Secure Your Business From Escalating DDoS Ransomware And . - Cisco

Transcription

Secure Your Business from Escalating DDoS, Ransomware and Extortion Attacks
Mike Geller – Distinguished Architect, Radware

Cisco and Radware Together as Cisco Secure
Cisco Connect ASEAN Gold Sponsor: “Secure Your Data”

Cisco Secure DDoS: Network and Data Center Resiliency
- Granularly distinguish legitimate from malicious traffic
- Maintain network and application availability during an attack
- Ensure that your digital business is always-on
- Learn more: Cisco Secure DDoS Protection AAG

Cisco Secure WAF & Bot: Application Availability & Data Security
- Defend web, mobile apps, and APIs from attack
- Ensure application availability while protecting your data
- Compliance with data privacy requirements, globally
- Learn more: Cisco Advanced WAF and Bot AAG

Cisco Secure ADC: Encrypted Traffic Visibility & Cloud Elasticity
- SSLi Bundles – Cost-effective inspection of encrypted traffic
- Full L4-L7 services, including service chaining
- Dynamic allocation of ADC services (GEL)
- Learn more: SSL Inspection Bundles AAG, Cisco Secure ADC Data Sheet

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public

[Diagram: an enterprise perimeter spanning Americas, Europe and AsiaPac, with employees, data, and servers & applications behind it, under attack from a 2 Tbps global botnet; the business is shown as “Sorry, we’re CLOSED”.]

[Diagram: the same enterprise perimeter with the attack split by layer: Layer 2/3 attacks against networking and Layer 7 attacks against applications, again from a 2 Tbps global botnet.]

“Our clients are worried about Ransomware. What can they do? How can we help?”

Key Ransomware Questions
- Cyber Insurance?
- Backups?
- People and Process?
- Tabletop Exercise
- Incident Response?
- Penetration Testing / Assessments
- Defense in Depth?
Having a strong security investment can reduce insurance costs.

Ransomware Web and Email Threat Model

[Diagram: a cloud or on-prem application environment with remote users and LAN users; each control point (Email, Endpoint Protection, DNS & Web Security, O365, Firewall, Analytics, Web Gateway, Workload Protection) is annotated with the MITRE ATT&CK technique IDs it sees, drawn from the legend below.]

Initial Access
- T1189 - Drive-by Compromise
- T1566.002 - Spearphishing Link
Execution
- T1059.001 - PowerShell
- T1569.002 - Service Execution
- T1047 - Windows Management Instrumentation
Lateral Movement
- T1021.002 - SMB/Windows Admin Shares
Credential Access
- T1003 - OS Credential Dumping
- T1552.002 - Credentials in Registry
Discovery
- T1087 - Account Discovery
- T1057 - Process Discovery
- T1018 - Remote System Discovery
- T1082 - System Information Discovery
Defense Evasion
- T1070 - Indicator Removal on Host
- T1562.001 - Disable or Modify Tools
- T1027.004 - Compile After Delivery
- T1127 - Trusted Dev Utilities Proxy Execution
Persistence
- T1098 - Account Manipulation
Collection
- T1113 - Screen Capture

Web and Email Ransomware Defense Model

[Diagram: the same environment with Cisco controls (Secure Workload, Secure Email, Secure Endpoint, O365, Firewall, Secure Network Analytics, Umbrella, Secure Access) for remote and LAN users, each annotated with the MITRE ATT&CK mitigation IDs it provides, drawn from the legend below.]

Initial Access
- M1048 - Application Isolation and Sandboxing
- M1050 - Exploit Protection
- M1021 - Restrict Web-Based Content
- M1017 - User Training
Execution
- M1049 - Antivirus/Antimalware
- M1045 - Code Signing
- M1042 - Disable or Remove Feature or Program
- M1026 - Privileged Account Management
- M1018 - User Account Management
Lateral Movement
- M1037 - Filter Network Traffic
- M1035 - Limit Access to Resource Over Network
Credential Access
- M1043 - Credential Access Protection
- M1041 - Encrypt Sensitive Information
- M1025 - Privileged Process Integrity
- M1017 - User Training
- M1047 - Audit
Defense Evasion
- M1041 - Encrypt Sensitive Information
- M1018 - User Account Management
- M1042 - Disable or Remove Feature or Program
- M1038 - Execution Prevention
Persistence
- M1032 - Multi-factor Authentication
- M1030 - Network Segmentation
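The two legends above (attacker techniques per tactic, and mitigations per tactic) are the raw material of a coverage check, which the slides themselves do not perform. The script below is an added example, not Cisco's or Radware's tooling: the technique and mitigation IDs are transcribed from the two legends, and the gap logic (a tactic counts as covered when at least one mitigation is listed against it; a mitigation listed under several tactics is treated as high-leverage) is the editor's own rule of thumb. Running it shows that the defense legend lists nothing against Discovery or Collection.

```python
"""ATT&CK coverage check over the threat-model and defense-model legends.

Added example (not Cisco's or Radware's own tooling). IDs come from the two
slide legends; the coverage rule is an assumption of this example.
"""
from collections import defaultdict

# Technique IDs per tactic, from the "Ransomware Web and Email Threat Model" legend.
THREAT_MODEL = {
    "Initial Access": {"T1189": "Drive-by Compromise", "T1566.002": "Spearphishing Link"},
    "Execution": {"T1059.001": "PowerShell", "T1569.002": "Service Execution",
                  "T1047": "Windows Management Instrumentation"},
    "Lateral Movement": {"T1021.002": "SMB/Windows Admin Shares"},
    "Credential Access": {"T1003": "OS Credential Dumping",
                          "T1552.002": "Credentials in Registry"},
    "Discovery": {"T1087": "Account Discovery", "T1057": "Process Discovery",
                  "T1018": "Remote System Discovery", "T1082": "System Information Discovery"},
    "Defense Evasion": {"T1070": "Indicator Removal on Host", "T1562.001": "Disable or Modify Tools",
                        "T1027.004": "Compile After Delivery",
                        "T1127": "Trusted Dev Utilities Proxy Execution"},
    "Persistence": {"T1098": "Account Manipulation"},
    "Collection": {"T1113": "Screen Capture"},
}

# Mitigation IDs per tactic, from the "Web and Email Ransomware Defense Model" legend.
DEFENSE_MODEL = {
    "Initial Access": {"M1048": "Application Isolation and Sandboxing", "M1050": "Exploit Protection",
                       "M1021": "Restrict Web-Based Content", "M1017": "User Training"},
    "Execution": {"M1049": "Antivirus/Antimalware", "M1045": "Code Signing",
                  "M1042": "Disable or Remove Feature or Program",
                  "M1026": "Privileged Account Management", "M1018": "User Account Management"},
    "Lateral Movement": {"M1037": "Filter Network Traffic",
                         "M1035": "Limit Access to Resource Over Network"},
    "Credential Access": {"M1043": "Credential Access Protection", "M1041": "Encrypt Sensitive Information",
                          "M1025": "Privileged Process Integrity", "M1017": "User Training",
                          "M1047": "Audit"},
    "Defense Evasion": {"M1041": "Encrypt Sensitive Information", "M1018": "User Account Management",
                        "M1042": "Disable or Remove Feature or Program", "M1038": "Execution Prevention"},
    "Persistence": {"M1032": "Multi-factor Authentication", "M1030": "Network Segmentation"},
}


def coverage_report(threat=THREAT_MODEL, defense=DEFENSE_MODEL):
    """Per tactic: listed techniques, listed mitigations, and whether anything is listed at all."""
    report = {}
    for tactic, techniques in threat.items():
        mitigations = defense.get(tactic, {})
        report[tactic] = {
            "techniques": sorted(techniques),
            "mitigations": sorted(mitigations),
            "covered": bool(mitigations),   # assumption: one listed mitigation counts as covered
        }
    return report


def uncovered_tactics(threat=THREAT_MODEL, defense=DEFENSE_MODEL):
    """Tactics that carry attacker techniques but have no mitigation in the defense legend."""
    return sorted(t for t, row in coverage_report(threat, defense).items() if not row["covered"])


def shared_mitigations(defense=DEFENSE_MODEL):
    """Mitigations listed under more than one tactic: the controls with the broadest leverage here."""
    tactics_by_id = defaultdict(set)
    for tactic, mitigations in defense.items():
        for mid in mitigations:
            tactics_by_id[mid].add(tactic)
    return {mid: sorted(ts) for mid, ts in tactics_by_id.items() if len(ts) > 1}


if __name__ == "__main__":
    for tactic, row in coverage_report().items():
        flag = "" if row["covered"] else "   <-- no mitigation listed"
        print(f"{tactic:18} techniques={row['techniques']} mitigations={row['mitigations']}{flag}")
    print("uncovered:", uncovered_tactics())
    print("shared:", shared_mitigations())
```

The report is only as good as the legends it reads: the slides are a summary, so a real exercise would replace these dictionaries with the full technique-to-mitigation mapping for the controls actually deployed, and the same two functions would then point at the tactics where the estate has nothing on paper.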

Cisco Ransomware Defense
- Cisco Umbrella: block requests to malicious sources; asymmetric encryption; SASE
- Cisco Secure Email: block phishing email threats
- Cisco Secure Workload: identify and remediate malicious files / artifacts; micro-segmentation
- Cisco Endpoint: identify and remediate malicious files / artifacts
- Cisco Secure Analytics: network anomaly and breach detection
- Cisco Secure Firewall / Secure Access: segmentation, visibility and security defense
- Cisco Duo: multifactor authentication and endpoint assessment
- Cisco SecureX: threat hunting; orchestration; event management

“I hear that now we have DDoS attacks with Ransom building on the Ransomware theme. What’s going on?”

Ransom DDoS

Extortion letter shown on the slide:
“Maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back.
We asked for 10 bitcoin to be paid at XXXXXXXXXXXXXXXXXXXX to avoid getting your whole network DDoSed. It’s a long time overdue and we did not receive payment. Why? What is wrong? Do you think you can mitigate our attacks? Do you think that it was a prank or that we will just give up? In any case, you are wrong.
We can easily shut you down completely, but considering your company size, it would probably cost you more one day without the Internet than what we are asking so we calculated and decided to try peacefully again. And we are not doing this for cyber vandalism, but to make money, so we are trying to make it easier for both.
We will be kind and will not increase your fee. Actually, since the Bitcoin price went up for over 100% since the last time we will temporarily decrease the fee to 5 BTC! Temporarily.
Yes, pay us 5 BTC and we are gone!
You can pay us to the same address we gave you last time or if you need a new one for any reason (privacy, because you have probably forwarded our first email to law enforcement):
XXXXXXXXXXXXXXXXXXXX
Remember, we never give up. And we always come back, until we are paid. Once paid we are gone and you will never hear from us again - forever.”

Campaign timeline:
- May 2021, ‘Fancy Lazarus’: the hunt for unprotected assets, 0.5 to 5 BTC
- Aug 2021, ‘Fancy Bear/Lazarus/Armada Collective’: global campaign targeting all verticals, 10 to 20 BTC
- Dec 2021, ‘Fancy Bear/Lazarus/Armada Collective’: revisiting previous targets that did not pay, 5 to 10 BTC

Ransomware Triple Extortion
Avaddon uses DDoS attacks to bring difficult ‘partners’ back to the negotiation table.
1. Encrypting Data and Systems
2. Leaking Sensitive Data
3. DDoS attack

Ransomware Initial Access

Credential Stuffing and Brute Force Account TakeOver (ATO)
- Against remote access solutions (SSLVPN, RDP)
- Colonial Pipeline vs DarkSide (4.5 Million paid): access through an unused but still active VPN account; the credentials used in the access were discovered in credential leaks

Remote Access (VPN, RDP, VNC)
- VPNs affected by easy to exploit vulnerabilities
- Exploits throughout 2019, 2020 and 2021
- 0days and known vulnerabilities

Supply Chain
- Zero-day / undisclosed vulnerability
- Kaseya VSA remote management infected almost 1,500 businesses
- Universal decryptor key for 70 million
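The first initial-access path on this slide, credential stuffing against a VPN or RDP gateway ending in a takeover of a forgotten account, leaves a recognisable pattern in the gateway's authentication log. The detector below is an added example, not Cisco's or Radware's detection content: it runs over constructed, syslog-style VPN authentication events and raises two alerts, one when a single source fails against many distinct accounts inside a short window, and one when that same source then logs in successfully, which is the account-takeover moment an analyst needs to see immediately. The log format, hostnames, account names, addresses (RFC 5737 documentation ranges) and thresholds are all invented for the example.

```python
"""Credential-stuffing and takeover detection over VPN-gateway auth events.

Added example (not Cisco's or Radware's own content). Log lines, field
names and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed gateway events: one source sprays six accounts, then logs in as a
# dormant service account; a second source is an ordinary user mistyping once.
SAMPLE_LOG = """\
2021-08-02T03:14:05Z vpn-gw1 auth user=alice src=203.0.113.7 result=FAIL
2021-08-02T03:14:06Z vpn-gw1 auth user=bob src=203.0.113.7 result=FAIL
2021-08-02T03:14:07Z vpn-gw1 auth user=carol src=203.0.113.7 result=FAIL
2021-08-02T03:14:08Z vpn-gw1 auth user=dave src=203.0.113.7 result=FAIL
2021-08-02T03:14:09Z vpn-gw1 auth user=erin src=203.0.113.7 result=FAIL
2021-08-02T03:14:11Z vpn-gw1 auth user=frank src=203.0.113.7 result=FAIL
2021-08-02T03:14:20Z vpn-gw1 auth user=legacy-svc src=203.0.113.7 result=SUCCESS
2021-08-02T03:20:00Z vpn-gw1 auth user=alice src=198.51.100.20 result=FAIL
2021-08-02T03:20:30Z vpn-gw1 auth user=alice src=198.51.100.20 result=SUCCESS
2021-08-02T09:00:00Z vpn-gw1 auth user=grace src=192.0.2.33 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>FAIL|SUCCESS)$"
)

WINDOW = timedelta(minutes=10)   # sliding window per source address
DISTINCT_USER_THRESHOLD = 5      # failures across this many accounts from one source -> stuffing
FAIL_BEFORE_SUCCESS = 5          # a success after this many recent failures from one source -> takeover


def parse(log_text):
    """Parse the constructed format into (timestamp, user, src, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count and surface these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["src"], m["result"]))
    events.sort()
    return events


def detect(log_text):
    """Return alerts for credential stuffing and for a success that follows a spray."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> deque of (ts, user) failures inside WINDOW
    already_flagged = set()                # one stuffing alert per source, not one per event
    for ts, user, src, result in parse(log_text):
        q = recent_failures[src]
        while q and ts - q[0][0] > WINDOW:  # evict failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            distinct = {u for _, u in q}
            if len(distinct) >= DISTINCT_USER_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"type": "credential_stuffing", "src": src,
                               "distinct_users": len(distinct), "at": ts})
        elif len(q) >= FAIL_BEFORE_SUCCESS:
            # The spray found a working credential: treat as account takeover until proven otherwise.
            alerts.append({"type": "success_after_spray", "src": src, "user": user,
                           "failures": len(q), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert is the one that matters operationally: it names the account that was actually taken over (here the constructed dormant account `legacy-svc`, mirroring the slide's point about unused but still active VPN accounts) so the responder can disable it and revoke its sessions rather than only blocking the source address, which a credential-stuffing campaign rotates anyway. Thresholds and the window length should be tuned against the gateway's normal failure rate before the rule goes live.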

Organized: Ransomware Affiliate Programs
- Operators: DarkSide, REvil, Avaddon, LockBit, Netwalker, ...
- Operator provides crypto-locking malware to affiliates
- Each affiliate’s malware has a unique ID embedded
- For every victim that pays ransom:
  - a REvil affiliate receives 30%, 40% after three successful ransom payments
  - a DarkSide affiliate 75 to 90% depending on the size of the ransom
  - Might seem high, but 10% to 25% of 4.5 million
- Affiliates recruited through cybercrime forums
  - DarkSide recruited on Russian speaking forums XSS and Exploit
- Human operated attacks
- Honor their deals, reputation does matter on the underground

Ransomware PR Sites
- Dark Web PR to advertise new victims and samples of stolen data
- Media monitoring these sites for the scoops and headlines
- This tactic puts even more pressure on victims
- REvil (aka Sodinokibi) ‘Happy Blog’: Quanta 50M ransomware demand

Cisco Secure DDoS Deployment Options
Good - Better - Best
Cisco DDoS solutions for every customer need and every budget

“How can I get help, ASAP?”

At a Glance: Cisco Emergency DDoS Attack Mitigation

Emergency DDoS Protection and Business Resilience When Under Attack
When your organization is targeted by a crippling DDoS attack, getting the network back online and restoring business operations is paramount. Through our global OEM partnership with Radware, Cisco customers have access to DDoS Emergency Attack Mitigation services. This is a one-time attack mitigation service that is available to new DDoS customers to help mitigate an on-going DDoS attack and quickly restore network services in order to minimize damage to the business.

How Emergency DDoS Attack Mitigation Works
Customers that purchase a Cisco Secure DDoS Protection* solution from Cisco receive a credit for the DDoS Emergency Services which is applied to the purchase of the Cisco DDoS protection.

Step 1: Service Registration
The client contacts Radware and receives an on-boarding invitation to register protected assets in Radware’s Cloud Security Services portal with the assistance of Radware’s Emergency Response Team (ERT).

Step 2: Traffic Diversion Set-up
For BGP-based traffic diversion, the client signs an LOA for BGP diversion, which is submitted by Radware for approval by the client's upstream provider.
For DNS-based traffic diversion, the client changes its DNS record to direct traffic to a Radware scrubbing center.

Step 3: GRE Tunnel Configuration
A GRE tunnel is configured for clean traffic return in the scrubbing center and on the client's side.

Step 4: Traffic Diversion
Traffic is diverted to the nearest scrubbing center in Radware’s global scrubbing center network.

14 Global Scrubbing Centers, 8 Tbps Mitigation Capacity
Our Cloud DDoS Protection service is backed by a worldwide network of 14 scrubbing centers with 8 Tbps of mitigation capacity. Radware’s scrubbing centers are globally connected in full mesh mode, using Anycast-based routing. This ensures that DDoS attacks are mitigated closest to their point of origin and provides truly global DDoS mitigation capable of absorbing even the largest volumetric attacks.

* Cisco Secure DDoS Protection is a portfolio of industry-leading DDoS detection and mitigation solutions that are powered by Radware.

At a Glance: More Information

DDoS Emergency Attack Mitigation Service
For more information or to register for Emergency DDoS Attack Mitigation, email us at emergency-ddos-services@cisco.com
The client receives emergency onboarding to Cloud DDoS Protection Service in Always-On mode to quickly mitigate ongoing attacks.

Cisco Secure DDoS Protection: www.cisco.com/go/secure-ddos
Cisco Secure DDoS: ...al/security/secure-ddos-protectaag.pdf
Global Scrubbing Centers: ...nter-ds.pdf
What is a DDoS attack: ...rity/what-is-a-ddos-attack.html

What’s included:
- One-time protection against an unlimited number of DDoS attacks and attack sizes for a period of up to seven days (subject to terms of the service)
- Service is provided for up to eight protected networks for each customer’s data center and up to a total of 4 Gbps of legitimate traffic
- This is an emergency service provided to a customer who is actively being attacked, and it is provided on a best-effort basis
- Estimated service fees are 36,000 per data center. This fee is credited back to customers who purchase a Cisco Cloud DDoS Protection annual service contract within 30 days from the start date of the service.
- Available only for new Cisco and Radware DDoS customers.

Radware’s Emergency Response Team
- The ERT is a group of Radware security experts that provide 24x7 security services for customers facing denial of service (DoS) attacks or malware outbreaks that require immediate assistance.
- The ERT is staffed by experts with extensive knowledge of network threats as well as threat detection and mitigation techniques.
- The ERT takes the lessons learned from each customer engagement and simulates these scenarios internally so that other customers facing similar threats can benefit from our experience.

Next Steps
For more information about our portfolio of DDoS protection solutions, contact your Cisco sales representative today.

Security Standards: Compliance and Certifications

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
Learn more: cisco.com/go/secure-ddos

What to do next?
- Take advantage of emergency-ddosservices@external.cisco.com to reach us
- Under attack, take advantage of the Cisco Secure DDoS service for immediate onboarding to protect your applications and the networks that deliver them
- When you reach out, the next step is a joint white board and discussion on how to best be protected
