Cryptolocker Webcast

CONTAINING
CRYPTOLOCKER
How Predictive Analytics
Combat Emerging Threats

OpenDNS Confidential

AGENDA

1

CYBER ATTACKS & THREATS
multiple stages, varying tactics

2

CRYPTOLOCKER IN-DEPTH
how it works, what can stop it

3

WHY SECURITY FALLS BEHIND
how OpenDNS contained Cryptolocker, why we stay ahead

#2

Ÿ

11-Dec-13 Ÿ OpenDNS Confidential

CYBER ATTACKS
AND THREATS


CYBER-ATTACKS ARE MULTI-STAGE

A BUSINESS MAY OBSERVE
UP TO FIVE STAGES

1 2 3 4 5
RECON
& PREP

#4

Ÿ

LURE
USER


INFECT
SYSTEM

PHONE
HOME

BREACH
NETWORK

REALIZE
MOTIVE

MOVE DATA
& MONEY

LURE & INFECTION

MULTIPLE ATTACK VECTORS
EMAIL ONLY
SociallyEngineered
Content

Links in
Forums or
Search
Engines

(business
sender)

Malicious
Attachment
(ZIP and/or
EXE falsely
labeled as PDF)

#5

Ÿ

WEB ONLY


Malware
Drop Host
(often exploits
browser or plug-in
vulnerabilities)

EMAIL TO WEB
FalselyLabeled
Web Link

Compromised
Web Site

Compromised
Web Site

(Javascript
redirection)

(Javascript
redirection)

Malware
Drop Host
(often exploits
browser or plug-in
vulnerabilities)

PHONE HOME (to CnCs)

INCREASING SOPHISICATION
STATIC

FAST FLUX
23.4.34.55

23.4.24.1

23.4.24.1

DGA

(domain generation algorithm)

44.6.11.8

23.4.34.55
44.6.11.8
87.32.4.21

129.3.6.3
83.56.21.1

34.4.2.110
bad.com

#6

Ÿ


34.4.2.110
bad.com

129.3.6.3
23.4.24.1

34.4.2.110
bad.com?
baa.ru?
bid.cn

BREACH & MOTIVE

MOST BREACHES YOU DON’T SEE
DISRUPTS

YOUR BUSINESS

HIJACKS

YOUR INFRASTRUCTURE

MANIPULATES
YOUR DATA

Pay the
Ransom
to Unlock
the Data
Locks You Out
of Your Data on
Your Network

#7

Ÿ


Attacks Other
Businesses Using
Your Reputation

Cyber-Criminals and
Nation States Obtain
Your Knowledge

CRYPTOLOCKER
IN-DEPTH


BUSINESSES OFTEN MISS SEEING THE THIRD STAGE

IT IS TARGETING BUSINESSES

EMAIL-ONLY

1 VECTOR
#9

Ÿ


2 FAKE
EXECUTABLE

DGA-BASED
3 PHONE HOME

4 ENCRYPT
DATA

COLLECT
5 RANSOM

SECURITY REQUIRES VISIBILITY, INTELLIGENCE AND ENFORCEMENT

WHICH SOLUTIONS CAN STOP IT?
EMAIL-ONLY

1 VECTOR

Firewalls or
Gateways

2 FAKE
EXECUTABLE

Endpoint
Protections

DGA-BASED
3 PHONE HOME
Firewalls,
Gateways
or Endpoint
Protections

BLOCK WHAT IS KNOWN TO BE MALICIOUS:
•  by appearance
•  by origin
•  by behavior
#10

Ÿ


4 ENCRYPT
DATA

Encryption or
DB Security

COLLECT
5 RANSOM

Data
Archiving

DISCOVERING WHAT IS MALICIOUS IS A COLLECT AND REACT APPROACH

IF IT’S NOT KNOWN, THEN…
COLLECT

ANALYZE

REACT
•  block new
appearances
•  block new
origins
•  block new
behaviors

time 0
#11

Ÿ


time 1-N

time N

MALWARE ANALYSIS APPROACHES WILL NEVER STAY AHEAD

Variant G

Variant H
Variant C

Variant A

Variant E
Variant F
Variant K
NEW DGA
Variant B
Variant I

#12

Ÿ

Variant D


Variant J


Variant A

#13

Ÿ



Variant G
Variant C

Variant A

Variant E
Variant F

Variant B

Variant D
#14

Ÿ



Variant G

Variant H
Variant C

Variant A

Variant E
Variant F
Variant K
NEW DGA
Variant B
Variant I

#15

Ÿ

Variant D


Variant J


Variant G

Variant H
Variant C

Variant A

Variant E
Variant F
Variant K
NEW DGA
Variant B
Variant I

#16

Ÿ

Variant D


Variant J

WHAT IS A BETTER APPROACH?

DISCOVER WHERE MALICIOUS ACTIVITY
WILL ORIGINATE, BEFORE IT HAPPENS
OBSERVE

PREDICT

DGA-based phone home activity

time 0
#17

Ÿ

future DGA domains

time 1


TO OBSERVE YOU NEED SITUATIONAL AWARENESS AND GLOBAL INTELLIGENCE

#18

Ÿ



Live Internet Activity

#19

Ÿ



#20

Ÿ


OBSERVING CRYPTOLOCKER’S DGA-BASED PHONE ACTIVITY ACTIVITY

24-Oct

28.7M
24.6M

Unknown
Co-Occurring
DNS Requests
#21

Ÿ

19.1M

22.3M
18.1M

28-Oct

29-Oct

lcynqebqetamnmb.net

27-Oct

dblekuaonugn.biz

26-Oct

ljllkfudrvggepm.com

ixslpslobkddytp.info

25-Oct

ohjvagaptmlffn.info

23-Oct

byeixyixhmse.biz

22-Oct

dctqynvenluf.biz

21-Oct

ftamfiaivpdw.biz

20-Oct

shocdnhyfmdfsoj.co.uk

lfdicecqjetfqrm.com

Known
Domains
Blocked

paspmnbspwijo.ru

DAY
FOR EVERY 1 KNOWN DOMAIN PER DAY,
999 MORE DOMAINS OBSERVED

30-Oct

26.9M
21.7M

19.6M

17.6M

20.1M

7.3M
20-Oct


21-Oct

22-Oct

23-Oct

24-Oct

25-Oct

26-Oct

27-Oct

28-Oct

29-Oct

30-Oct

PREDICTING CRYPTOLOCKER’S DGA-BASED PHONE HOME ACTIVITY

ONE OF THOSE 999 CO-OCCURRING
DOMAINS WILL BECOME ACTIVE NEXT

CRYPTOLOCKER

KNOWN DOMAINS
tctggapprqfatc.biz
uauuqfmmuwemsj.ru
psnineovwogkvx.org
#22

Ÿ


ALL CO-OCCURRENCES INCLUDING NEWLY

DISCOVERED CRYPTOLOCKER DOMAINS T-1 T+1
uwelwphpjsemxsn.info (2100), google.com (800),
arjddblgbsumi.biz (575), danvawrrcgrwo.com (300),
facebook.co.uk (266), frjpjcapmnvdo.ru (34)

OBTAIN VISIBILITY, INTELLIGENCE AND ENFORCEMENT OF STAGE 3

STOP THE ATTACK’S “KILL CHAIN”
EMAIL-ONLY

1 VECTOR

2 FAKE
EXECUTABLE

DGA-BASED
3 PHONE HOME

4 ENCRYPT
DATA

At the Gateway and
on the Endpoint*
(*because it will not always
be behind the gateway)

#23

Ÿ


COLLECT
5 RANSOM

WHY SECURITY
FALLS BEHIND

THE PERFECT STORM HAS FORMED

INCOMPLETE
ENFORCEMENT
On-Network
Web Traffic
Roaming
Users &
Remote
Offices

#25

Ÿ

Non-Web
Protocols
& Ports


LIMITED
VISIBILITY
Samples
Collected by
On-Premises
Appliances
Targeted
Attacks

Emerging
Threats

REACTIVE
INTELLIGENCE
Similar
Appearance
Different
Behavior

Unknown
Origin

WANTED: SECURITY FOR THE WAY THE WORLD WORKS TODAY

EVERYWHERE

ENFORCEMENT

#26

Ÿ


GLOBAL

VISIBILITY

PREDICTIVE

INTELLIGENCE

GLOBAL VISIBILITY

ENFORCEMENT
UMBRELLA

INTELLIGENCE

SECURITY GRAPH

PREDICTIVE SECURITY

WHAT MAKES OPENDNS’S SECURITY UNIQUE

THE ONLY CLOUD-DELIVERED
AND DNS-BASED
SECURITY SOLUTION

80M+
100K+
#28

Ÿ


REQUESTS TO ADVANCED
MALWARE, BOTNET & PHISHING
THREATS BLOCKED DAILY
NEW THREAT ORIGINS
DISCOVERED OR PREDICTED DAILY

UMBRELLA LEVERAGES OPENDNS’S FOUNDATIONS

THE WORLD’S LARGEST
INTERNET SECURITY NETWORK
"   50M+ ACTIVE USERS DAILY
"   21 DATA CENTER LOCATIONS
"   1500+ BGP PEERING SESSIONS

"   50B+ REQUESTS DAILY
"   160+ COUNTRIES W/USERS
"   ZERO NET NEW LATENCY

EUROPE, MIDDLE
EAST & AFRICA

AMERICAS

#29

Ÿ


ASIA-PACIFIC

EVERYWHERE.
#30

Ÿ


TOTAL
NEW

NEW

TOTAL

NEW

for 1,000s of our
customers daily.

TOTAL

OPENDNS IS
PREDICTING &
CONTAINING
CRYPTOLOCKER

TOTAL

USER CLIENTS ATTEMPTING TO PHONE HOME TO CRYPTOLOCKER’S CnCs

CUSTOMERS PROTECTED BEFORE TRADITIONAL SECURITY APPROACHES

OPENDNS PREDICTED
CRYPTOLOCKER’S DGA
before others could reverse engineer it

#31

Ÿ


OPENDNS WILL HELP YOUR BUSINESS

We Predict,
Prevent And Contain
Emerging Threats

BEFORE THE INFECTION
OR BREACH HAPPENS
#32

Ÿ


FOR A FREE INSTANT TRIAL,
VISIT WWW.UMBRELLA.COM OR
EMAIL SALES@OPENDNS.COM
FOR TECHNICAL QUESTIONS,
EMAIL ME BARRY@OPENDNS.COM

Cryptolocker Webcast

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Cryptolocker Webcast

Ähnlich wie Cryptolocker Webcast (20)

Mehr von OpenDNS

Mehr von OpenDNS (19)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cryptolocker Webcast