Worried About Ransomware? — If not, you should be. We Can Stop Ransomware from Stealing Your Data and Holding It Hostage.
Ransomware can penetrate your organization in many ways. Reducing the risk of infection requires more than a single layer of defense. LA Networks works with Cisco and other leading vendors to deploy ransomware defenses using an architectural approach that strengthens your cyber defenses through detection, visibility, and threat intelligence.
You may ask:
- “Everyone is trying to sell me security products to keep my business data safe. They all say they’re the best. Which ones are?”
- “There are so many security products out there, and many seem to overlap. Do I need all these products? How do I know what’s right for my business?”
Here’s the All-in-One Answer: You Need Security-In-Depth
What is Security-In-Depth? Also called defense-in-depth, it is an approach in which multiple independent layers of protection (network, email, web, endpoint, identity, and backup) are deployed so that the failure of any one component or layer does not leave the organization exposed.
The scenario below walks through an attack step by step and marks the points in the chain of events where a security product COULD have identified or stopped the progression of the attack but didn’t. For this narrative, we assume that these products aren’t fully effective against a zero-day exploit, in order to illustrate the numerous layers of protection available to an organization that has deployed a full complement of security products.
Before we go on, these are some Common Security Terms you should know:
- Zero-day exploit: an attack that uses a vulnerability for which no patch (and usually no detection signature) exists yet, so signature-based defenses do not recognize it.
- Perimeter defense: the controls at the boundary between your network and the Internet, such as the firewall, email gateway, and web proxy.
- Endpoint protection: the controls that run on the user’s computer itself, such as anti-virus and Cisco AMP for Endpoints.
- Indicator of Compromise (IoC): evidence that a system has been attacked, such as a known-bad file hash, domain, or IP address, or unusual network traffic.
Here’s the scenario:
- An email (phishing attempt) with a URL link to malware hits the corporate mail gateway.
- Our Cisco Email Security Appliance (ESA), or its cloud-hosted version, Cloud Email Security (CES), scans the email for spam and malicious content.
- Then our Trend Micro email scanner checks incoming email.
- As it turns out, the email doesn’t have anything bad in it, but it does contain a link to a MySpace page. The URL is unknown and unreported, and no malware file is attached. So, the email is delivered to the user’s inbox.
- Unfortunately, the user opens the email and clicks on the URL.
- Our Cisco Umbrella examines the DNS lookup for the linked domain. (It’s cloud-based, and always on.)
- The host and domain have no bad reputation and are not on any block list, so the lookup is allowed.
- Now, the user’s web browser attempts to open the webpage.
- Then the URL filter (Websense, Cisco Firepower URL filtering, Cisco Umbrella, or the Cisco Web Security Appliance, WSA) checks the URL against category lists and reported malware sites. (These stop known-bad sites, but not a site that has never been seen before.)
- Nothing bad is found and the browser attempts an initial TCP/IP connection through the firewall.
- The Cisco ASA Firewall inspects the TCP/IP ports and protocols and compares them against the corporate security rules. The request is plain HTTP on TCP port 80, and port 80 is allowed through the firewall.
- The website responds with an HTML page, including media elements (JPEGs, MP4 video, Flash).
- Cisco Firepower IPS checks the individual packets against corporate security rules and known exploit patterns.
- Nothing is found, and the JPEG and Flash media are allowed through. However, the Flash object exploits a zero-day (previously unknown) vulnerability, so there is no signature to match. This is the exploit that got through all the network defenses.
- The user’s web browser now runs the downloaded Adobe Flash content. Unfortunately, the Adobe Flash Player on the computer is unpatched, so the vulnerability is present.
- The Flash exploit modifies the local operating system and drops a modified executable disguised as the Windows calculator (calc.exe).
- Trend Micro and Cisco AMP for Endpoints on the user’s computer don’t recognize the executable as known malware.
- Cisco AMP for Endpoints uploads the unrecognized file to Cisco Threat Grid for sandbox analysis. (Malware writers know this and count on the window of time before a verdict comes back.)
- The Flash exploit launches the calc.exe malware, which attempts to open an outbound TCP connection to an FTP server in Russia. Unfortunately, the company security policy allows outbound FTP connections.
- To do so, the calc.exe malware first attempts to resolve the hostname of its command-and-control server via DNS.
- Cisco Umbrella blocks the DNS resolution, because the name belongs to a known command-and-control site.
- The malware then attempts to connect to the FTP server directly by its numeric IP address.
- Cisco Firepower blocks the FTP session, because the address belongs to a known command-and-control site.
- The malware attempts to enumerate the file shares on the local network.
- The malware now begins encrypting files that the user has read/write access to.
- The malware then attempts to scan and infect the other computers on the local network.
- Now, our Cisco ISE segmentation policies block communication between peer systems.
- Cisco Stealthwatch alerts on the increased volume of data sent by the endpoint and on its unexpected connections to servers not normally accessed by this user.
- Then Cisco Threat Grid finishes the sandbox analysis of the sample, and Cisco AMP for Endpoints raises the threat level of this file.
- Cisco AMP for Endpoints quarantines the file on all protected endpoints.
- The Security Staff use Cisco FireSIGHT to retrospectively map the spread of the malware, and trigger network quarantine of the infected endpoints via Cisco ISE.
- The Systems Staff use Microsoft System Center with the Secunia plug-in to patch the vulnerable Adobe Flash installations.
- They then use Tenable Nessus to scan the endpoints for known vulnerabilities and verify that the endpoints are clean before removing them from quarantine.
- Then we use Veeam Backup & Replication to roll back the file server virtual machine (VM), or to restore the individual files encrypted by the ransomware.
- The Infosec staff use Splunk to build an incident report from the centralized log repository.
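The network-side alerts in this scenario (the blocked C2 lookup, the blocked FTP session, the Stealthwatch volume and unusual-server alerts, and the lateral SMB scan) all reduce to a few rules over flow records. The following is an added example of that detection logic, written for this page rather than taken from it or from any Cisco product: the flow records, the C2 indicators (documentation address ranges and a reserved `.example` name), the subnet layout, and the per-user baseline are all constructed, and the rule names and thresholds are assumptions.

```python
"""Added example: flow-based detection of the behaviors in the ransomware scenario.
All indicators, subnets, baselines, and flow records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str             # endpoint that initiated the flow
    dst: str             # destination address
    dport: int           # destination port
    bytes_out: int       # bytes sent by src
    dns_qname: str = ""  # queried name, set only on DNS (port 53) flows


# Constructed indicators (not real threat intelligence).
C2_DOMAINS = {"update-check.example"}
C2_IPS = {"203.0.113.7"}

# Constructed network layout: workstations on one subnet, file servers on another.
WORKSTATION_NET = ipaddress.ip_network("10.0.1.0/24")
SERVER_NET = ipaddress.ip_network("10.0.2.0/24")

# Constructed 30-day baseline per workstation: servers it normally talks to and
# its typical daily egress in bytes (what Stealthwatch would learn over time).
BASELINE = {
    "10.0.1.25": {"servers": {"10.0.2.10", "10.0.2.11"}, "daily_bytes": 50_000_000},
    "10.0.1.26": {"servers": {"10.0.2.10"}, "daily_bytes": 40_000_000},
}


def detect(flows, baseline=BASELINE, spike_factor=5, scan_threshold=10):
    """Return (rule, source, detail) alerts for one day's flows."""
    alerts = []
    bytes_by_src = defaultdict(int)
    smb_peers = defaultdict(set)    # workstation peers contacted over SMB
    new_servers = defaultdict(set)  # servers outside the user's baseline

    for f in flows:
        bytes_by_src[f.src] += f.bytes_out
        dst = ipaddress.ip_address(f.dst)
        # Umbrella-style: DNS lookup of a known command-and-control domain.
        if f.dport == 53 and f.dns_qname in C2_DOMAINS:
            alerts.append(("dns_c2_lookup", f.src, f.dns_qname))
        # Firepower-style: FTP session to a known command-and-control address.
        if f.dport == 21 and f.dst in C2_IPS:
            alerts.append(("ftp_to_known_c2", f.src, f.dst))
        # Stealthwatch-style: SMB to a server this user does not normally access.
        if f.dport == 445 and dst in SERVER_NET:
            if f.src in baseline and f.dst not in baseline[f.src]["servers"]:
                new_servers[f.src].add(f.dst)
        # Lateral movement: SMB to many workstation peers.
        if f.dport == 445 and dst in WORKSTATION_NET:
            smb_peers[f.src].add(f.dst)

    # Volume anomaly: egress far above this endpoint's learned daily baseline.
    for src, total in bytes_by_src.items():
        if src in baseline and total > spike_factor * baseline[src]["daily_bytes"]:
            alerts.append(("egress_spike", src, total))
    for src, servers in new_servers.items():
        alerts.append(("unusual_server_access", src, sorted(servers)))
    for src, peers in smb_peers.items():
        if len(peers) >= scan_threshold:
            alerts.append(("lateral_smb_scan", src, len(peers)))
    return alerts


# Constructed flows: 10.0.1.25 is the infected workstation from the scenario,
# 10.0.1.26 is a healthy one doing its normal work.
SAMPLE_FLOWS = [
    Flow("10.0.1.25", "10.0.1.1", 53, 80, "update-check.example"),   # C2 lookup
    Flow("10.0.1.25", "203.0.113.7", 21, 500),                      # FTP by raw IP
    Flow("10.0.1.25", "10.0.2.10", 445, 2_000_000),                 # normal server
    Flow("10.0.1.25", "10.0.2.12", 445, 150_000_000),               # encrypting shares
    Flow("10.0.1.25", "10.0.2.13", 445, 120_000_000),
] + [Flow("10.0.1.25", f"10.0.1.{i}", 445, 300) for i in range(30, 41)] + [
    Flow("10.0.1.26", "10.0.1.1", 53, 70, "intranet.corp.example"),
    Flow("10.0.1.26", "10.0.2.10", 445, 3_000_000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The point to take from the example is the first two rules versus the last three: the C2 lookup and the FTP session fire only because the indicators were already known, while the volume spike, the unfamiliar servers, and the SMB fan-out fire on behavior alone, which is why they are the layers that still catch a sample no signature has seen yet.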
So—now you can see how persistent ransomware can be. If you aren’t protected with Security-In-Depth, your business can be held hostage.
Don’t risk this. Sign up for LA Networks’ Free Cisco Firepower Threat Assessment and Umbrella Evaluation.
One of our Ransomware Experts will get right back to you.