This document discusses reducing ransomware risks and provides an overview of a webinar on the topic. It begins with polls on the network security projects organizations are planning and on their experience with ransomware attacks. It then introduces the speakers and discusses malware trends seen by Cisco Talos, including the continued prevalence of ransomware. The webinar agenda covers malware trends, what ransomware is, high-level solutions, and next steps. High-level solutions include blocking malicious traffic, securing email, using endpoint protection, and network segmentation. The presentation encourages education, making lateral movement difficult through segmentation, and having response plans. It concludes with an additional poll and information on following up.
2. A QUESTION TO YOU
Which of the following network security projects is your company planning to mainly engage in during 2021?
• Micro-segmentation
• Compliance
• Cloud migration
• Automation
• More than one of the above
2 | Confidential
4. JAN HEIJDRA – CISCO SECURITY
[Diagram: the Cisco Security portfolio]
• Enterprise Mobility Management
• Network Traffic Security Analytics
• (Cloud) Workload Protection
• Web Security
• Email Security
• Advanced Threat
• Secure SD-WAN / Routers
• Identity and Network Access Control
• Secure Internet Gateway
• Switches and Access Points
• Next-Gen FW/IPS
• Cloud Access Security
5. YITZY TANNENBAUM – ALGOSEC OVERVIEW
• Founded 2004
• 1800+ Enterprise Customers
• Serving 20 of the Fortune 50
• 24/7 Support via 3 Global Centers
• ISO 27001 Certified
• Passionate about Customer Satisfaction
9. POLL
Did your organization experience a ransomware attack?
• Yes, multiple in the last two years
• Yes, one in the last two years
• Yes, but not in the last two years
• No, thankfully we haven’t had a ransomware attack!
11. Talos encompasses six key areas: Threat Intelligence & Interdiction, Detection Research, Engine Development, Vulnerability Research & Discovery, Open Source & Education, and Global Outreach.
We are an elite group of security experts devoted to providing superior protection to customers with our products and services.
Cisco Talos' core mission is to provide verifiable and customizable defensive technologies and techniques that help customers quickly protect their assets from cloud to core.
Our job is protecting your network.
13. EXTENSIVE COVID-THEMED ACTIVITY
• Malware and phishing campaigns using COVID-themed lures
• Attacks against organizations that carry out research and work related to COVID
• Fraud and disinformation
17. OBSERVED TRENDS
• Top threats included ransomware, such as Sodinokibi and Maze
• Top initial vectors included phishing and web app exploitation
• Top weaknesses include lack of phishing protection/education, network monitoring and logging, and patching
18. RANSOMWARE
• The most common type of attack
• Most common variants were Maze and Sodinokibi
• No commodity trojans
• Maze “retires”
Impact: these types of attacks remain one of the most impactful for any organization and can severely affect critical services.
21. HOW?
1. Deliver exploits to 1st victim computer
2. Repeat per victim computer:
  • Encrypt file system
  • Encrypt accessible networked file shares
  • Move laterally: explore the network
  • Deliver exploits to next victim via network
3. Wait for victim to call
4. Collect ransom
5. Supply decryption key
(“Advanced Persistent Threat”, Wikipedia)
22. 1ST VICTIM: ATTACK TECHNIQUES (PARTIAL LIST)
• Email attachment: send a malicious email attachment
• Browser drive-by download: host the malicious content on a website
• “Watering-hole” technique: compromise a website the victim is likely to visit
• Social engineering: fool someone into doing it for you
• Mobile malware: spread a malicious mobile application
23. EXPLORE THE COMPROMISED NETWORK
• Encrypting network shares:
  → Requires network access from the victim to the file system
  → Produces (unusual) network traffic
• Move laterally: find more devices, gain more access, encrypt more interesting data
  → Requires network access from victim 1 to victim 2 to …
  → Produces (unusual) network traffic
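The share-encryption phase on this slide is visible on the file server before it is visible anywhere else: one client touches many files in many directories in a short time and the new names carry an extension no user chooses. The following is an added example, not Cisco, Talos or AlgoSec code, showing that detection over file-server audit events. The event format (`<epoch> <client_ip> <op> <path>`), the window and count thresholds, and the extension and ransom-note name lists are assumptions chosen for illustration, as is the sample log it runs on.

```python
"""Spot the share-encryption phase described on slide 23 in file-server audit events.
Added example for this deck, not Cisco, Talos or AlgoSec code. The event format
("<epoch> <client_ip> <op> <path>"), the thresholds and the extension and
ransom-note lists are assumptions chosen for illustration."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple

WINDOW_SECONDS = 60   # sliding window per client (illustrative value)
MIN_FILES = 20        # distinct files renamed or overwritten inside the window
MIN_DIRS = 3          # spread over this many directories, i.e. not one user saving one folder
SUSPICIOUS_EXT = (".locked", ".encrypted", ".crypt")                         # constructed list
NOTE_NAMES = ("readme_decrypt", "how_to_restore", "decrypt_instructions")    # constructed list


class Event(NamedTuple):
    ts: int       # epoch seconds
    client: str   # SMB client address
    op: str       # OPEN, WRITE, RENAME or DELETE
    path: str     # path on the share (for RENAME, the new name)


def parse_line(line: str) -> Event:
    """Parse one '<epoch> <client_ip> <op> <path>' line (assumed format)."""
    ts, client, op, path = line.split(" ", 3)
    return Event(int(ts), client, op.upper(), path)


def detect(events: List[Event]) -> List[dict]:
    """Return one alert per client whose WRITE/RENAME burst looks like mass encryption,
    plus one alert per ransom-note file written. Events are processed in time order and
    each client keeps only the last WINDOW_SECONDS of activity."""
    windows: Dict[str, Deque[Event]] = defaultdict(deque)
    burst_alerted = set()
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in ("WRITE", "RENAME"):
            continue
        name = ev.path.rsplit("/", 1)[-1].lower()
        if name.startswith(NOTE_NAMES):
            alerts.append({"client": ev.client, "ts": ev.ts,
                           "reason": "ransom note written", "path": ev.path})
            continue
        q = windows[ev.client]
        q.append(ev)
        while ev.ts - q[0].ts > WINDOW_SECONDS:   # drop events older than the window
            q.popleft()
        if ev.client in burst_alerted:
            continue
        files = {e.path for e in q}
        dirs = {p.rsplit("/", 1)[0] for p in files}
        renamed_ext = sum(1 for e in q
                          if e.op == "RENAME" and e.path.lower().endswith(SUSPICIOUS_EXT))
        if len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS:
            alerts.append({"client": ev.client, "ts": ev.ts,
                           "reason": "mass rename/write burst", "files": len(files),
                           "dirs": len(dirs), "suspicious_ext": renamed_ext})
            burst_alerted.add(ev.client)
    return alerts


def constructed_events() -> List[Event]:
    """Constructed sample: one user saving a spreadsheet, and one host renaming 24 files
    across four directories to .locked in 24 seconds, then dropping a ransom note."""
    lines = [
        "1700000000 10.1.20.15 OPEN /finance/q3/budget.xlsx",
        "1700000005 10.1.20.15 WRITE /finance/q3/budget.xlsx",
        "1700000040 10.1.20.15 WRITE /finance/q3/notes.docx",
        "1700000200 10.1.20.15 WRITE /finance/q3/budget.xlsx",
    ]
    dirs = ["/finance/q3", "/finance/q4", "/hr/reviews", "/shared/templates"]
    for i in range(24):
        d = dirs[i % len(dirs)]
        lines.append(f"{1700000100 + i} 10.1.20.77 OPEN {d}/file{i}.docx")
        lines.append(f"{1700000100 + i} 10.1.20.77 RENAME {d}/file{i}.docx.locked")
    lines.append("1700000130 10.1.20.77 WRITE /finance/q3/README_DECRYPT.txt")
    return [parse_line(l) for l in lines]


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The normal user never trips the burst rule because two files in one directory stay far below both thresholds, while the second host is flagged on its twentieth rename, before the ransom note lands. The directory-spread threshold is what keeps a user bulk-saving one project folder from looking like an encryptor; tune it and the window against your own audit volume before relying on it.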
29. CISCO RANSOMWARE DEFENSE: BREAKING THE KILL CHAIN
[Diagram: each step of the kill chain with the control that can break it; controls shown are Umbrella, Next-Gen Firewall, AMP for Endpoint and Email Security w/AMP]
• Email Security w/AMP blocks the phishing email
• Umbrella blocks the request, or NGFW blocks the connection (or AMP blocks the file download)
• AMP for Endpoint blocks the file
• Umbrella blocks the request to the encryption key infrastructure, or NGFW blocks the connection
• Persist / Propagate: NetFlow, StealthWatch, AMP, Segmentation, ISE (RTC), FW
30. THE FIRST STEP IS THE HARDEST
[Diagram: example network with the zones Financial Database, HVAC Control, Partner Network, Procurement Department and the Internet]
• Most ingenious step (social engineering, clever technical exploit delivery, …)
• Much of the attack is happening outside of your control
• Requires fancy defense technologies to mitigate
31. RECOMMENDATION #1: EDUCATION
• Educate your employees to identify malicious actors, as we’ve mentioned earlier
• Equip yourself with tools that can help with this type of attack (good tools are hard to find)
32. MAKE LATERAL STEPS HARDER FOR THE ATTACKER!
[Diagram: the same example network, with the attacker's path marked Step 1, Step 2, Step 3]
33. LATERAL STEPS
• The attacker is now on your turf
• Use your advantages:
• Control your network
• Know what traffic is usual and what is not
34. UNUSUAL – IN THE USUAL WAYS
• Lateral traffic is unusual – in the usual ways
• Communicating parties that never communicate
• Protocols & ports that are never used across security zones
• Firewalls are really good at blocking such traffic … as long as:
• There are firewalls in the traffic path
• The firewalls are properly configured
35. RECOMMENDATION #2: SEGMENTATION
• Define network zones
• Place firewalls to filter traffic between zones
• Write restrictive policies for traffic between zones
36. USE TECHNOLOGY YOU KNOW WELL
[Diagram: the same example network]
37. SEGMENT THE NETWORK: INTERNAL FIREWALLS
[Diagram: the same example network with internal firewalls between the zones]
• Place internal firewalls between network zones
• Use SDN virtualization technologies to filter traffic inside the data center
38. RECOMMENDATION #3: PLAN
• Leverage SIEM technology to quickly identify that an attack is happening
• Create a playbook in your SOAR system with well-defined steps to stop the attack
• Create a playbook in your NSPM (network security policy management) system to quickly isolate the infected server
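Recommendation #2 (zones, firewalls between them, restrictive policies), the two checks from slide 34 (parties that never communicate, services never used between two zones) and the isolation playbook from Recommendation #3 fit together in one small model, shown here as an added example. It is not AlgoSec, Cisco or Talos code and does not model any product. The zone names are the deck's; the subnets, the policy rules, the baseline and today's flow records, and the assumption that quarantine rules are enforced at every point (so they also stop intra-zone traffic, which the zone firewalls never see) are all constructed for the example.

```python
"""Zone policy check, "unusual in the usual ways" triage and an isolation playbook.
Added example for this deck, not AlgoSec, Cisco or Talos code. Zone names come from
the deck's diagram; the subnets, rules, baseline and flow records are constructed."""
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple

ZONES = {  # subnets are assumptions for the example
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "procurement": ipaddress.ip_network("10.1.20.0/24"),
    "financial_db": ipaddress.ip_network("10.1.50.0/24"),
    "hvac": ipaddress.ip_network("10.1.90.0/24"),
    "partner": ipaddress.ip_network("172.16.0.0/16"),
    "soc": ipaddress.ip_network("10.1.200.0/24"),
}


def zone_of(ip: str) -> str:
    """Most specific zone containing ip; 0.0.0.0/0 makes 'internet' the catch-all."""
    addr = ipaddress.ip_address(ip)
    hits = [z for z, net in ZONES.items() if addr.version == net.version and addr in net]
    return max(hits, key=lambda z: ZONES[z].prefixlen) if hits else "internet"


class Rule(NamedTuple):
    src: str               # zone name, literal IP, or "any"
    dst: str
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "deny"


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Recommendation #2: only the flows the business needs between zones; the rest is denied.
POLICY: List[Rule] = [
    Rule("procurement", "financial_db", "tcp", 1433, "allow"),  # procurement app -> SQL
    Rule("procurement", "internet", "tcp", 443, "allow"),
    Rule("partner", "procurement", "tcp", 443, "allow"),
    Rule("hvac", "internet", "tcp", 443, "allow"),
]


def parse_flow(line: str) -> Flow:
    """'src dst proto dport', a NetFlow-like record in a constructed format."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def _matches(sel: str, ip: str) -> bool:
    return sel in ("any", ip, zone_of(ip))


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins. With no match, cross-zone traffic hits the default deny,
    while intra-zone traffic passes because no zone firewall sits in its path."""
    for r in policy:
        if (_matches(r.src, flow.src) and _matches(r.dst, flow.dst)
                and r.proto in ("any", flow.proto) and r.dport in (None, flow.dport)):
            return r.action
    return "allow" if zone_of(flow.src) == zone_of(flow.dst) else "deny"


def triage(policy: List[Rule], baseline: List[Flow],
           flows: List[Flow]) -> List[Tuple[Flow, str, List[str]]]:
    """Slide 34's checks: host pairs that never talk, services never used between two
    zones, plus flows the policy already denies. Returns (flow, verdict, reasons)."""
    known_pairs: Set[Tuple[str, str]] = {(f.src, f.dst) for f in baseline}
    known_services = {(zone_of(f.src), zone_of(f.dst), f.proto, f.dport) for f in baseline}
    flagged = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        verdict, reasons = evaluate(policy, f), []
        if verdict == "deny":
            reasons.append("denied by zone policy")
        if (f.src, f.dst) not in known_pairs:
            reasons.append("hosts never communicated before")
        if sz != dz and (sz, dz, f.proto, f.dport) not in known_services:
            reasons.append("service never seen between these zones")
        if reasons:
            flagged.append((f, verdict, reasons))
    return flagged


def quarantine(policy: List[Rule], host: str, collector: str) -> List[Rule]:
    """Recommendation #3 playbook step: isolate one host. Rules are prepended so they win
    and are assumed to be pushed to every enforcement point (also inside the host's zone)."""
    return [
        Rule(host, collector, "tcp", 443, "allow"),   # keep one path for evidence collection
        Rule(host, "any", "any", None, "deny"),
        Rule("any", host, "any", None, "deny"),
    ] + policy


# Constructed sample: ordinary flows from last week, then five records seen today.
BASELINE = [parse_flow(l) for l in [
    "10.1.20.15 10.1.50.10 tcp 1433",
    "10.1.20.15 93.184.216.34 tcp 443",
    "172.16.4.2 10.1.20.15 tcp 443",
]]
TODAY = [parse_flow(l) for l in [
    "10.1.20.15 10.1.50.10 tcp 1433",    # usual app-to-DB traffic
    "10.1.20.77 10.1.20.15 tcp 445",     # SMB to a peer in the same zone: no firewall in path
    "10.1.20.77 10.1.50.10 tcp 445",     # SMB straight at the database zone
    "10.1.20.77 10.1.90.5 tcp 3389",     # RDP into HVAC control
    "10.1.20.15 93.184.216.34 tcp 443",  # usual web traffic
]]

if __name__ == "__main__":
    for flow, verdict, why in triage(POLICY, BASELINE, TODAY):
        print(verdict.upper(), flow, "; ".join(why))
    isolated = quarantine(POLICY, "10.1.20.77", "10.1.200.5")
    print("after quarantine:", evaluate(isolated, TODAY[1]))
```

Two of the flagged flows are already denied by the zone policy, which is the point of Recommendation #2; the third, SMB between two procurement hosts, is allowed because nothing filters inside a zone, and it is only the "hosts never communicated before" check that surfaces it. That gap is what micro-segmentation or the host-level quarantine rules close: after `quarantine()` the same intra-zone flow evaluates to deny while the original app-to-database traffic from other hosts is untouched.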
39. POLL
Have you already started a micro-segmentation project in your organization?
• Yes, we’ve completed our micro-segmentation project
• Yes, we are currently in the midst of a micro-segmentation project
• No, but it is in our roadmap
• No, and we don’t plan to in the near future
41. WHAT TO DO NEXT?
ATTACHMENTS TAB
• Connect with us on LinkedIn
• Register for Part 2 of the Ransomware Masterclass Webinar
• Join the raffle: request a Ransomware Assessment Service; 1 random winner will be selected for a free-of-charge assessment
• Request your copy of:
  • Cisco Zero Trust Security
  • Ransomware Defense for Dummies