ISSA-The Rise of Ransomware v0.3. Author: Predrag Zivic. Created Date: 6/10/2016 8:08:22 PM
THE RISE OF RANSOMWARE: THREE CRITICAL STEPS TO PREVENT AN OUTBREAK IN YOUR ORGANIZATION
Pez Zivic, Global Systems Engineer
CISSP, CISA
How do we feel?
© 2015, Palo Alto Networks. Confidential and Proprietary.
Research and Learn!
Source: PaloAltoNetworks.com/solutions/initiatives/ransomware
Cooperation and Partnership in Research and Learning
44% Victims Paid Up
$325M Estimated Damages Across the Globe
30.7% Exploit Delivery
CryptoWall v3 Investigation
Source: http://go.paloaltonetworks.com/cryptowall
Co-Founded by Palo Alto Networks, Intel Security, Symantec, Fortinet
What We Learned?
To Prevent Ransomware:
1. Attack Vectors
2. Delivery Methods
3. How to Block
Hidden Attack Vectors!
1. Attack Vectors
Exploits, Exec, Macros
Delivery Methods
2. Delivery Methods
Exploit Kits
Drive-by Downloads
Email Attachments
Exploit Kits
1. User visits a compromised website
2. Malicious code or ad redirects to exploit kit landing page
3. Exploit kit page loads; determines best way to compromise user endpoint
4. Exploit kit compromises user endpoint
5. Exploit kit delivers ransomware
6. Ransomware encrypts data and holds it for ransom
Email Attachments
1. User receives targeted email with infected file
2. User opens file, thinking it is a legitimate document
3. Office runs macro, downloads ransomware from URL embedded in doc
4. Ransomware encrypts data and holds it for ransom
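The "Office runs macro" step in the email chain above is the one that "Stop dangerous file types" interrupts at the mail gateway. The Python function below is an added example, not taken from the slides or from any Palo Alto Networks product: it classifies an attachment by its content rather than its file name. The verdict names (block, review, allow) and all sample files are constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm/...) is a ZIP

def classify_attachment(data: bytes) -> str:
    """Return 'block', 'review' or 'allow' from the raw bytes, ignoring the name."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office format: macros cannot be ruled out without
        # parsing the compound file, so send it to deeper inspection.
        return "review"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "review"  # claims to be a ZIP but does not parse
        # OOXML stores the VBA project as a part named vbaProject.bin,
        # so a .docm renamed to .docx is still caught here.
        if any(n.endswith("vbaproject.bin") for n in names):
            return "block"
    return "allow"

def make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-like ZIP in memory (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: no real document content.
BASE = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w/>"}
SAMPLES = {
    "macro.docx": make_ooxml({**BASE, "word/vbaProject.bin": b"\x00"}),
    "clean.docx": make_ooxml(BASE),
    "legacy.doc": OLE2_MAGIC + b"\x00" * 504,
    "truncated.docx": ZIP_MAGIC + b"\x00" * 60,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:15} -> {classify_attachment(blob)}")
```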
Drive-by Download
1. User visits a compromised website
2. Website serves exploit to compromise user endpoint
3. Exploit downloads ransomware
4. Ransomware encrypts data and holds it for ransom
Multiple Attack Vectors
Multiple Delivery Methods
Perimeter
Cloud/SaaS
Endpoints
The Problem – Prevent & Detect Ransomware
How to Block and Detect?
3. How to Block
Reduce Attack Surface
Prevent Known Threats
Prevent Unknown Threats
Reduce Attack Surface
Block unknown traffic
Stop dangerous file types
Block malicious URLs
Micro-segmentation N-S & E-W
Extend zero-trust policies to endpoints
Block dangerous file types
Disallow non-org access
Extend threat intelligence from network to SaaS apps to endpoints
Prevent Known Threats
Block storage or transmission of files containing exploits
Scan cloud storage & SaaS apps for malicious files
Extend threat intelligence from network to SaaS apps to endpoints
Block all known exploits
Block execution of known malware
Stop known exploits, malware & command-and-control traffic
Block malicious URLs
Block Virus & Vulnerabilities
Prevent Unknown Threats
Block all unknown and zero-day exploits
Block execution of unknown malware
Extend threat intelligence from network to SaaS apps to endpoints
Control unknown traffic
Detect and prevent threats in unknown files and URLs
Add context to threats and create proactive protections
Scan cloud storage & SaaS apps for malicious files
[Matrix: delivery methods (Exploit Kits, Email Attachments, Drive-by Download) against control points (Network & Perimeter, SaaS Applications, Endpoint); cell contents not recoverable]
Automated Ransomware Prevention Across Multiple Attack Vectors and Delivery Methods is Only Possible with an Integrated Security Platform
How to Block and Detect?
Traps
WildFire
Aperture
Threat-ID
App-ID
AutoFocus
User-ID
URL Filter
Implementing Contextual Security
Traps
Enhancing Contextual Security with Partners
GlobalProtect
WildFire
AutoFocus
Aperture
Threat Prevention
URL Filtering
AppID, UserID
SocialPatrol
TANIUM
TANIUM Mgmt.
RESOURCES
Unit 42 Ransomware Report: http://Go.PaloAltoNetworks.com/ransomware2016
Ultimate Test Drives: http://Go.PaloAltoNetworks.com/TestDrive