THE RISE OF RANSOMWARE: THREE CRITICAL STEPS TO PREVENT AN OUTBREAK IN YOUR ORGANIZATION
Pez Zivic, Global Systems Engineer
CISSP, CISA
How do we feel?
5 | © 2015,Palo Alto Networks. Confidential and Proprietary.
Research and Learn!
Source: PaloAltoNetworks.com/solutions/initiatives/ransomware
Cooperation and Partnership in Research and Learning
7 | © 2015,Palo Alto Networks. Confidential and Proprietary.
CryptoWall v3 Investigation
44% Victims Paid Up
$325M Estimated Damages Across the Globe
30.7% Exploit Delivery
Source: http://go.paloaltonetworks.com/cryptowall
Co-Founded by: Palo Alto Networks, Intel Security, Symantec, Fortinet
What Did We Learn?
To Prevent Ransomware:
1. Attack Vectors
2. Delivery Methods
3. How to Block
Hidden Attack Vectors!
1. Attack Vectors
Exploits, Executables, Macros
Delivery Methods
2. Delivery Methods
Exploit Kits
Drive-by Downloads
Email Attachments
Exploit Kits
1. User visits a compromised website
2. Malicious code or ad redirects to exploit kit landing page
3. Exploit kit page loads; determines best way to compromise user endpoint
4. Exploit kit compromises user endpoint
5. Exploit kit delivers ransomware
6. Ransomware encrypts data and holds it for ransom
Email Attachments
1. User receives targeted email with infected file
2. User opens file, thinking it is a legitimate document
3. Office runs macro, downloads ransomware from URL embedded in doc
4. Ransomware encrypts data and holds it for ransom
Drive-by Download
1. User visits a compromised website
2. Website serves exploit to compromise user endpoint
3. Exploit downloads ransomware
4. Ransomware encrypts data and holds it for ransom
The Problem – Prevent & Detect Ransomware
Multiple Attack Vectors
Multiple Delivery Methods
Across: Perimeter, Cloud/SaaS, Endpoints
How to Block and Detect?
3. How to Block
Reduce Attack Surface
Prevent Known Threats
Prevent Unknown Threats
Reduce Attack Surface
Block unknown traffic
Stop dangerous file types
Block malicious URLs
Micro-segmentation (N-S & E-W)
Extend zero-trust policies to endpoints
Block dangerous file types
Disallow non-org access
Extend threat intelligence from network to SaaS apps to endpoints
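One way to implement the "Stop dangerous file types" control for the email-attachment chain above (Office macro fetching the payload from an embedded URL) is to gate attachments on content rather than extension. This is an added example, not code from the deck or from Palo Alto Networks; the verdict names, the sample attachments and the minimal OOXML fixtures are constructed here. It relies on two facts: OOXML documents are zip containers, and VBA macros are stored in a vbaProject.bin part.

```python
import io
import zipfile

PE_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # zip local file header; OOXML (.docx/.xlsm/...) is a zip container

def classify_attachment(data: bytes) -> str:
    """Content-based verdict: block-executable, block-macro, block-malformed or allow."""
    if data.startswith(PE_MAGIC):
        return "block-executable"          # an .exe renamed to .pdf still starts with MZ
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "block-malformed"       # zip magic but no readable archive: do not trust it
        # A vbaProject.bin part (under word/, xl/ or ppt/) means the document carries VBA,
        # whatever extension the sender gave it.
        if any(n.rsplit("/", 1)[-1].lower() == "vbaproject.bin" for n in names):
            return "block-macro"
    return "allow"

def build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in parts.items():
            zf.writestr(path, content)
    return buf.getvalue()

# Constructed sample attachments covering each verdict.
SAMPLES = {
    "invoice.docx": build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "invoice_macro.docx": build_ooxml({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>",
                                       "word/vbaProject.bin": b"\x00constructed-vba-stub"}),
    "statement.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "notes.txt": b"plain text, nothing to see",
}

def gate_all(samples: dict) -> dict:
    """Run the gate over every attachment and return {filename: verdict}."""
    return {name: classify_attachment(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in gate_all(SAMPLES).items():
        print(f"{name:20s} -> {verdict}")
```

Note that "invoice_macro.docx" is blocked although its extension claims a macro-free document; renaming is exactly what a content check is meant to catch.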
Prevent Known Threats
Block storage or transmission of files containing exploits
Scan cloud storage & SaaS apps for malicious files
Extend threat intelligence from network to SaaS apps to endpoints
Block all known exploits
Block execution of known malware
Stop known exploits, malware & command-and-control traffic
Block malicious URLs
Block Virus & Vulnerabilities
Prevent Unknown Threats
Block all unknown and zero-day exploits
Block execution of unknown malware
Extend threat intelligence from network to SaaS apps to endpoints
Control unknown traffic
Detect and prevent threats in unknown files and URLs
Add context to threats and create proactive protections
Scan cloud storage & SaaS apps for malicious files
Coverage matrix: delivery methods (Exploit Kits, Email Attachments, Drive-by Download) against enforcement points (Network & Perimeter, SaaS Applications, Endpoint)
Automated Ransomware Prevention Across Multiple Attack Vectors and Delivery Methods is Only Possible with an Integrated Security Platform
How to Block and Detect?
Implementing Contextual Security
Traps, WildFire, Aperture, Threat-ID, App-ID, AutoFocus, User-ID, URL Filter
Enhancing Contextual Security with Partners
Traps, GlobalProtect, WildFire, AutoFocus, Aperture, Threat Prevention, URL Filtering, App-ID, User-ID
Partners: SocialPatrol, TANIUM, TANIUM Mgmt.
RESOURCES
Unit 42 Ransomware Report: http://Go.PaloAltoNetworks.com/ransomware2016
Ultimate Test Drives: http://Go.PaloAltoNetworks.com/TestDrive