www.sangfor.com Sangfor Technologies Inc.
Sangfor's Answer to Ransomware
When Ransomware Calls - Sangfor Answers
Jason Yuan
VP for Product & Marketing
Sangfor Technologies
Sangfor Technologies Page 1
PART 1 The Threat
The Threat
91% - Cyber attacks that begin with phishing (TrendMicro)
363% - Annual increase in ransomware attacks (Malwarebytes)
350K - New malicious malware samples seen every day (AV Test)
$2.4M - Average cost of a malware attack to a company; the longer discovery of a breach takes, the more it costs. (Accenture)
What is Ransomware?
Ransomware is a form of malware that hijacks a victim’s
system and encrypts the data files. The attacker then
demands a ransom from the victim to restore access to the
data upon payment.
Users are shown instructions how to pay the ransom fee in
exchange for the decryption key. Ransoms range from a
few hundred dollars to thousands, usually payable to
cybercriminals in Bitcoin.
Attacks Bypass Traditional & Next Generation Antivirus
In a recent Barkly survey of companies that suffered ransomware attacks in the past 12 months:
o 100% of customers were running anti-virus
o 95% of attacks bypassed traditional firewall
o 77% of attacks bypassed email security
WannaCry Ransomware infected 200,000
machines in four days across 150 countries.
Ransomware Transmission Methods
Ransomware typically uses one of four primary methods for transmission and implantation:
Phishing
• Malicious code inside email attachments, which victims open, thereby infecting the PC
• Malicious scripts or code downloaded via an embedded web link
Cases: Locky, Petya variant
Target: Windows
Worm
Malware which “worms” its way through a network, taking advantage of vulnerabilities and weak passwords and replicating itself as it travels.
Cases: WannaCry, Petya variant
Target: Windows
Exploit Kit
A “hacker package” designed to seek out vulnerabilities in software installed on a device, infiltrate these vulnerabilities to gain access to the system, and drop a malware payload into the system.
Case: Cerber
Target: Servers with vulnerabilities
System Vulnerability
Designed to crack RDP ports, SSH ports, database ports, SMB ports, etc.
Case: GlobeImposter variant
Target: Servers with vulnerabilities
Ransomware Intranet Attack Process
Data Encryption: Ransomware encrypts target file types
Ransom Demand: A dialogue box pops up to demand a ransom for the encrypted files
Network Scan: Vulnerability scanning of internal network hosts
Intranet Communication: Uses intranet hosts with vulnerabilities to spread ransomware
TSMC Exposed to Ransomware
Event Profile:
• The largest semiconductor company in Taiwan
• Company statement shows the ransomware came from a newly
connected computer
• TSMC's stock dropped 15.2% in 3 days
• TSMC announced that luckily, their core codes weren’t lost
• Considered the most serious WannaCry attack globally, as of 2018
Date: August 3rd - 6th, 2018
Loss: 370M USD
Industry: Manufacturing
PART 2 Ideal Protection
Against Ransomware
Adaptive Security Model
Continuous Monitoring and Analytics at the center of four phases:
Predict
• Proactive Exposure Analysis
• Predict Attacks
• Baseline Systems
Prevent
• Harden and Isolate Systems
• Divert Attackers
• Prevent Incidents
Detect
• Detect Incidents
• Confirm and Prioritize Risk
• Contain Incidents
Respond
• Remediate/Make Change
• Design/Model Change
• Investigate/Forensics
PART 3 How to Defend
Against Ransomware
A Different Approach for Defending Endpoints
Revolutionary AI Detection
Continuous Monitoring/Learning
Self-Evolution
Unknown Threat Detection
No-Feature Technology
Threat Attack Protection
Advanced Intelligence Detection
Comprehensive Protection
Integrated Control
Effective Adaptation
Comprehensive Protection
Flexible Response
Fast Closed Loop Security
Collaborative Intelligence
Threat Situational Awareness
World-class Malware Analysis and Detection
Emphasis on Response
Emphasis on Containment and Mitigation
Risk Protection for Ransomware
• Risk Driven • Full Protection • Active Defense
Infected? C&C Communication Encryption Lateral Propagation
Endpoint Secure IAM
• Ransomware Detection
• Malicious Domain
• C&C Servers
Ransomware/APT
• Detection
• Blocking
• Disinfection
• Connection Analysis
• Malware Containment
Ransomware
Platform-X MSS
Cloud
NGAF
Incident Response
Services
• Integrated Management
• Situational Threat Awareness
• Global/Local
• Threat Intelligence
• AI Engine
• Automated Sandbox Cluster
Neural-X
Adaptive Malware Response
Value Proposition: Asset-centric, targeted defense, continuous detection, and collaborative response
to respond to breaches quickly.
Endpoint Assets
Lightweight, Intelligent, Responsive
Baseline
Verification
Visualization
Continuous Realtime Assessment
Closed-Loop Collaboration
Vulnerability
Scanning
Prevention Prediction Detection Response
Ransomware
Detection
Intrusion
Detection
Compliance
Review
One-click
Kill
One-click
Isolation
Attack
Trace
Linked
Response
Predictive Attack Capability with Engine Zero
• Comprehensive, High-Quality Malware Database
• Malware Family DNA Fingerprint Identification
• Multiple Expert Algorithms Refine Ideal Identification
• AI Models Continuous Self-Study in Cloud Engine
• Fast Iterative Self-Updating Learning Mechanisms
• AI + Rules Identify Optimal Response to Known Threats
High Detection, Low False Positive Rate
Detection engines: File Reputation Detection Engine, Gene Characteristics Detection Engine, Behaviour Analysis Detection Engine, AI Detection Engine, Neural-X Detection Engine
Predict
Identify Unknown Malware Powered by AI
[Chart: detection rate and false-positive rate for Sangfor Engine Zero, Open Source AV and Market Benchmark; detection values shown: 61.4%, 99.65%, 32%; false-positive values shown: 0.1%, 0.04%, 0.09%]
Sangfor Engine Zero AI Malware Detection Engine
Innovative Unique AI Technology
High Detection Accuracy
Low False Positive Rate
GlobeImposter Ransomware Zero-Day Detection
99.65% Accuracy with Unknown Malware Detection
>99.9% Accuracy with Known Malware Detection
Predict
Ransomware Verification
Detect
Neural-X Forensic Capabilities
Detect
Detection
NGAF Network View
Risks to both PCs and servers are visible
Endpoint Secure Client View
Detect
Identify Communications Between Endpoints
Tracking Abnormal Network Behavior
NGAF discovers malicious network behavior and traces the origin using Endpoint Secure to locate abnormal files, backdoors, toolkits, etc.
Detect
Prevention
Prevent
Ransomware Honeypot
1. Bait files are placed in system-critical, high-target and random directories
2. Encryption of bait files highlights the running encryption process
3. Endpoint Secure kills the encryption process to block encryption
4. Malware controlling the encryption is identified and mitigated
Protect Agent
After analysis of the encryption order of tens of thousands of ransomware samples, key directories with a high probability of being targeted for encryption are identified.
[Diagram: bait files marked "Cannot be encrypted" among user files marked "Encrypted" and "Encrypting..."]
Prevent
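As an added illustration of the bait-file idea above (example code, not Sangfor's Endpoint Secure), this Python monitor plants low-entropy decoy files in chosen directories, baselines their hashes, and reports any bait that is deleted or rewritten, calling a high-entropy rewrite "encrypted". The bait name, the decoy text and the random-byte stand-in for a ransomware write are constructed; identifying and killing the writing process is OS-specific and not shown.

```python
import hashlib, math, os, secrets, tempfile
from collections import Counter
BAIT_NAME = "budget_2018.docx"  # constructed decoy name, chosen to look worth encrypting


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit close to 8.0."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_bait(directories):
    """Write one low-entropy bait file per directory; return {path: sha256}."""
    payload = b"Quarterly budget draft, do not distribute.\n" * 64
    baseline = {}
    for d in directories:
        path = os.path.join(d, BAIT_NAME)
        with open(path, "wb") as f:
            f.write(payload)
        baseline[path] = hashlib.sha256(payload).hexdigest()
    return baseline


def check_bait(baseline, entropy_threshold=7.0):
    """Return (path, verdict) for each bait file that is no longer intact."""
    findings = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "deleted"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched: nothing has rewritten this directory
        verdict = "encrypted" if shannon_entropy(data) > entropy_threshold else "modified"
        findings.append((path, verdict))
    return findings


def simulate_encryption(path):
    """Stand-in for a ransomware write: overwrite the bait with random bytes."""
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(2048))


def demo():
    """Plant bait in two temp dirs, encrypt one, delete the other; return both reports."""
    with tempfile.TemporaryDirectory() as docs, tempfile.TemporaryDirectory() as desk:
        baseline = plant_bait([docs, desk])
        before = check_bait(baseline)
        simulate_encryption(os.path.join(docs, BAIT_NAME))
        os.remove(os.path.join(desk, BAIT_NAME))
        after = [verdict for _, verdict in check_bait(baseline)]
    return before, after
```

A real agent would run check_bait on every write notification for the bait directories rather than on demand, so the first encrypted bait is caught while the encryption process is still running.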
Response
Respond
Security Butler
Providing Security Expertise for Organizations that Need It
• Full security event visibility
• Customized Security Policy
• Expert Security Level
• 24/7 Monitoring
• Real-time active response
Professional Security
• Experts Online
• Unified Security Management
Respond
One-Click Kill
Respond
Endpoint Secure Manager
One click mitigation for the entire network
Find one infection, quickly scan the network for more
Micro-isolation Reduces Threat Propagation
Access control for different roles
Business A / Business B
Department A / Department B
Security isolation and access control for different business systems
Security isolation at different terminals
Security isolation and access control in concert with IAM
Data Center, Business Area, Intranet office area
Respond
Simpler Smarter Monitoring
Multi-Dimensional Response
Malware Sandbox
Ransomware Honeypot
Network-Wide Threat Disposal
NGAF/IAM Integration
One-Click/Automatic Host Micro-Isolation
One-Click/Automatic File Disposal/Restore
Threat Intelligence
Global Whitelists/Blacklists
Compliance
Asset Tracking
Vulnerability Scanning
Patch Management
Respond
Simplified Security Operation
One Click Mitigation
Vulnerability Scan with Remediation
Informative Visual Dashboard & TI
Respond
PART 4 Sangfor Ransomware
Offerings
Sangfor SIP
[Diagram: SIP receives External Threat Intelligence and telemetry from NTA Sensors, NGAF and EDR (Server) in the Data Center and Branch office over the WAN; analysis by Behavior Analysis, ML, UEBA and Specialists]
Visibility for Operation and Visibility for Management, answering: Am I safe now? Where am I at risk? What’s the impact? How do I fix it?
Threat Intelligence
Security Operations for the Enterprise
Standard Ransomware Solution
Cloud (Neural-X & Security Butler)
• Cloud Monitoring Service: Detecting existing exploits or vulnerabilities like RDP port exposure, deserialization vulnerabilities and EternalBlue vulnerabilities.
• Cloud Threat Intelligence: Pushing the latest ransomware intelligence.
• Deploy Security Butler: Security operation center controlling policy optimization & customization, advanced threat analysis and guidance, and security expert services.
Network
• Deploy Border Security Devices: Block web exploits/RDP brute force attacks.
• Configure Protection Device to Associate with the Cloud Reputation: Directly block outbound C&C host behavior and malicious file downloads based on IP/file reputation.
Endpoint
• Endpoint Secure: Early detection of vulnerable hosts that are easily exploited by ransomware.
• Scan endpoints regularly for ransomware.
• Real-time, AI-powered analysis of ransomware behavior.
• Immediate isolation of infected hosts to avoid widespread infection.
Enterprise Ransomware Detection Framework
[Diagram: Cloud (Neural-X & Security Butler) above Network (NGAF and IAM at the perimeter/domain, core switch, security management zone with security software and a security operation display) above Endpoint (Endpoint Secure Protect Agent in the office and in the data center)]
Enterprise Ransomware Solution
Cloud (Neural-X)
• Cloud Monitoring Service: Detecting existing exploits or vulnerabilities like RDP port exposure, deserialization vulnerabilities and EternalBlue vulnerabilities.
• Cloud Threat Intelligence: Pushing the latest ransomware intelligence.
Network
• Deploy Border Security Devices: Block web exploits/RDP brute force attacks.
• Configure Protection Device to Associate with the Cloud Reputation: Directly block outbound C&C host behavior and malicious file downloads, based on IP/file reputation.
• Deploy SIP: Link network data and terminal data to jointly analyze suspicious behavior, monitor in real time and provide early warning of any threats.
Endpoint
• Endpoint Secure: Early detection of vulnerable hosts that are easily exploited by ransomware.
• Scan endpoints regularly for ransomware.
• Real-time, AI-powered analysis of ransomware behavior.
• Immediate isolation of infected hosts to avoid widespread infection.
Standard Ransomware Detection Framework
[Diagram: Cloud (Neural-X) above Network (NGAF and IAM at the perimeter/domain, core switch, security management zone with security software, SIP and a security operation display) above Terminal (Endpoint Secure Protect Agent in the office and in the data center)]
Ransomware Incident Response Services
Business Recovery
• Locating infection and
stopping spread
• Remediation planning
Assessment & Forensics
• Identify root cause
• Security Gap Analysis
• Response planning
Customized Solutions
• Vertical based
• Compliance based
• Tailored to unique needs
Highly Trained Incident Response Team
Case Studies
Customer A: Government
Country: China
Ransomware: WannaCry
Response timeline: Recover backups (1 hour) - Confirm ransomware strain and infected files (30 mins) - Install Endpoint Secure to remediate ransomware (2 hours)
Customer B: Education
Country: Malaysia
Ransomware: GandCrab V2.1
Response timeline: Recover backups (5 mins with Sangfor HCI) - Confirm ransomware strain and infected files (30 mins) - Install Endpoint Secure to mitigate ransomware (2 hours)
Customer C: Enterprise
Country: UAE
Ransomware: Phobos
Response timeline: Confirm ransomware strain and infected files (30 mins) - Install Endpoint Secure to remediate ransomware (2 hours) - Vulnerability scanning (2 hours)
THANK YOU