Cryptolocker Webcast

OpenDNS Confidential: CONTAINING CRYPTOLOCKER: How Predictive Analytics Combat Emerging Threats

Uploaded by: opendns

Posted on 14-Jan-2015

33 slides

DESCRIPTION

Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom. So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward?

In this webcast, you will learn:

- What steps are involved in a Cryptolocker attack
- How Domain Generation Algorithms enable it to evade most threat detection methods
- Why leveraging our global intelligence has been effective in containing Cryptolocker
- What you can do to avoid becoming a victim

TRANSCRIPT

Page 1: Cryptolocker Webcast

OpenDNS Confidential

CONTAINING CRYPTOLOCKER

How Predictive Analytics Combat Emerging Threats

Page 2: Cryptolocker Webcast

#2 | 11-Dec-13 | OpenDNS Confidential

AGENDA

1. CYBER ATTACKS & THREATS: multiple stages, varying tactics

2. CRYPTOLOCKER IN-DEPTH: how it works, what can stop it

3. WHY SECURITY FALLS BEHIND: how OpenDNS contained Cryptolocker, why we stay ahead

Page 3: Cryptolocker Webcast


CYBER ATTACKS AND THREATS

Page 4: Cryptolocker Webcast

CYBER-ATTACKS ARE MULTI-STAGE

A BUSINESS MAY OBSERVE UP TO FIVE STAGES. The diagram brackets them with the attacker's own RECON & PREP (before) and MOVE DATA & MONEY (after):

1. LURE USER
2. INFECT SYSTEM
3. PHONE HOME
4. BREACH NETWORK
5. REALIZE MOTIVE

Page 5: Cryptolocker Webcast

LURE & INFECTION: MULTIPLE ATTACK VECTORS

EMAIL ONLY: Socially-engineered content (business sender) -> Malicious attachment (ZIP and/or EXE falsely labeled as PDF)

EMAIL TO WEB: Falsely-labeled web link -> Compromised web site (Javascript redirection) -> Malware drop host (often exploits browser or plug-in vulnerabilities)

WEB ONLY: Links in forums or search engines -> Compromised web site (Javascript redirection) -> Malware drop host (often exploits browser or plug-in vulnerabilities)

Page 6: Cryptolocker Webcast

PHONE HOME (to CnCs): INCREASING SOPHISTICATION

[Diagram: three rendezvous strategies side by side, STATIC, FAST FLUX and DGA (domain generation algorithm). The example labels on the diagram are the domains bad.com, baa.ru?, bid.cn and bad.com? and the addresses 23.4.24.1, 44.6.11.8, 23.4.34.55, 129.3.6.3, 34.4.2.110, 87.32.4.21 and 83.56.21.1.]

STATIC: a single hard-coded domain pointing at a fixed address.

FAST FLUX: a single domain whose answers rotate across many addresses.

DGA (domain generation algorithm): many algorithmically generated candidate domains (the "?" marks names that may not resolve), spread across a changing set of addresses.
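The three phone-home strategies on this slide leave different traces at a recursive resolver, and that is what a defender can key on. The following is an added example, not code from the webcast or from OpenDNS: it profiles a constructed batch of resolver answers, labels each domain as static (one answer), fast-flux (answer set churns) or NXDOMAIN, and separately flags clients that collect NXDOMAIN responses for many distinct names, the per-client signature of a DGA walking its candidate list. The domain names, the client addresses and the thresholds are assumptions made for the example; the IP labels are reused from the slide's diagram as placeholders.

```python
from collections import defaultdict

# Constructed sample of answers seen at a recursive resolver, as (client, qname, answer_ip).
# answer_ip is None for an NXDOMAIN response. Domain names are made up for this example;
# the addresses reuse the slide's diagram labels and are placeholders, not indicators.
SAMPLE_ANSWERS = [
    # Static rendezvous: one hard-coded domain, one address, queried by several clients.
    ("10.0.0.5", "static.example", "34.4.2.110"),
    ("10.0.0.7", "static.example", "34.4.2.110"),
    ("10.0.0.9", "static.example", "34.4.2.110"),
    # Fast flux: one domain whose answers rotate across many addresses.
    ("10.0.0.5", "flux.example", "23.4.24.1"),
    ("10.0.0.5", "flux.example", "44.6.11.8"),
    ("10.0.0.7", "flux.example", "23.4.34.55"),
    ("10.0.0.7", "flux.example", "129.3.6.3"),
    ("10.0.0.9", "flux.example", "87.32.4.21"),
    # DGA: one client walks a list of generated names; most do not exist yet, one resolves.
    ("10.0.0.11", "qxkvbnrtwlp.biz", None),
    ("10.0.0.11", "mfjdhqwzpsy.ru", None),
    ("10.0.0.11", "ztqpwlvbnkm.info", None),
    ("10.0.0.11", "hdvxqlrmzsp.net", "83.56.21.1"),
    # Ordinary lookups from the same hosts, so the heuristics have benign traffic to ignore.
    ("10.0.0.11", "www.example.org", "198.51.100.10"),
    ("10.0.0.5", "www.example.org", "198.51.100.10"),
]


def answer_profiles(answers):
    """Return {qname: (set of answer IPs, count of NXDOMAIN responses)}."""
    ips = defaultdict(set)
    nxdomain = defaultdict(int)
    for _client, qname, ip in answers:
        if ip is None:
            nxdomain[qname] += 1
        else:
            ips[qname].add(ip)
    names = set(ips) | set(nxdomain)
    return {q: (ips[q], nxdomain[q]) for q in names}


def classify_domain(profile, flux_threshold=4):
    """Per-domain view: static (one address), fast-flux (many addresses) or nxdomain."""
    ips, _nx = profile
    if not ips:
        return "nxdomain"
    if len(ips) >= flux_threshold:  # assumed threshold; real detectors also weigh TTL and ASN spread
        return "fast-flux"
    return "static"


def classify_all(answers, flux_threshold=4):
    return {q: classify_domain(p, flux_threshold) for q, p in answer_profiles(answers).items()}


def dga_suspects(answers, min_nxdomain_names=3):
    """Per-client view: clients that received NXDOMAIN for at least N distinct names.

    A DGA client generates many names that are not registered (yet), so the distinct
    NXDOMAIN count per client spikes even though each individual name looks harmless.
    """
    nx_names = defaultdict(set)
    for client, qname, ip in answers:
        if ip is None:
            nx_names[client].add(qname)
    return sorted(c for c, names in nx_names.items() if len(names) >= min_nxdomain_names)


if __name__ == "__main__":
    for qname, label in sorted(classify_all(SAMPLE_ANSWERS).items()):
        print(f"{qname:20s} {label}")
    print("DGA suspects:", dga_suspects(SAMPLE_ANSWERS))
```

Note what the per-domain view misses: the one generated name that did resolve (hdvxqlrmzsp.net) is labelled "static" like any ordinary host, which is exactly why domain-by-domain blocking lags a DGA; only the per-client cardinality check surfaces 10.0.0.11.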

Page 7: Cryptolocker Webcast

BREACH & MOTIVE: MOST BREACHES YOU DON'T SEE

DISRUPTS YOUR BUSINESS: Locks You Out of Your Data on Your Network; Pay the Ransom to Unlock the Data

HIJACKS YOUR INFRASTRUCTURE: Attacks Other Businesses Using Your Reputation

MANIPULATES YOUR DATA: Cyber-Criminals and Nation States Obtain Your Knowledge

Page 8: Cryptolocker Webcast


CRYPTOLOCKER IN-DEPTH

Page 9: Cryptolocker Webcast

IT IS TARGETING BUSINESSES

1. EMAIL-ONLY VECTOR
2. FAKE EXECUTABLE
3. DGA-BASED PHONE HOME
4. ENCRYPT DATA
5. COLLECT RANSOM

BUSINESSES OFTEN MISS SEEING THE THIRD STAGE

Page 10: Cryptolocker Webcast

WHICH SOLUTIONS CAN STOP IT?

SECURITY REQUIRES VISIBILITY, INTELLIGENCE AND ENFORCEMENT

The slide shows a control beside each stage of the chain:

1. EMAIL-ONLY VECTOR: Firewalls or Gateways
2. FAKE EXECUTABLE: Endpoint Protections
3. DGA-BASED PHONE HOME: Firewalls, Gateways or Endpoint Protections
4. ENCRYPT DATA: Encryption or DB Security
5. COLLECT RANSOM: Data Archiving

BLOCK WHAT IS KNOWN TO BE MALICIOUS:
- by appearance
- by origin
- by behavior

Page 11: Cryptolocker Webcast

DISCOVERING WHAT IS MALICIOUS IS A COLLECT AND REACT APPROACH

time 0: COLLECT
time 1-N: ANALYZE
time N: REACT
- block new appearances
- block new origins
- block new behaviors

IF IT'S NOT KNOWN, THEN...

Page 12: Cryptolocker Webcast

MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD

[Diagram: Variant A, Variant B, Variant C, Variant D, Variant E, Variant F, Variant G, Variant H, Variant I, Variant J and Variant K appear one after another, followed by a NEW DGA.]


Page 17: Cryptolocker Webcast

WHAT IS A BETTER APPROACH?

DISCOVER WHERE MALICIOUS ACTIVITY WILL ORIGINATE, BEFORE IT HAPPENS

time 0: OBSERVE DGA-based phone home activity
time 1: PREDICT future DGA domains

Page 18: Cryptolocker Webcast

TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE

Live Internet Activity

Page 21: Cryptolocker Webcast

OBSERVING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY

[Chart: for each day from 20-Oct to 30-Oct, one Known Domain Blocked (x-axis label) and the count of Unknown Co-Occurring DNS Requests (bar).]

Unknown Co-Occurring DNS Requests, daily values as extracted (slide order; which value belongs to which day is not recoverable from the extraction): 7.3M, 19.1M, 24.6M, 22.3M, 18.1M, 19.6M, 28.7M, 26.9M, 17.6M, 21.7M, 20.1M

Known Domains Blocked, one per day (reassembled from the wrapped axis labels): paspmnbspwijo.ru, lfdicecqjetfqrm.com, shocdnhyfmdfsoj.co.uk, ftamfiaivpdw.biz, dctqynvenluf.biz, ixslpslobkddytp.info, byeixyixhmse.biz, ohjvagaptmlffn.info, ljllkfudrvggepm.com, dblekuaonugn.biz, lcynqebqetamnmb.net

FOR EVERY 1 KNOWN DOMAIN PER DAY, 999 MORE DOMAINS OBSERVED

Page 22: Cryptolocker Webcast

PREDICTING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY

T-1: CRYPTOLOCKER KNOWN DOMAINS and their co-occurring lookups, with counts: uwelwphpjsemxsn.info (2100), google.com (800), arjddblgbsumi.biz (575), danvawrrcgrwo.com (300), facebook.co.uk (266), frjpjcapmnvdo.ru (34)

T+1: ALL CO-OCCURRENCES INCLUDING NEWLY DISCOVERED CRYPTOLOCKER DOMAINS: tctggapprqfatc.biz, uauuqfmmuwemsj.ru, psnineovwogkvx.org

ONE OF THOSE 999 CO-OCCURRING DOMAINS WILL BECOME ACTIVE NEXT
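Slides 21 and 22 describe the prediction step in outline: take a domain already known to be Cryptolocker's, look at what else the same infected clients resolved around the same time, discard the popular sites that co-occur with everything, and what is left is the shortlist of names likely to become active next. The following is an added example of that co-occurrence logic written for this page; it is not OpenDNS's code and the page does not describe how the Security Graph itself implements it. It assumes a simple three-field DNS log (timestamp, client, queried name) constructed inline, a 60-second co-occurrence window, an allowlist of high-volume benign domains, and a minimum number of distinct clients before a name is reported; the known and co-occurring domain names are the ones shown on slide 22.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS log, one query per line: "<ISO timestamp> <client> <qname>".
# Not real traffic; the domain names are the ones shown on slide 22.
SAMPLE_LOG = """\
2013-10-28T09:00:01 10.0.0.5 uwelwphpjsemxsn.info
2013-10-28T09:00:02 10.0.0.5 google.com
2013-10-28T09:00:03 10.0.0.5 arjddblgbsumi.biz
2013-10-28T09:00:04 10.0.0.5 danvawrrcgrwo.com
2013-10-28T09:10:00 10.0.0.5 facebook.co.uk
2013-10-28T09:30:00 10.0.0.7 uwelwphpjsemxsn.info
2013-10-28T09:30:01 10.0.0.7 arjddblgbsumi.biz
2013-10-28T09:30:02 10.0.0.7 google.com
2013-10-28T09:30:03 10.0.0.7 frjpjcapmnvdo.ru
2013-10-28T10:00:00 10.0.0.9 google.com
2013-10-28T10:00:01 10.0.0.9 facebook.co.uk
2013-10-28T10:15:00 10.0.0.11 uwelwphpjsemxsn.info
2013-10-28T10:15:01 10.0.0.11 arjddblgbsumi.biz
2013-10-28T10:15:02 10.0.0.11 facebook.co.uk
"""

# Seed: a domain already confirmed as Cryptolocker's (slide 22).
KNOWN_BAD = {"uwelwphpjsemxsn.info"}
# Assumed allowlist: names that co-occur with everything and carry no signal.
ALLOWLIST = {"google.com", "facebook.co.uk"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return records


def cooccurrences(records, known_bad, window_seconds=60):
    """Map each unknown qname to the set of clients that looked it up within the
    window around one of their own lookups of a known-bad domain."""
    by_client = defaultdict(list)
    for ts, client, qname in records:
        by_client[client].append((ts, qname))
    window = timedelta(seconds=window_seconds)
    seen_by = defaultdict(set)
    for client, queries in by_client.items():
        queries.sort()
        anchors = [ts for ts, q in queries if q in known_bad]
        if not anchors:  # client never touched a known-bad name; nothing to learn here
            continue
        for ts, q in queries:
            if q in known_bad:
                continue
            if any(abs(ts - a) <= window for a in anchors):
                seen_by[q].add(client)
    return seen_by


def predict_candidates(records, known_bad, allowlist, min_clients=2, window_seconds=60):
    """Rank unknown domains by how many distinct infected clients co-resolved them.

    Requiring several distinct clients (assumed threshold) filters out one host's
    unrelated browsing; the allowlist removes popular names that co-occur with anything.
    """
    seen_by = cooccurrences(records, known_bad, window_seconds)
    ranked = [(q, len(clients)) for q, clients in seen_by.items()
              if q not in allowlist and len(clients) >= min_clients]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for qname, count in predict_candidates(records, KNOWN_BAD, ALLOWLIST):
        print(f"candidate {qname} seen from {count} clients")
```

On the sample, google.com co-occurs with the seed from two clients and would rank second without the allowlist, which is the slide's point about google.com (800) and facebook.co.uk (266) sitting among the co-occurrences: volume alone does not separate a DGA name from a popular one, so the filter and the distinct-client threshold do the work. Lowering min_clients to 1 surfaces danvawrrcgrwo.com and frjpjcapmnvdo.ru as well, at the cost of more noise.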

Page 23: Cryptolocker Webcast

OBTAIN VISIBILITY, INTELLIGENCE AND ENFORCEMENT OF STAGE 3

1. EMAIL-ONLY VECTOR
2. FAKE EXECUTABLE
3. DGA-BASED PHONE HOME
4. ENCRYPT DATA
5. COLLECT RANSOM

STOP THE ATTACK'S "KILL CHAIN"

At the Gateway and on the Endpoint*

(*because it will not always be behind the gateway)

Page 24: Cryptolocker Webcast


WHY SECURITY FALLS BEHIND

Page 25: Cryptolocker Webcast

THE PERFECT STORM HAS FORMED

Three converging gaps: REACTIVE INTELLIGENCE, LIMITED VISIBILITY, INCOMPLETE ENFORCEMENT

Contributing factors shown around them: Emerging Threats; Targeted Attacks; Different Behavior; Similar Appearance; Unknown Origin; Samples Collected by On-Premises Appliances; On-Network Web Traffic; Roaming Users & Remote Offices; Non-Web Protocols & Ports

Page 26: Cryptolocker Webcast


WANTED: SECURITY FOR THE WAY THE WORLD WORKS TODAY

PREDICTIVE INTELLIGENCE

GLOBAL VISIBILITY

EVERYWHERE ENFORCEMENT

Page 27: Cryptolocker Webcast

ENFORCEMENT: UMBRELLA

INTELLIGENCE: SECURITY GRAPH

GLOBAL VISIBILITY

PREDICTIVE SECURITY

Page 28: Cryptolocker Webcast

WHAT MAKES OPENDNS'S SECURITY UNIQUE

80M+ REQUESTS TO ADVANCED MALWARE, BOTNET & PHISHING THREATS BLOCKED DAILY

100K+ NEW THREAT ORIGINS DISCOVERED OR PREDICTED DAILY

THE ONLY CLOUD-DELIVERED AND DNS-BASED SECURITY SOLUTION

Page 29: Cryptolocker Webcast

UMBRELLA LEVERAGES OPENDNS'S FOUNDATIONS

THE WORLD'S LARGEST INTERNET SECURITY NETWORK (ASIA-PACIFIC; EUROPE, MIDDLE EAST & AFRICA; AMERICAS)

- 50M+ ACTIVE USERS DAILY
- 21 DATA CENTER LOCATIONS
- 1500+ BGP PEERING SESSIONS
- 50B+ REQUESTS DAILY
- 160+ COUNTRIES W/USERS
- ZERO NET NEW LATENCY

Page 30: Cryptolocker Webcast

USER CLIENTS ATTEMPTING TO PHONE HOME TO CRYPTOLOCKER'S CnCs

[Chart: NEW versus TOTAL user clients per period; the values are not recoverable from the extraction.]

OPENDNS IS PREDICTING & CONTAINING CRYPTOLOCKER for 1,000s of our customers daily. EVERYWHERE.

Page 31: Cryptolocker Webcast


CUSTOMERS PROTECTED BEFORE TRADITIONAL SECURITY APPROACHES

OPENDNS PREDICTED CRYPTOLOCKER’S DGA

before others could reverse engineer it

Page 32: Cryptolocker Webcast


OPENDNS WILL HELP YOUR BUSINESS

We Predict, Prevent And Contain

Emerging Threats

BEFORE THE INFECTION OR BREACH HAPPENS

Page 33: Cryptolocker Webcast


FOR A FREE INSTANT TRIAL, VISIT WWW.UMBRELLA.COM OR EMAIL [email protected]

FOR TECHNICAL QUESTIONS, EMAIL ME [email protected]