client behind the NGFW fetches the picture from the forum and extracts the command]
Umbrella
Gather Intelligence, Enforce Security at the DNS Layer
Authoritative DNS logs, used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• Fast flux domains
• Related domains
User request patterns, used to detect:
• Compromised systems
• Command and control callbacks
• Malware and phishing attempts
• Algorithm-generated domains
• Newly registered domains
[Diagram: any device → recursive DNS → root, com., domain.com. (authoritative DNS)]
Umbrella – how does it work?
[Diagram: DNS → Intelligent proxy → HTTPS decrypt → AV → AMP]
Policy
• Did we see traffic to certain domains that we did not see before?
• What do we know about this domain? Has it served malware in the past?
• Is the domain using any known DNS tunneling mechanism?
Umbrella in Action
[Screenshot: blocked connection to a botnet destination, with Source and Destination columns]
Defense Against CnC
Detecting CnC: Known Bad
• IPS signatures on known bad CnC data content
• IP-based reputation (destination is a known CnC server) (NGFW, WSA, NGIPS)
• DNS-based reputation (destination name is a known CnC server) (Umbrella)
Detecting CnC: Suspicious…?
• DNS name looks like a DGA name, e.g. wwgs9djz.fdlsf.com
  - Entropy, not like a human language
• DNS response with short TTL
• DNS to dynamic IP address, e.g. dyndns.org
  - Not all dynamic IP addresses are bad, but do we really need to connect to them?
• Frequent DNS requests to non-existent domains (NXDOMAIN)
  - May be because the domain is not registered yet … or the user just mistyped www.cissco.com
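As an added example (not code from the presentation), the Python below applies the four indicators above to resolver log records: DGA-looking names scored by entropy and vowel ratio, short TTLs, dynamic-DNS destinations and NXDOMAIN bursts. The log records, client addresses, the 300 s TTL threshold (the slide's 5-minute TTL), the dynamic-DNS suffix list and the NXDOMAIN threshold are constructed assumptions; the domain names are the ones used on the slides.

```python
import math
from collections import defaultdict

# Constructed resolver log: (client, query name, rcode, answer TTL in seconds,
# answer address). Not real data from the presentation.
DNS_LOG = [
    ("10.1.42.110", "wwgs9djz.fdlsf.com",    "NXDOMAIN", None, None),
    ("10.1.42.110", "dr3nszxvp.igdz.com",    "NXDOMAIN", None, None),
    ("10.1.42.110", "sk0s21blrp.aial33.com", "NOERROR",  300,  "74.63.17.20"),
    ("10.1.42.110", "evilcnc.xyz.xyz",       "NOERROR",  300,  "85.231.1.18"),
    ("10.1.42.110", "www.cissco.com",        "NXDOMAIN", None, None),
    ("10.1.42.120", "www.cisco.com",         "NOERROR",  3600, "198.51.100.10"),
    ("10.1.42.120", "myhost.dyndns.org",     "NOERROR",  60,   "203.0.113.7"),
]

SHORT_TTL_SECONDS = 300                 # the fast-flux slide's "TTL: 5 min"
DYNAMIC_DNS_SUFFIXES = ("dyndns.org",)  # assumption: extend with your own list
NXDOMAIN_ALERT_THRESHOLD = 3            # assumption: one typo should not alert


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def label_looks_generated(label):
    """Heuristic for one DNS label: generated names tend to be long, vowel-poor
    and near maximal entropy, or to mix digits into letters. Human names such as
    'cisco' or 'microsoft' stay below these thresholds; expect some false positives."""
    if len(label) < 7:
        return False
    letters = sum(ch.isalpha() for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    if letters and digits:
        return True
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    normalized_entropy = shannon_entropy(label) / math.log2(len(label))
    return vowel_ratio < 0.25 and normalized_entropy >= 0.85


def looks_like_dga(qname):
    """True when any label below the TLD looks machine-generated."""
    labels = qname.lower().rstrip(".").split(".")
    return any(label_looks_generated(label) for label in labels[:-1])


def profile_clients(records):
    """Aggregate the slide's indicators per client."""
    profiles = defaultdict(lambda: {"dga_names": [], "short_ttl": [],
                                    "dynamic_dns": [], "nxdomain": 0})
    for client, qname, rcode, ttl, _answer in records:
        p = profiles[client]
        if looks_like_dga(qname):
            p["dga_names"].append(qname)
        if rcode == "NXDOMAIN":
            p["nxdomain"] += 1
        if ttl is not None and ttl <= SHORT_TTL_SECONDS:
            p["short_ttl"].append(qname)
        if qname.lower().endswith(DYNAMIC_DNS_SUFFIXES):
            p["dynamic_dns"].append(qname)
    return dict(profiles)


def suspicious_clients(records):
    """Map client -> list of reasons it deserves a closer look."""
    out = {}
    for client, p in profile_clients(records).items():
        reasons = []
        if p["dga_names"]:
            reasons.append("DGA-like names: " + ", ".join(p["dga_names"]))
        if p["nxdomain"] >= NXDOMAIN_ALERT_THRESHOLD:
            reasons.append("%d NXDOMAIN answers" % p["nxdomain"])
        if p["short_ttl"]:
            reasons.append("short TTL (<=%ds): %s" % (SHORT_TTL_SECONDS, ", ".join(p["short_ttl"])))
        if p["dynamic_dns"]:
            reasons.append("dynamic DNS destination: " + ", ".join(p["dynamic_dns"]))
        if reasons:
            out[client] = reasons
    return out


if __name__ == "__main__":
    for client, reasons in suspicious_clients(DNS_LOG).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The dynamic-DNS and short-TTL indicators fire on their own because, as the slide says, the question is whether the host needs that connection at all; only the NXDOMAIN count is thresholded so that a single typo such as www.cissco.com does not page anyone.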
Discover Vulnerabilities and Defense Against Malware
The NG in NGIPS/NGFW?
[Diagram comparing a typical IPS (threats, signatures) and a typical NGFW (users, file transfers, web applications, application protocols) with Cisco Firepower NGFW, which adds context: malware, client applications, operating systems, mobile devices, VoIP phones, routers & switches, printers, C&C servers, network servers. Context feeds signature recommendation and threat protection.]
Firepower Host Discovery
• Firepower uses passive fingerprinting to automatically discover
  - Operating system
  - Logged-in users
  - Applications
  - Vulnerabilities
[Diagram: Inside network, Public DMZ (Public DNS, Public WWW), Internet; discovered host 10.1.42.110: OS Linux, User, Apps Apache, Vulnerabilities]
Firepower Context Explorer
View all application traffic… Look for risky applications… Who is using them? On what operating systems? What else have these users been up to? What does their traffic look like over time?
Signature Tuning based on Context
• Automation saves time
• Improved performance
• Reduced false positives
Firepower Impact Flags
• Use knowledge of what we are protecting to prioritize alerts
• Allows for a workflow defining IPS SLAs, e.g.
  - Impact 1: within 1 hour
  - Impact 2: within 6 hours
  - Impact 3: monthly reporting

IMPACT FLAG  ADMINISTRATOR ACTION                    WHY
1            Act Immediately, Vulnerable             Event corresponds to vulnerability mapped to host
2            Investigate, Potentially Vulnerable     Relevant port open or protocol in use, but no vuln mapped
3            Good to Know, Currently Not Vulnerable  Relevant port not open or protocol not in use
4            Good to Know, Unknown Target            Monitored network, but unknown host
0            Good to Know, Unknown Network           Unmonitored network
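The impact-flag table is a decision procedure over what host discovery already knows about the target. As an added example (not Firepower's own code), the Python below implements that procedure and uses it to order an alert batch and attach the SLA from the slide. The host profile for 10.1.42.110 (the host on the discovery slide), the monitored network, the vulnerability and signature identifiers, and the SLA assumed for flags 4 and 0 (the slide gives none) are constructed placeholders.

```python
import ipaddress

# Constructed host knowledge, as passive host discovery would learn it.
# The open ports and the vulnerability id are placeholders, not real findings.
HOSTS = {
    "10.1.42.110": {
        "os": "Linux",
        "open_ports": {("tcp", 22), ("tcp", 80)},
        "vulns": {"VULN-PLACEHOLDER-1"},
    },
}
MONITORED_NETWORKS = [ipaddress.ip_network("10.1.42.0/24")]  # assumption

# SLA per impact level from the slide; flags 4 and 0 are assumed (not on the
# slide) to fall under the same "good to know" monthly reporting as flag 3.
SLA = {1: "within 1 hour", 2: "within 6 hours", 3: "monthly reporting",
       4: "monthly reporting", 0: "monthly reporting"}


def impact_flag(event, hosts=HOSTS, monitored=MONITORED_NETWORKS):
    """Classify one IPS event per the impact-flag table.

    `event` carries the target address, transport protocol and port, and the
    vulnerability id the signature maps to (None for generic signatures).
    Returns (flag, administrator action, why)."""
    target = ipaddress.ip_address(event["dst_ip"])
    if not any(target in net for net in monitored):
        return 0, "Good to Know, Unknown Network", "unmonitored network"
    host = hosts.get(event["dst_ip"])
    if host is None:
        return 4, "Good to Know, Unknown Target", "monitored network, but unknown host"
    if event.get("vuln_id") in host["vulns"]:
        return 1, "Act Immediately, Vulnerable", "event corresponds to vulnerability mapped to host"
    if (event["proto"], event["dst_port"]) in host["open_ports"]:
        return 2, "Investigate, Potentially Vulnerable", "relevant port open or protocol in use, but no vuln mapped"
    return 3, "Good to Know, Currently Not Vulnerable", "relevant port not open or protocol not in use"


def triage(events, hosts=HOSTS, monitored=MONITORED_NETWORKS):
    """Order an alert batch the way the table reads (1, 2, 3, 4, then 0) and
    attach the SLA for each row."""
    rows = []
    for ev in events:
        flag, action, why = impact_flag(ev, hosts, monitored)
        rows.append({"flag": flag, "sig": ev["sig"], "dst_ip": ev["dst_ip"],
                     "action": action, "why": why, "sla": SLA[flag]})
    # flag 0 means "unknown network", which the table lists last
    rows.sort(key=lambda r: r["flag"] if r["flag"] else 5)
    return rows


# Constructed events; signature names are placeholders.
EVENTS = [
    {"sig": "SIG-A", "dst_ip": "10.1.42.110", "proto": "tcp", "dst_port": 445, "vuln_id": None},
    {"sig": "SIG-B", "dst_ip": "192.0.2.5",   "proto": "tcp", "dst_port": 80,  "vuln_id": None},
    {"sig": "SIG-C", "dst_ip": "10.1.42.110", "proto": "tcp", "dst_port": 80,  "vuln_id": "VULN-PLACEHOLDER-1"},
    {"sig": "SIG-D", "dst_ip": "10.1.42.200", "proto": "udp", "dst_port": 53,  "vuln_id": None},
    {"sig": "SIG-E", "dst_ip": "10.1.42.110", "proto": "tcp", "dst_port": 22,  "vuln_id": "VULN-PLACEHOLDER-2"},
]

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row["flag"], row["sig"], row["dst_ip"], row["action"], "-", row["sla"])
```

The ordering of the checks matters: network membership is tested before host knowledge, and a mapped vulnerability beats an open port, so the same signature against the same host moves from flag 3 to flag 2 to flag 1 as discovery learns more about it.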
Firepower: Detecting Anomalies
• Detects if a new application appears or the traffic profile changes
• Identify hacked hosts
• Useful in static environments: SCADA, DMZ, MEDTEC...
• Reduced risk and cost
[Example alert: host has suddenly started to use an SSH client and outgoing traffic volume has increased by 3]
Cisco Advanced Malware Protection
What are we actually providing with the solution?

Capability          Function                                          Provided by
File Reputation     Preventative blocking of known suspicious files   AMP
File Analysis       Behavioral analysis of unknown files              AMP & ThreatGrid
File Retrospection  Retrospective alerting if disposition changes     AMP
Advanced Malware Protection (AMP)
Uncover hidden threats in the environment
• Block known malware – File Reputation: known signatures, fuzzy fingerprinting, indications of compromise
• Investigate files safely – Threat Grid sandboxing: advanced analytics, dynamic analysis, threat intelligence
• Detect new threats – sandbox analysis returns a threat disposition (Risky / Safe / Uncertain)
• Respond to alerts – File & Device Trajectory, with enforcement across all endpoints (AMP for Network log, AMP for Endpoint log)
Sandboxing
• Sandboxing: technology that uses dynamic analysis to let code run inside a virtual machine
• Detect potentially malicious behavior:
  - network activity
  - persistence (registry writes, service creation)
  - spreading
  - anti-debugging
  - reading password files
  - key-logging
  - …
File Trajectory
[Screenshot: file trajectory view]
AMP for End Point
• Uses the same intelligence as Network AMP
• Very powerful in getting visibility on the device
Device Trajectory
[Screenshot: device trajectory view]
Cisco Stealthwatch
Transactional Telemetry NetFlow/IPFIX
Identifying the flows

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  SGT   DGT   TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        100   1010  SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       1010  100   SYN,ACK,FIN

[Diagram: 10.2.2.2 port 1024 ↔ 10.1.1.1 port 80; the client → server half is seen on eth0/1 and the server → client half on eth0/2. The slide repeats the first record to show that the same half-flow can be reported more than once.]

Netflow/IPFIX is the detailed phone bill of the network. It shows who is talking to whom, for how long and when. The network is your sensor.
• Flow stitching and deduplication
• NAT boundaries
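Flow stitching and deduplication are what turn the two unidirectional records above into one conversation. As an added example (not Stealthwatch code), the Python below does both: duplicate half-flows (the same 5-tuple and start time reported by more than one exporter) collapse to one, and the two directions are paired into a single conversational record whose initiator is the side whose half-flow started first. The two records are the slide's; the third record, the exporter names and the tie-break on port are constructed assumptions.

```python
from collections import defaultdict


def parse_time(hhmmss):
    """'10:20:12.221' -> seconds since midnight as a float."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def record(start, interface, src_ip, src_port, dst_ip, dst_port, proto,
           pkts, nbytes, sgt, dgt, flags, exporter):
    return dict(start=start, interface=interface, src_ip=src_ip, src_port=src_port,
                dst_ip=dst_ip, dst_port=dst_port, proto=proto, pkts=pkts, bytes=nbytes,
                sgt=sgt, dgt=dgt, flags=flags, exporter=exporter)


# The two unidirectional records from the slide, plus a constructed duplicate of
# the first one as a second exporter on the path would report it.
RAW_RECORDS = [
    record("10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, 100, 1010, "SYN,ACK,PSH", exporter="sw1"),
    record("10:20:12.871", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712, 1010, 100, "SYN,ACK,FIN", exporter="sw1"),
    record("10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, 100, 1010, "SYN,ACK,PSH", exporter="rtr1"),
]


def deduplicate(records):
    """Collapse the same half-flow reported by several exporters. The key is the
    start time plus the 5-tuple; the copy with the larger byte count wins, since a
    later exporter may have seen more of the flow before export."""
    best = {}
    for r in records:
        key = (r["start"], r["src_ip"], r["src_port"], r["dst_ip"], r["dst_port"], r["proto"])
        if key not in best or r["bytes"] > best[key]["bytes"]:
            best[key] = r
    return list(best.values())


def stitch(records):
    """Pair the two directions of each conversation into one record."""
    halves = defaultdict(list)
    for r in deduplicate(records):
        a = (r["src_ip"], r["src_port"])
        b = (r["dst_ip"], r["dst_port"])
        halves[(min(a, b), max(a, b), r["proto"])].append(r)
    conversations = []
    for parts in halves.values():
        # Earliest half-flow is the initiator; on equal start times the higher
        # (ephemeral) source port is assumed to be the client side.
        parts.sort(key=lambda r: (parse_time(r["start"]), -r["src_port"]))
        first = parts[0]
        client = (first["src_ip"], first["src_port"])
        conv = {
            "start": first["start"], "proto": first["proto"],
            "client": first["src_ip"], "client_port": first["src_port"],
            "server": first["dst_ip"], "server_port": first["dst_port"],
            "client_pkts": 0, "client_bytes": 0, "server_pkts": 0, "server_bytes": 0,
            "sgt": first["sgt"], "dgt": first["dgt"],
            "flags": set(), "interfaces": set(),
        }
        for r in parts:
            side = "client" if (r["src_ip"], r["src_port"]) == client else "server"
            conv[side + "_pkts"] += r["pkts"]
            conv[side + "_bytes"] += r["bytes"]
            conv["flags"].update(r["flags"].split(","))
            conv["interfaces"].add(r["interface"])
        conv["total_bytes"] = conv["client_bytes"] + conv["server_bytes"]
        conversations.append(conv)
    return conversations


if __name__ == "__main__":
    for c in stitch(RAW_RECORDS):
        print("%s:%d -> %s:%d %s client %d B / server %d B, flags %s" % (
            c["client"], c["client_port"], c["server"], c["server_port"], c["proto"],
            c["client_bytes"], c["server_bytes"], ",".join(sorted(c["flags"]))))
```

The deduplication key deliberately excludes the exporter and interface, which is what makes the rtr1 copy collapse into the sw1 copy; across a NAT boundary the 5-tuple changes and this simple key no longer matches, which is why the slide lists NAT boundaries as a separate problem.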
[Stealthwatch architecture diagram]
• StealthWatch FlowCollector and StealthWatch Management Console
• Telemetry sources: routers, switches, firewalls, WLC (NetFlow); StealthWatch FlowSensor on SPAN/TAP and vSphere/ESXi; AnyConnect NVM from endpoints (user, endpoint, processes and contextual telemetry data); Stealthwatch Cloud
• Contextual data feeds: Intelligence Feed (known command and control servers); Cisco ISE via pxGrid (user and device information); proxies (WSA, Squid, McAfee, BlueCoat: username & URL); application (NBAR) & URL; NAT (firewall)
Conversational Flow Record
[Screenshot: conversational flow record]
Behavioral and Anomaly Detection Model
Behavioral algorithms are applied to build “security events”

COLLECT AND ANALYZE FLOWS → SECURITY EVENTS (94+) → ALARM CATEGORY → RESPONSE

Security events (examples): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host Attempted, Bot Infected Host Successful, Flow_Denied, … ICMP Flood, … Max Flows Initiated, Max Flows Served, … Suspect Long Flow, Suspect UDP Activity, SYN Flood
Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target
Responses: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation
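As an added example (not Stealthwatch or Firepower code), the Python below shows what "behavioral algorithms applied to flows" means in practice for three of the events named on this slide and on the Firepower anomaly slide above: Beaconing Host (regular connection intervals to one destination), Suspect Long Flow, and a traffic-profile change (a new application, or outbound volume at least 3x the host's baseline). The conversational flow records, the baselines, the thresholds, and the mapping from event to alarm category are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Thresholds are assumptions to tune per environment; VOLUME_FACTOR follows the
# Firepower anomaly slide ("outgoing traffic volume has increased by 3").
BEACON_MIN_CONNECTIONS = 5
BEACON_MAX_JITTER = 0.10     # coefficient of variation of the connection intervals
LONG_FLOW_SECONDS = 3600
VOLUME_FACTOR = 3

T0 = 10 * 3600               # 10:00:00 as seconds since midnight


def flow(start, client, server, server_port, app, client_bytes, duration_s):
    return dict(start=start, client=client, server=server, server_port=server_port,
                app=app, client_bytes=client_bytes, duration_s=duration_s)


# Constructed conversational flow records for one day (not from the presentation).
FLOWS = [
    # 10.1.42.110 reaches 85.231.1.18:443 about every 300 s with tiny payloads
    flow(T0 + 0,    "10.1.42.110", "85.231.1.18", 443, "https", 2_000, 1),
    flow(T0 + 300,  "10.1.42.110", "85.231.1.18", 443, "https", 2_000, 1),
    flow(T0 + 598,  "10.1.42.110", "85.231.1.18", 443, "https", 2_000, 1),
    flow(T0 + 902,  "10.1.42.110", "85.231.1.18", 443, "https", 2_000, 1),
    flow(T0 + 1199, "10.1.42.110", "85.231.1.18", 443, "https", 2_000, 1),
    flow(T0 + 1501, "10.1.42.110", "85.231.1.18", 443, "https", 2_000, 1),
    # one two-hour SSH session pushing 130 MB out: new application and long flow
    flow(T0 + 2000, "10.1.42.110", "203.0.113.9", 22, "ssh", 130_000_000, 7200),
    # a second host behaving as usual
    flow(T0 + 100,  "10.1.42.120", "198.51.100.10", 80, "http", 1_000_000, 30),
    flow(T0 + 4000, "10.1.42.120", "198.51.100.10", 80, "http", 1_000_000, 25),
]

# Learned per-host baseline (constructed): applications seen before and the
# typical outbound byte volume per day.
BASELINE = {
    "10.1.42.110": {"apps": {"https", "dns"}, "bytes_out": 40_000_000},
    "10.1.42.120": {"apps": {"http", "dns"}, "bytes_out": 5_000_000},
}

# Assumed mapping from security event to the slide's alarm categories.
ALARM_CATEGORY = {"Beaconing Host": "C&C", "Suspect Long Flow": "Exfiltration",
                  "Traffic Volume Change": "Exfiltration",
                  "New Application": "Concern", "New Host": "Concern"}


def beaconing_events(flows):
    """Same client, same server:port, many connections at near-constant spacing."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["client"], f["server"], f["server_port"])].append(f["start"])
    events = []
    for (client, server, port), starts in by_pair.items():
        if len(starts) < BEACON_MIN_CONNECTIONS:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= BEACON_MAX_JITTER:
            events.append(("Beaconing Host", client,
                           "%s:%d every ~%.0fs (jitter %.2f)" % (server, port, mean, jitter)))
    return events


def long_flow_events(flows):
    return [("Suspect Long Flow", f["client"],
             "%s:%d open for %ds" % (f["server"], f["server_port"], f["duration_s"]))
            for f in flows if f["duration_s"] >= LONG_FLOW_SECONDS]


def profile_change_events(flows, baseline):
    """New application for the host, or outbound volume >= VOLUME_FACTOR x baseline."""
    apps, out = defaultdict(set), defaultdict(int)
    for f in flows:
        apps[f["client"]].add(f["app"])
        out[f["client"]] += f["client_bytes"]
    events = []
    for host in apps:
        base = baseline.get(host)
        if base is None:
            events.append(("New Host", host, "no baseline profile"))
            continue
        new_apps = apps[host] - base["apps"]
        if new_apps:
            events.append(("New Application", host, ", ".join(sorted(new_apps))))
        if base["bytes_out"] and out[host] >= VOLUME_FACTOR * base["bytes_out"]:
            events.append(("Traffic Volume Change", host,
                           "outbound x%.1f vs baseline" % (out[host] / base["bytes_out"])))
    return events


def security_events(flows, baseline):
    """(event, host, alarm category, detail) for every triggered algorithm."""
    raw = beaconing_events(flows) + long_flow_events(flows) + profile_change_events(flows, baseline)
    return [(name, host, ALARM_CATEGORY[name], detail) for name, host, detail in raw]


if __name__ == "__main__":
    for name, host, category, detail in security_events(FLOWS, BASELINE):
        print("%-22s %-12s [%s] %s" % (name, host, category, detail))
```

Each algorithm looks at a different shape in the same flow data: timing regularity for beaconing, duration for long flows, and a host's own history for profile changes. That is why the slide counts the events separately from the alarm categories; several events from different algorithms can roll up into one C&C or exfiltration alarm on the host.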
Defense Summary
Summary: Defense against CnC
• Use state-of-the-art perimeter defenses
  - Email security (ESA)
  - Web security (WSA)
  - DNS security (Umbrella)
• NGFW (reputation)
• NGIPS (vulnerabilities)
• AMP
• StealthWatch: behaviour (concept and CnC)

Atelier Technique CISCO ACSS 2018
