cryptolocker webcast
DESCRIPTION
Each day millions of Internet requests are made to dynamically changing Cryptolocker domains. And it only takes one successful connection from a malware-infected system to the botnet controller for your files to end up encrypted and held for ransom. So how does Cryptolocker actually work? What is the best way to block it? And what implications does this have for security methods going forward? In this webcast, you will learn:
- What steps are involved in a Cryptolocker attack
- How Domain Generation Algorithms enable it to evade most threat detection methods
- Why leveraging our global intelligence has been effective in containing Cryptolocker
- What you can do to avoid becoming a victim
TRANSCRIPT
OpenDNS Confidential
CONTAINING CRYPTOLOCKER
How Predictive Analytics Combat Emerging Threats
11-Dec-13
AGENDA
1. CYBER ATTACKS & THREATS: multiple stages, varying tactics
2. CRYPTOLOCKER IN-DEPTH: how it works, what can stop it
3. WHY SECURITY FALLS BEHIND: how OpenDNS contained Cryptolocker, why we stay ahead
CYBER ATTACKS AND THREATS
CYBER-ATTACKS ARE MULTI-STAGE
A BUSINESS MAY OBSERVE UP TO FIVE STAGES
(attacker side, before the business sees anything: RECON & PREP)
1 LURE USER
2 INFECT SYSTEM
3 PHONE HOME
4 BREACH NETWORK
5 REALIZE MOTIVE
(attacker side, afterwards: MOVE DATA & MONEY)
LURE & INFECTION: MULTIPLE ATTACK VECTORS
EMAIL ONLY: Socially-engineered content (business sender) carrying a malicious attachment (ZIP and/or EXE falsely labeled as PDF)
EMAIL TO WEB: Falsely-labeled web link -> Compromised web site (JavaScript redirection) -> Malware drop host (often exploits browser or plug-in vulnerabilities)
WEB ONLY: Links in forums or search engines -> Compromised web site (JavaScript redirection) -> Malware drop host (often exploits browser or plug-in vulnerabilities)
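The email-only vector above depends on a file that is not what its name says. The following is an added example, not code from the OpenDNS deck, of the triage check a mail gateway or analyst would run on such an attachment: it compares the claimed extension with the file's magic bytes, flags double extensions and the Unicode right-to-left override trick, and opens ZIP archives to look for an executable hidden under a PDF-looking name. The sample files, the `check_attachment`/`build_zip` helper names and the size limit are all constructed for this example.

```python
"""
Added example, not from the OpenDNS deck: a triage check for the lure the
slide describes, an e-mail attachment that is "ZIP and/or EXE falsely
labeled as PDF". It looks at the name (double extension, right-to-left
override), at the content (magic bytes vs. claimed extension), and inside
ZIP archives (an executable hidden under a PDF-looking name). Samples below
are constructed stand-ins, not real malware.
"""
import io
import zipfile

# First bytes of the formats we care about.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",          # DOS/PE header: every Windows .exe/.scr/.dll starts here
    b"PK\x03\x04": "zip",
}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
RLO = "\u202e"             # Unicode right-to-left override, reverses the displayed name


def sniff(data: bytes) -> str:
    """Identify content by magic bytes, ignoring whatever the name claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def name_findings(name: str) -> list:
    """Checks that need only the file name."""
    findings = []
    if RLO in name:
        findings.append("rtl-override-in-name")
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS:
        findings.append("double-extension")     # e.g. Invoice_2013.pdf.exe
    return findings


def check_attachment(name: str, data: bytes, max_member=5_000_000) -> list:
    """Return the reasons to block; an empty list means nothing suspicious found."""
    findings = name_findings(name)
    claimed = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    actual = sniff(data)
    if claimed == "pdf" and actual != "pdf":
        findings.append(f"claimed-pdf-is-{actual}")
    if actual == "exe" and claimed not in EXEC_EXTS:
        findings.append("executable-with-nonexec-extension")
    if actual == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > max_member:      # cheap guard against zip bombs
                    findings.append(f"zip-member-too-large:{info.filename}")
                    continue
                inner_kind = sniff(zf.read(info))
                inner_ext = info.filename.lower().rsplit(".", 1)[-1]
                if inner_kind == "exe" or inner_ext in EXEC_EXTS:
                    findings.append(f"zip-contains-executable:{info.filename}")
                findings += [f"{f}:{info.filename}" for f in name_findings(info.filename)]
    return findings


def build_zip(members: dict) -> bytes:
    """Helper to construct an in-memory ZIP for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, blob in members.items():
            zf.writestr(fname, blob)
    return buf.getvalue()


# Constructed samples (stand-ins, not real files).
REAL_PDF = b"%PDF-1.4\n%...\n"
FAKE_EXE = b"MZ" + b"\x00" * 62            # just the DOS header magic
LURE_ZIP = build_zip({"Invoice_2013.pdf.exe": FAKE_EXE})

if __name__ == "__main__":
    for name, blob in [("report.pdf", REAL_PDF),
                       ("Invoice_2013.pdf", FAKE_EXE),
                       ("Invoice_2013.zip", LURE_ZIP)]:
        print(name, "->", check_attachment(name, blob) or "clean")
```

The content check is the one that matters: Windows hides known extensions by default, so a user sees "Invoice_2013.pdf" and a PDF icon, while the first two bytes say the file is a PE executable.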
PHONE HOME (to CnCs): INCREASING SOPHISTICATION
(Figure: three phone-home patterns, with the slide's example addresses)
STATIC: one fixed domain (bad.com) resolving to one fixed IP (34.4.2.110)
FAST FLUX: one fixed domain (bad.com) resolving to a rotating set of IPs (23.4.24.1, 44.6.11.8, 23.4.34.55, 129.3.6.3, ...)
DGA (domain generation algorithm): many algorithmically generated candidate domains (bad.com?, baa.ru?, bid.cn, ...), each resolving to changing IPs (87.32.4.21, 83.56.21.1, 34.4.2.110, ...)
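To make the DGA step concrete, here is an added example (not code from the deck, and not CryptoLocker's real algorithm, which the deck does not reproduce): a toy date-seeded generator whose seed, label alphabet and TLD list are invented for this example. It shows why a blocklist built from the domains seen on one day blocks none of the next day's rendezvous domains, how a bot finds the single name its operator registered, and how a defender who has recovered the algorithm and seed can pre-compute future domains and block them before any client resolves them.

```python
"""
Added example: a toy date-seeded DGA, NOT CryptoLocker's real algorithm and
not code from the OpenDNS deck. It shows (1) why a blocklist of the domains
seen on one day blocks none of the next day's rendezvous domains, (2) how the
bot finds the one name its operator registered, and (3) how a defender who
has recovered the algorithm and seed can pre-compute future domains and block
them before any client resolves them.
"""
import datetime
import hashlib

# Hypothetical botnet seed, chosen for this example only.
SEED = b"example-botnet-seed-2013"
TLDS = ["com", "net", "biz", "ru", "org", "co.uk", "info"]


def dga(day: datetime.date, seed: bytes = SEED, count: int = 5) -> list:
    """Derive `count` candidate C2 domains for `day` from (seed, date, index).

    Every bot with the same seed computes the same list, so no domain has to
    be hard-coded in the binary; a signature or a blocklist built from
    yesterday's samples contains only yesterday's names.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        length = 12 + h[12] % 5                       # 12..16 letters, as on the slide
        label = "".join(chr(ord("a") + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def bot_rendezvous(day: datetime.date, registered: set, seed: bytes = SEED):
    """Bot side: walk the day's list until a name the operator actually registered."""
    for name in dga(day, seed):
        if name in registered:
            return name
    return None


def blocklist_coverage(blocklist: set, day: datetime.date, seed: bytes = SEED) -> float:
    """Fraction of `day`'s DGA domains that a fixed blocklist would stop."""
    todays = dga(day, seed)
    return sum(name in blocklist for name in todays) / len(todays)


def precompute(start: datetime.date, days: int, seed: bytes = SEED) -> set:
    """Defender side, once seed and algorithm are known: every domain for the
    next `days` days, ready to block or sinkhole ahead of time."""
    out = set()
    for n in range(days):
        out.update(dga(start + datetime.timedelta(days=n), seed))
    return out


DAY0 = datetime.date(2013, 10, 20)
DAY1 = DAY0 + datetime.timedelta(days=1)
# Reactive defender: blocklist built from the samples observed on DAY0.
BLOCKLIST_DAY0 = set(dga(DAY0))
# Operator registers just one of DAY1's candidates; every bot will find it.
OPERATOR_REGISTERED = {dga(DAY1)[2]}

if __name__ == "__main__":
    print("coverage on DAY0:", blocklist_coverage(BLOCKLIST_DAY0, DAY0))
    print("coverage on DAY1:", blocklist_coverage(BLOCKLIST_DAY0, DAY1))
    print("bot reached:", bot_rendezvous(DAY1, OPERATOR_REGISTERED))
    print("pre-computed for next 7 days:", len(precompute(DAY0, 7)))
```

The asymmetry is the point of the slide: the operator needs to register only one name per day, while a defender who only collects and blocks what was already seen has to chase every new name. Once the algorithm is reversed the asymmetry flips, because `precompute` yields the full future list.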
BREACH & MOTIVE: MOST BREACHES YOU DON'T SEE
DISRUPTS YOUR BUSINESS: Locks you out of your data on your network; pay the ransom to unlock the data
HIJACKS YOUR INFRASTRUCTURE: Attacks other businesses using your reputation
MANIPULATES YOUR DATA: Cyber-criminals and nation states obtain your knowledge
CRYPTOLOCKER IN-DEPTH
IT IS TARGETING BUSINESSES
1 EMAIL-ONLY VECTOR
2 FAKE EXECUTABLE
3 DGA-BASED PHONE HOME
4 ENCRYPT DATA
5 COLLECT RANSOM
BUSINESSES OFTEN MISS SEEING THE THIRD STAGE
WHICH SOLUTIONS CAN STOP IT?
SECURITY REQUIRES VISIBILITY, INTELLIGENCE AND ENFORCEMENT
1 EMAIL-ONLY VECTOR: Firewalls or Gateways
2 FAKE EXECUTABLE: Endpoint Protections
3 DGA-BASED PHONE HOME: Firewalls, Gateways or Endpoint Protections
4 ENCRYPT DATA: Encryption or DB Security
5 COLLECT RANSOM: Data Archiving
BLOCK WHAT IS KNOWN TO BE MALICIOUS: by appearance, by origin, by behavior
DISCOVERING WHAT IS MALICIOUS IS A COLLECT AND REACT APPROACH
time 0: COLLECT
time 1-N: ANALYZE
time N: REACT (block new appearances, block new origins, block new behaviors)
IF IT'S NOT KNOWN, THEN…
MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD
(Figure: samples arrive one after another, Variant A, Variant B, ... Variant K, and then a NEW DGA; each must be collected and analyzed before it can be blocked)
WHAT IS A BETTER APPROACH?
DISCOVER WHERE MALICIOUS ACTIVITY WILL ORIGINATE, BEFORE IT HAPPENS
time 0: OBSERVE DGA-based phone home activity
time 1: PREDICT future DGA domains
TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE
#19 �� 11-Dec-13 �� OpenDNS Con�dential
TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE
Live Internet Activity
#20 �� 11-Dec-13 �� OpenDNS Con�dential
TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE
#21 �� 11-Dec-13 �� OpenDNS Con�dential
OBSERVING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY
(Chart: Unknown co-occurring DNS requests per day, 20-Oct to 30-Oct, plotted against Known Domains Blocked over the same dates. Daily values shown on the chart: 7.3M, 19.1M, 24.6M, 22.3M, 18.1M, 19.6M, 28.7M, 26.9M, 17.6M, 21.7M, 20.1M)
(Word cloud of co-occurring DGA-style domains: paspmnbspwijo.ru, lfdicecqjetfqrm.com, shocdnhyfmdfsoj.co.uk, ftamfiaivpdw.biz, dctqynvenluf.biz, ixslpslobkddytp.info, byeixyixhmse.biz, ohjvagaptmlffn.info, ljllkfudrvggepm.com, dblekuaonugn.biz, lcynqebqetamnmb.net)
FOR EVERY 1 KNOWN DOMAIN PER DAY, 999 MORE DOMAINS OBSERVED
PREDICTING CRYPTOLOCKER'S DGA-BASED PHONE HOME ACTIVITY
T-1, CRYPTOLOCKER KNOWN DOMAINS: tctggapprqfatc.biz, uauuqfmmuwemsj.ru, psnineovwogkvx.org
T+1, ALL CO-OCCURRENCES INCLUDING NEWLY DISCOVERED CRYPTOLOCKER DOMAINS (with co-occurrence counts): uwelwphpjsemxsn.info (2100), google.com (800), arjddblgbsumi.biz (575), danvawrrcgrwo.com (300), facebook.co.uk (266), frjpjcapmnvdo.ru (34)
ONE OF THOSE 999 CO-OCCURRING DOMAINS WILL BECOME ACTIVE NEXT
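The slide shows raw co-occurrence counts, in which google.com (800) sits between two DGA names. An added example follows, not OpenDNS's Security Graph code, of how the ranking can be made to ignore such popular names: from constructed resolver logs it takes the clients that resolved a known CryptoLocker domain, gathers the other names those clients resolved within a short window, and scores each name by how many infected clients share it and by how much more often its queriers are infected than the population as a whole. The log lines, the two-minute window, the `rank_cooccurring` and `looks_generated` names and the scoring formula are all assumptions of this example; the seed domains and the candidate names are the ones on the slide.

```python
"""
Added example, not OpenDNS's Security Graph code: co-occurrence ranking in
the spirit of the slide. From constructed resolver logs it takes the clients
that resolved a known CryptoLocker domain, gathers the other names those
clients resolved within a short window, and scores each name by how many
infected clients share it AND by how much more often its queriers are
infected than the population is. Popular names that everyone resolves
(google.com, facebook.co.uk on the slide) score zero; the unexplained
co-travellers rise to the top.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Known CryptoLocker domains from the slide (the T-1 seeds).
KNOWN_BAD = {"tctggapprqfatc.biz", "uauuqfmmuwemsj.ru", "psnineovwogkvx.org"}

# Constructed log lines, "time client qname" (not real resolver data).
LOG = """
2013-10-29T10:00:01 10.0.0.5 tctggapprqfatc.biz
2013-10-29T10:00:02 10.0.0.5 uwelwphpjsemxsn.info
2013-10-29T10:00:03 10.0.0.5 google.com
2013-10-29T10:00:09 10.0.0.5 arjddblgbsumi.biz
2013-10-29T10:01:00 10.0.0.6 uauuqfmmuwemsj.ru
2013-10-29T10:01:01 10.0.0.6 uwelwphpjsemxsn.info
2013-10-29T10:01:02 10.0.0.6 google.com
2013-10-29T10:05:00 10.0.0.7 google.com
2013-10-29T10:05:01 10.0.0.7 facebook.co.uk
2013-10-29T10:06:00 10.0.0.8 psnineovwogkvx.org
2013-10-29T10:06:01 10.0.0.8 uwelwphpjsemxsn.info
2013-10-29T10:06:04 10.0.0.8 facebook.co.uk
2013-10-29T10:09:00 10.0.0.9 google.com
2013-10-29T11:00:00 10.0.0.5 danvawrrcgrwo.com
""".strip().splitlines()


def parse(lines):
    for line in lines:
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def looks_generated(name: str) -> bool:
    """Cheap lexical hint: a long, vowel-poor label like the slide's DGA names."""
    label = name.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 10 and vowels / len(label) < 0.35


def rank_cooccurring(lines, known_bad, window=timedelta(minutes=2)):
    by_client = defaultdict(list)
    for ts, client, q in parse(lines):
        by_client[client].append((ts, q))

    # Background: which clients resolved each name at all.
    queriers = defaultdict(set)
    for client, qs in by_client.items():
        for _, q in qs:
            queriers[q].add(client)

    # Co-travel: names an infected client resolved within `window` of a seed query.
    # (danvawrrcgrwo.com, an hour after the seed query, falls outside the window.)
    cotravel = defaultdict(set)
    infected = set()
    for client, qs in by_client.items():
        for ts, q in qs:
            if q in known_bad:
                infected.add(client)
                for ts2, q2 in qs:
                    if q2 not in known_bad and abs(ts2 - ts) <= window:
                        cotravel[q2].add(client)

    base_rate = len(infected) / len(by_client)      # P(client is infected)
    ranked = []
    for name, clients in cotravel.items():
        support = len(clients)                       # infected clients sharing the name
        precision = support / len(queriers[name])    # P(infected | resolved name)
        # Excess over the base rate is zero for names independent of infection.
        score = support * max(precision - base_rate, 0.0)
        ranked.append((name, round(score, 3), looks_generated(name)))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    for name, score, dga_like in rank_cooccurring(LOG, KNOWN_BAD):
        print(f"{score:5.2f}  {'DGA-like' if dga_like else '        '}  {name}")
```

On a resolver the size of the one the deck describes the base rate of infection is tiny, so any name the general population resolves has precision close to the base rate and scores near zero, while a name resolved only by infected clients keeps its full support. The lexical flag is a hint for the analyst, not a filter: a DGA that favours dictionary words would defeat it.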
STOP THE ATTACK'S "KILL CHAIN"
OBTAIN VISIBILITY, INTELLIGENCE AND ENFORCEMENT OF STAGE 3
1 EMAIL-ONLY VECTOR
2 FAKE EXECUTABLE
3 DGA-BASED PHONE HOME (enforce here)
4 ENCRYPT DATA
5 COLLECT RANSOM
At the Gateway and on the Endpoint* (*because it will not always be behind the gateway)
WHY SECURITY FALLS BEHIND
THE PERFECT STORM HAS FORMED
LIMITED VISIBILITY: Samples collected by on-premises appliances; On-network web traffic
REACTIVE INTELLIGENCE: Emerging threats; Different behavior; Similar appearance; Unknown origin; Targeted attacks
INCOMPLETE ENFORCEMENT: Roaming users & remote offices; Non-web protocols & ports
WANTED: SECURITY FOR THE WAY THE WORLD WORKS TODAY
PREDICTIVE INTELLIGENCE
GLOBAL VISIBILITY
EVERYWHERE ENFORCEMENT
PREDICTIVE SECURITY
ENFORCEMENT: UMBRELLA
INTELLIGENCE: SECURITY GRAPH
VISIBILITY: GLOBAL VISIBILITY
WHAT MAKES OPENDNS’S SECURITY UNIQUE
80M+ REQUESTS TO ADVANCED MALWARE, BOTNET & PHISHING THREATS BLOCKED DAILY
100K+ NEW THREAT ORIGINS DISCOVERED OR PREDICTED DAILY
THE ONLY CLOUD-DELIVERED AND DNS-BASED SECURITY SOLUTION
UMBRELLA LEVERAGES OPENDNS'S FOUNDATIONS
THE WORLD'S LARGEST INTERNET SECURITY NETWORK (Americas; Europe, Middle East & Africa; Asia-Pacific)
- 50M+ ACTIVE USERS DAILY
- 50B+ REQUESTS DAILY
- 21 DATA CENTER LOCATIONS
- 160+ COUNTRIES W/USERS
- 1500+ BGP PEERING SESSIONS
- ZERO NET NEW LATENCY
USER CLIENTS ATTEMPTING TO PHONE HOME TO CRYPTOLOCKER'S CnCs
(Chart: NEW vs. TOTAL client counts per period; the values did not survive extraction)
OPENDNS IS PREDICTING & CONTAINING CRYPTOLOCKER for 1,000s of our customers daily. EVERYWHERE.
CUSTOMERS PROTECTED BEFORE TRADITIONAL SECURITY APPROACHES
OPENDNS PREDICTED CRYPTOLOCKER’S DGA
before others could reverse engineer it
OPENDNS WILL HELP YOUR BUSINESS
We Predict, Prevent and Contain Emerging Threats
BEFORE THE INFECTION OR BREACH HAPPENS
FOR A FREE INSTANT TRIAL, VISIT WWW.UMBRELLA.COM OR EMAIL [email protected]
FOR TECHNICAL QUESTIONS, EMAIL ME [email protected]