issa-the rise of ransomware v0 · issa-the rise of ransomware v0.3 author: predrag zivic created...

THE RISE OFRANSOMWARETHREE CRITICAL STEPS TOPREVENT AN OUTBREAK INYOUR ORGANIZATION

Pez ZivicGlobal Systems Engineer

CISSP, CISA

How do we feel?

5 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Research and Learn!

Source: PaloAltoNetworks.com/solutions/initiatives/ransomware

Cooperation and Partnership in Research and Learning

7 | © 2015,Palo Alto Networks. Confidential and Proprietary.

44% Victims Paid Up

$325MEstimated Damages Across the Globe

30.7% Exploit Delivery

CryptoWall v3 Investigation

Source: http://go.paloaltonetworks.com/cryptowall

Palo Alto Networks Intel SecuritySymantecFortinet

Co-­Founded by

What We Learned?

9 | © 2015,Palo Alto Networks. Confidential and Proprietary.

To Prevent Ransomware:

10 | © 2015,Palo Alto Networks. Confidential and Proprietary.

1. Attack Vectors

2. Delivery Methods

3. How to Block

Hidden Attack Vectors!

11 | © 2015,Palo Alto Networks. Confidential and Proprietary.

12 | © 2015,Palo Alto Networks. Confidential and Proprietary.

1. A

ttac

k Ve

ctor

s

Exploits ExecMacros

13 | © 2015,Palo Alto Networks. Confidential and Proprietary.

1. A

ttac

k Ve

ctor

s

Exploits ExecMacros

14 | © 2015,Palo Alto Networks. Confidential and Proprietary.

1. A

ttac

k Ve

ctor

s

Exploits ExecMacros

15 | © 2015,Palo Alto Networks. Confidential and Proprietary.

1. A

ttac

k Ve

ctor

s

Exploits ExecMacros

Delivery Methods

16 | © 2015,Palo Alto Networks. Confidential and Proprietary.

17 | © 2015,Palo Alto Networks. Confidential and Proprietary.

ExploitKits

Drive-­by Downloads

EmailAttachments

2. D

eliv

ery

Met

hods

18 | © 2015,Palo Alto Networks. Confidential and Proprietary.

ExploitKits

Drive-­by Downloads

EmailAttachments

2. D

eliv

ery

Met

hods

19 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Exploit Kits

2. D

eliv

ery

Met

hods

User visits a compromised website

Malicious code or ad redirects to exploit kit landing

page

Exploit kit page loads;; determines best way to compromise user

endpoint

Exploit kit compromises user

endpoint

Exploit kit delivers ransomware

Ransomware encrypts data and holds it for

ransom

20 | © 2015,Palo Alto Networks. Confidential and Proprietary.

ExploitKits

Drive-­by Downloads

EmailAttachments

2. D

eliv

ery

Met

hods

21 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Email Attachments

2. D

eliv

ery

Met

hods

User receives targeted email with

infected file

User opens file, thinking it is a

legitimate document

Office runs macro, downloads

ransomware from URL embedded in doc

Ransomware encrypts data and holds it for

ransom

22 | © 2015,Palo Alto Networks. Confidential and Proprietary.

ExploitKits

Drive-­by Downloads

EmailAttachments

2. D

eliv

ery

Met

hods

23 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Drive-­by Download

2. D

eliv

ery

Met

hods

User visits a compromised website

Website serves exploit to compromises user

endpoint

Exploit downloads ransomware

Ransomware encrypts data and holds it for

ransom

24 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Multiple Attack Vectors

Multiple Delivery Methods

Perimeter

Cloud/SaaS

Endpoints

The Problem – Prevent & Detect Ransomware

How to Block and Detect?

25 | © 2015,Palo Alto Networks. Confidential and Proprietary.

26 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Reduce Attack Surface

3. H

ow t

o B

lock

Prevent Known Threats

Prevent Unknown Threats

27 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Reduce Attack Surface

Block unknown traffic

Stop dangerous file types

Block malicious URLs

Micro-­segmentationN-­S & E-­W

Extend zero-­trust policies to endpoints

Block dangerous file types

Disallow non-­org access

Extend threat intelligence from network to SaaS apps to endpoints

Reduce Attack Surface

28 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Prevent Known Threats

Block storage or transmission of files containing exploits

Scan cloud storage & SaaS apps for malicious files

Extend threat intelligence from network to SaaS apps to endpoints

Block all known exploits

Block execution of known malware

Stop known exploits, malware & command-­and-­control traffic

Block malicious URLs

Prevent Known Threats

Block Virus & Vulnerabilities

29 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Prevent Unknown Threats

Block all unknown and zero-­day exploits

Block execution of unknown malware

Extend threat intelligence from network to SaaS apps to endpoints

Control unknown traffic

Detect and prevent threats in unknown files and URLs

Add context to threats and create proactive

protections

Scan cloud storage & SaaS apps for malicious files

Prevent Unknown Threats

30 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Exploit Kits Email Attachments Drive-­‐by Download

Network & Perimeter

––––––

––––––

––––––

SaaS Applications

––––––

––––––

––––––

Endpoint

––––––

––––––

––––––

Automated Ransomware Prevention Across

Multiple Attack Vectorsand Delivery Methods is Only Possible with an Integrated

Security Platform

How to Block and Detect?

31 | © 2015,Palo Alto Networks. Confidential and Proprietary.

32 | © 2015,Palo Alto Networks. Confidential and Proprietary.

Traps

WildFireAperture

Threat-­ID

App-­ID

AutoFocus

User-­ID

URL Filter

Implementing Contextual Security

Traps

Enhancing Contextual Security with Partners

GlobalProtect

WildFire

AutoFocus

Aperture

Threat Prevention

URL Filtering

10 | © 2015,Palo Alto Networks. Confidential and Proprietary.

AppID, UserID

SocialPatrol

TANIUM

TANIUM Mgmt.

RESOURCES

Unit 42 Ransomware Report:http://Go.PaloAltoNetworks.com/ransomware2016

Ultimate Test Drives:http://Go.PaloAltoNetworks.com/TestDrive