This document discusses reducing ransomware risks and provides an overview of a webinar on the topic. It begins with a poll asking organizations about their experience with ransomware attacks. It then introduces the speakers and discusses malware trends seen by Cisco Talos, including the continued prevalence of ransomware. The webinar agenda is outlined, covering malware trends, what ransomware is, high-level solutions, and next steps. High-level solutions include blocking malicious traffic, securing email, using endpoint protection, and network segmentation. The presentation encourages education, making lateral movement difficult through segmentation, and having response plans. It concludes with an additional poll and information on following up.

1. REDUCING RISK OF
RANSOMWARE ATTACKS
– Back to Basics

2. Which of the following network security projects is your
company planning to mainly engage in during 2021:
• Micro-segmentation
• Compliance
• Cloud migration
• Automation
• More than one of the above
2 | Confidential
A QUESTION TO YOU

3. LET’S INTRODUCE OUR SPEAKERS
HUIB KLAASSENS
BDM
JAN HEIJDRA
TECHNOLOGY EVANGELIST
YITZY TANNENBAUM
PRODUCT MARKETING MANAGER

4. JAN HEIJDRA – CISCO SECURITY
Enterprise Mobility
Management
Network Traffic Security Analytics
(Cloud) Workload
Protection
Web
Security
Email
Security
Advanced
Threat
Secure
SD-WAN / Routers
Identity and Network
Access Control
Secure Internet
Gateway
Switches and
Access Points
Next-Gen
FW/IPS
Cloud Access Security

5. 2 | Confidential
YITZY TANNENBAUM – ALGOSEC OVERVIEW
Founded 2004
1800+ Enterprise Customers
Serving 20 of the Fortune 50
24/7 Support via 3 Global Centers
ISO 27001 Certified
Passionate about Customer Satisfaction
FORTUNE
50
ISO
27001
2004

6. HUIB KLAASSENS – METSI TECHNOLOGIES

7. SECURITY SERVICES
SOC Services
• SOC Build, Operate and Optimization
• Security Devices (ASA, FP, FTD, AMP,
Third Party FWs, IPS)
• Switches, Servers, Endpoints,
• Managed ISE
• Managed AMP
• Cloud Security Monitoring
Security Consulting
• Network Architecture
Assessment
• Cloud Security Assessment
• Gap Assessment (NIST-800)
• Pen Testing
• Security Optimization
• Incident Response
• Forensics
• Malware Readiness Assessment
for Endpoint, Network and DC
• AMP (Endpoints, Network)
• Incident Response
Next Generation Firewall Services
(Cisco ASA and FirePOWER Threat Defense)
• Firewall Policy Reviews and Optimization
• Design and Deployments
• Migrations (from old Cisco Firewalls and Third-Party
Firewalls to Cisco ASA/FTD)
• Operate
• Compliance
• On-Prem, DC and Cloud
Network Access Control (Cisco ISE)
and Segmentations
• Workshops
• Proof of Value/POC and Pilot Deployment
• Enterprise Rollout
• Post Deployment optimization and Support
• ACS to ISE Migration
• Network Segmentation (TrustSec)
• SDA (DNA Center)
Malware Protection

8. AGENDA
Malware trends
1
2
3
4
What is ransomware
High level solutions
What to do next?

9. Did you organization experience a ransomware
attack?
• Yes, multiple in the last two years
• Yes, one in the last two years
• Yes, but not in the last two years
• No, thankfully we haven’t had a ransomware attack!
9 | Confidential
POLL

10. 10 | Confidential
MALWARE TRENDS BY TALOS

11. 11 | Confidential
Talos encompasses six key areas:
Threat Intelligence & Interdiction,
Detection Research,
Engine Development,
Vulnerability Research & Discovery,
Open Source & Education,
and Global Outreach.
We are an elite group of security experts
devoted to providing superior protection to
customers with our products and service.
Cisco Talos' core mission is to
provide verifiable and customizable
defensive technologies and
techniques that help customers
quickly protect their assets from
cloud to core.
Our job is protecting your network.

12. Protecting Customers
Malvertising
Drive by
downloads
Rogue
software
Botnets
Cryptomining
Credential
compromise
DDoS
Man in
the middle
Spyware/
Malware
Advanced
persistent
threats
Wiper
attacks
Phishing
Unpatched
software
Supply
chain attacks
Ransomware
Data/IP theft

13. 13 | Confidential
EXTENSIVE COVID-THEMED ACTIVITY
• Malware and phishing
campaigns using COVID-
themed lures
• Attacks against
organizations that carry
out research and work
related to COVID
• Fraud and
disinformation

14. 14 | Confidential
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html#more

15. 15 | Confidential
Let’s look at
the poll
Results

16. 16 | Confidential

17. Top threats included
ransomware, such as
Sodinokibi and Maze
OBSERVED TRENDS
Top weaknesses include
lack of phishing
protection/education,
network monitoring and
logging, and patching
Top initial vectors
included phishing and
web app exploitation

18. RANSOMWARE
• The most common type of
attack
• Most common variants were
Maze and Sodinokibi
• No commodity trojans
• Maze “retires”
These types of attacks
remain one of the most
impactful for any
organization and can
severely affect critical
services
Impact

19. 19 | Confidential
WHAT IS RANSOMWARE

20. PC
Cyborg
2002
GPCoder
2005 2012 2013 2014
TOR
2006
First
commercial
Android phone
2007
QiaoZhaz
2008
1989 2015 2016
CRYZIP
Redplus
Bitcoin
network launched
Reveton
Ransomlock
Dirty Decrypt
Cryptorbit
Cryptographic Locker
Urausy
Cryptolocker
CryptoDefense
Koler
Kovter
Simplelock
Cokri
CBT-Locker
TorrentLocker
Virlock
CoinVault
Svpeng
TeslaCrypt
Virlock
Lockdroid
Reveton
Tox
Cryptvault
DMALock
Chimera
Hidden Tear
Lockscreen
Teslacrypt 2.0
Cryptowall
SamSam
Locky
Cerber
Radamant
Hydracrypt
Rokku
Jigsaw
Powerware
73V3N
Keranger
Petya
Teslacrypt 3.0
Teslacrypt 4.0
Teslacrypt 4.1
2017
CrySis
Nemucod
Jaff
Spora
Popcorn Time
NotPetya
WannaCry
THE EVOLUTION OF RANSOMWARE VARIANTS

21. HOW?
1. Deliver exploits to 1st victim computer
2. Repeat per victim computer:
• Encrypt file system
• Encrypt accessible networked file shares
• Move laterally: explore the network
• Deliver exploits to next victim via network
3. Wait for victim to call
4. Collect ransom
5. Supply decryption key
“Advanced
Persistent
Threat”,
Wikipedia

22. 1ST VICTIM: ATTACK TECHNIQUES (PARTIAL LIST)
• Email attachment
• Send a malicious email attachment
• Browser Drive-By-Download
• Host the malicious content on a website
• “Water-hole” technique
• Compromise a website the victim likely to visit
• Social Engineering
• Fool someone to do it for you
• Mobile malware
• Spread a malicious mobile application

23. EXPLORE THE COMPROMISED NETWORK
• Encrypting network shares:
→Requires network access from victim to file system
→Produces (unusual) network traffic
• Move Laterally:
• Find more devices, gain more access, encrypt more interesting data
→Requires network access from victim1 to victim2 to …
→Produces (unusual) network traffic

24. STEPPING STONES
2
4
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0

25. STEPPING STONES
2
5
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1

26. STEPPING STONES
2
6
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3

27. STEPPING STONES
2
7
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 0
Step 1 Step 2 Step 3
Pay $$$$ or lose data

28. 28 | Confidential
HIGH LEVEL SOLUTION

29. Umbrella blocks
the request
NGFW blocks
the connection
Email Security w/AMP
blocks the phishing
email
AMP for Endpoint
blocks the file
Umbrella blocks
the request (or file
download AMP)
NGFW blocks
the connection (or
file download AMP)
Cisco Ransomware Defense
Breaking the Kill Chain
Umbrella blocks
the request to
Encryption Key
Infrastructure
NGFW blocks
the connection
Umbrella Next-Gen Firewall AMP Endpoint
Email w/AMP
OR
Persist
Propagate
NetFlow
StealthWatch
AMP
Segmentation
ISE (RTC)
FW

30. THE FIRST STEP IS THE HARDEST
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
• Most ingenious step (social engineering, clever technical exploit delivery, …)
• Much of the attack is happening outside of your control
• Requires fancy defense technologies to mitigate

31. RECOMMENDATION #1: EDUCATION
• Educate you employees to identify malicious actors as we’ve
mentioned earlier
• Equip your self with tool that can help with these type of attack (hard
to find good tools)

32. MAKE LATERAL STEPS HARDER FOR ATTACKER!
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
Step 1 Step 2 Step 3

33. LATERAL STEPS
• The attacker is now on your turf
• Use your advantages:
• Control your network
• Know what traffic is usual and what is not

34. UNUSUAL – IN THE USUAL WAYS
• Lateral traffic is unusual – in the usual ways
• Communicating parties that never communicate
• Protocols & ports that are never used across security zones
• Firewalls are really good at blocking such traffic … as long as:
• There are firewalls in the traffic path
• The firewalls are properly configured

35. RECOMMENDATION #2: SEGMENTATION
• Define network zones
• Place firewalls to filter traffic between zones
• Write restrictive policies for traffic between zones

36. USE TECHNOLOGY YOU KNOW WELL
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet

37. SEGMENT THE NETWORK: INTERNAL FIREWALLS
Financial
Database
HVAC
Control
Partner
Network
Procurement
Department
Internet
• Place internal firewalls between network zones
• Use SDN virtualization technologies to filter traffic inside data center

38. RECOMMENDATION #3: PLAN
• Leverage a SIEM technology to quickly identify an attack is happening
• Create a playbook in your SOAR system with well defined step to stop
the attack
• Create a playbook in your NSPM to quickly isolate the infected server

39. Have you already started a micro-segmentation
project in your organization?
• Yes, we’ve completed our micro-segmentation project
• Yes, we are currently in the midst of a micro-segmentation
project
• No, but it is in our roadmap
• No, and we don’t plan to in the near future
39 | Confidential
POLL

41. WHAT TO DO NEXT?
ATTACHMENTS TAB
Connect with us on LinkedIn
Register for Part 2 of Ransomware Masterclass Webinar
Join the Raffle request a Ransomware Assessment Service
1 random winner will be selected for a free of charge assessment
Request your copy of:
• Cisco Zero Trust Security
• Ransomware Defense for dummies
Select

42. 42 | Confidential
Q&A
Let’s look at the
pollResults

43. 43 | Confidential
THANK YOU
HUIB KLAASSENS
BDM
JAN HEIJDRA
TECHNOLOGY EVANGELIST
YITZY TANNENBAUM
PRODUCT MARKETINGMANAGER