Ransomware Defense For Dummies Cisco Special Edition

Transcription

These materials are 2017 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

Ransomware Defense For Dummies, Cisco Special Edition
by Lawrence Miller, CISSP

Ransomware Defense For Dummies, Cisco Special Edition

Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com

Copyright © 2017 by John Wiley & Sons, Inc., Hoboken, New Jersey

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

ISBN 978-1-119-35226-6 (pbk); ISBN 978-1-119-35215-0 (ebk)

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&Licenses@Wiley.com.

Publisher’s Acknowledgments

Some of the people who helped bring this book to market include the following:

Development Editor: Elizabeth Kuball
Production Editor: Siddique Shaik
Copy Editor: Elizabeth Kuball
Special Help: Rachel Ackerly, Mary Briggs, Dan Gould, Aivy Iniguez, Kate MacLean, Ben Munroe, Mark Murtagh
Acquisitions Editor: Amy Fandrei
Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan

Table of Contents

INTRODUCTION
About This Book
Foolish Assumptions
Icons Used in This Book
Beyond the Book

CHAPTER 1: What Is Ransomware?
Defining Ransomware
Recognizing Ransomware in the Modern Threat Landscape
Understanding How Ransomware Operates

CHAPTER 2: Implementing Best Practices to Reduce Ransomware Risks
Before an Attack: Discover, Enforce, Harden
During an Attack: Detect, Block, and Defend
After an Attack: Scope, Contain, and Remediate

CHAPTER 3: Building the “New Best-of-Breed” Security Architecture
Recognizing the Limitations of Current Security Designs
Defining the “New Best-of-Breed” Security Architecture

CHAPTER 4: Deploying Cisco Ransomware Defense
Leveraging DNS as the First Line of Defense in the Cloud
Securing Endpoints and Addressing Email Threats
    Cisco Advanced Malware Protection (AMP) for Endpoints
    Cisco Email Security with Advanced Malware Protection (AMP)
Protecting the Network with Next-Generation Firewalls and Segmentation
    Cisco Firepower Next-Generation Firewall (NGFW)
    Use the network as a sensor and enforcer
Streamlining Deployments and Bolstering Incident Response

CHAPTER 5: Ten Key Ransomware Defense Takeaways
Ransomware Is Evolving
Ransomware-as-a-Service Is an Emerging Threat
Paying a Ransom Doesn’t Solve Your Security Problems
Build a Layered Security Architecture Based on Open Standards
Deploy Integrated, Best-of-Breed Solutions
Embed Security throughout Your Network Environment
Reduce Complexity in Your Security Environment
Leverage Cloud-Based, Real-Time Threat Intelligence
Automate Security Actions to Reduce Response Time
See Something, Say Something

Introduction

The rise of ransomware over the past few years is an ever-growing problem that has quickly become an extremely lucrative criminal enterprise. Targeted organizations often believe that paying the ransom is the most cost-effective way to get their data back — and, unfortunately, this may be true. The problem is that every single business that pays to recover its files is directly funding the development of the next generation of ransomware. As a result, ransomware is evolving at an alarming rate with new and more sophisticated variants.

Ransomware must be prevented when possible, detected when it attempts to breach a network, and contained to limit potential damage when it infects systems and endpoints. Ransomware defense calls for a “new best-of-breed” architectural approach that spans the organization at the edge in the domain name system (DNS) layer to the data center and across endpoint devices no matter where they’re being used.

About This Book

Ransomware Defense For Dummies consists of five short chapters that explore how ransomware operates and its defining characteristics (Chapter 1), security best practices to reduce ransomware risks (Chapter 2), a “new best-of-breed” security architecture (Chapter 3), the Cisco Ransomware Defense solution (Chapter 4), and important ransomware defense takeaways (Chapter 5).

Foolish Assumptions

It has been said that most assumptions have outlived their uselessness, but I assume a few things nonetheless!

Mainly, I assume that you know a few things about information security. Perhaps you’re a C-level IT executive, IT director, senior IT architect, analyst, or manager, or a security, network, or system administrator. As such, this book is written primarily for technical readers who know a little something about IT networking, infrastructure, and enterprise systems.

If any of these assumptions describes you, then this book is for you! If none of these assumptions describes you, keep reading anyway. It’s a great book, and when you finish reading it, you’ll know enough about ransomware defense to be dangerous (to the bad guys)!

Icons Used in This Book

Throughout this book, I use special icons to call attention to important information. Here’s what to expect:

This icon points out information that you should commit to your nonvolatile memory, your gray matter, or your noggin — along with anniversaries and birthdays!

You won’t find a map of the human genome here, but if you seek to attain the seventh level of NERD-vana, perk up! This icon explains the jargon beneath the jargon and is the stuff legends — well, nerds — are made of!

Thank you for reading, hope you enjoy the book, please take care of your writers! Seriously, this icon points out helpful suggestions and useful nuggets of information.

This icon points out the stuff your mother warned you about. Okay, probably not. But you should take heed nonetheless — you might just save yourself some time and frustration!

Beyond the Book

There’s only so much I can cover in 48 short pages, so if you find yourself at the end of this book, thinking, “Gosh, this was an amazing book. Where can I learn more?,” just go to www.cisco.com/go/ransomware.

IN THIS CHAPTER
»» Identifying ransomware and its defining characteristics
»» Looking at ransomware trends
»» Seeing how ransomware works

Chapter 1
What Is Ransomware?

Ransomware is the fastest-growing malware threat today and is already an epidemic. According to a U.S. government interagency report, an average of more than 4,000 ransomware attacks have occurred daily since January 2016. In this chapter, you learn about ransomware — what it is, how it’s evolving as a threat, and how it works.

Defining Ransomware

Ransomware is malicious software (malware) used in a cyberattack to encrypt the victim’s data with an encryption key that is known only to the attacker, thereby rendering the data unusable until a ransom payment (usually cryptocurrency, such as Bitcoin) is made by the victim.

Cryptocurrency is an alternative digital currency that uses encryption to regulate the “printing” of units of currency (such as bitcoins) and to verify the transfer of funds between parties, without an intermediary or central bank.

Ransom amounts are typically high, but not exorbitant. For example, demands for individuals typically range from $300 to $600, while larger organizations will typically pay more. In 2016, a South Carolina school district paid an estimated $10,000 ransom and a California hospital paid approximately $17,000 to cybercriminals. These amounts quickly add up — more than $200 million in the first three months of 2016, according to the U.S. Federal Bureau of Investigation (FBI). This characteristic of ransomware is by design, in an effort to get victims to simply pay the ransom as quickly as possible, instead of contacting law enforcement and potentially incurring far greater direct and indirect costs due to the loss of their data and negative publicity.

Ransom amounts may also increase significantly the longer a victim waits. Again, this is by design, in an effort to limit a victim’s options and get the victim to pay the ransom as quickly as possible.

Recognizing Ransomware in the Modern Threat Landscape

Ransomware is not a new threat (see Figure 1-1). The earliest known ransomware, known as PC Cyborg, was unleashed in 1989. Since that time, ransomware has evolved and become far more sophisticated. Ransomware has also become more pervasive and lucrative with developments such as the following:

»» The release of the Android phone: Android has become a popular attack vector (macOS is also now a target, and Apple iOS will no doubt become a target).
»» The rise of Bitcoin: Bitcoin enables easy and virtually untraceable payments to anonymous cybercriminals.
»» The emergence of Ransomware-as-a-Service (RaaS): RaaS (ransomware that can be purchased for a small fee and/or a percentage of the ransom payment) makes it easy for practically anyone to use ransomware.

Despite sensational media reports about massive data breaches targeting organizations and enterprises such as the U.S. Office of Personnel Management (OPM), Anthem Blue Cross Blue Shield, Target, and Home Depot, for identity theft and credit card fraud purposes, the rise of ransomware has become one of the most pervasive threats to organizations and enterprises — as well as individuals — over the past year.

A report by the Institute for Critical Infrastructure Technology (ICIT) predicts that 2016 will be the year that ransomware “wreak[s] havoc on America’s critical infrastructure community.”
