Live Demo: Detect Ransomware Before it’s Too Late with AlienVault USM

Upload: alienvault

Post on 12-Jul-2015


About AlienVault

AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats.

Agenda

• The changing threat landscape

• Ransomware 101

• Tips to mitigate these threats

• Demo: Using USM to Detect Ransomware

• Correlation directives

• Detecting communications with the C&C server

• Incident investigation

Threat landscape: Our new reality

• More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.

• The number of organizations experiencing high profile breaches is unprecedented.

• The “security arms race” cannot continue indefinitely as the economics of securing your organization is stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.

84% of organizations breached had evidence of the breach in their log files…

Source: Verizon Data Breach Report, 2013

“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”

- James Routh, 2007, CISO, Depository Trust Clearing Corporation

“How would you change your strategy if you knew for certain that you were going to be compromised?”

- Martin Roesch, 2013, Founder & CTO Sourcefire, Author of SNORT

Prevention is Elusive

Prevent Detect & Respond

The basics are in place for most companies… but this alone is a ‘proven’ failed strategy.

New capabilities to develop: get (very) good at detection & response

Ransomware 101

• Malicious payload restricts access to files and demands ransom paid to recover them

• First known example (“AIDS/PC Cyborg” trojan) seen in 1989

• Ransomware sightings picked back up in 2005 (Gpcode (.AG, .AK), Archiveus, etc.)

• Using more and more complicated encryption schemes

• 2013 – CryptoLocker puts ransomware “on the map”

• 10/15/2013 – 12/18/2013 – estimated $27m extorted

• 6/2014 - ZeuS botnet eventually seized by US DOJ

• Still seeing variants today (CL v2.0, CryptoLocker.F, TorrentLocker…)

Ransomware in 4 Easy Steps

1. Malware delivered via email or drive-by

2. File executes & compromises system

3. Trojan connects with C&C server

4. Encryption & notification of user begins

Mitigation

• Especially with today’s variants, you will not be able to decrypt your data via conventional means. Here are some steps to take to thwart these attacks:

• Back up your data… OFTEN

• Educate your users about malicious emails/attachments

• Keep operating systems and applications updated

• Keep endpoint protection up to date

Firewalls/Antivirus are not enough

• Firewalls are usually not the target – too difficult to effectively penetrate

• Endpoints are the target, usually via email, URL redirects, misc. malicious files, etc.

• With 160,000 new malware samples seen every day, antivirus apps will not find every threat

• Needs to be bolstered by regular and comprehensive monitoring

Built-In, Essential Security Capabilities

USM Platform

ASSET DISCOVERY

• Active Network Scanning

• Passive Network Scanning

• Asset Inventory

• Host-based Software Inventory

VULNERABILITY ASSESSMENT

• Continuous Vulnerability Monitoring

• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING

• Log Collection

• Netflow Analysis

• Service Availability Monitoring

SIEM

• SIEM Event Correlation

• Incident Response

INTRUSION DETECTION

• Network IDS

• Host IDS

• File Integrity Monitoring

AlienVault Labs Threat Intelligence

• Weekly updates to correlation directives to detect emerging threats

• Recent updates related to Ransomware threats:

• System Compromise, Ransomware infection, VirLock

• System Compromise, Ransomware infection, TorrentLocker

• System Compromise, C&C Communication, TorrentLocker SSL

• System Compromise, Malware Infection, Cryptowall(Expanded Detection Technique)

• System Compromise, Malware Infection, Cryptolocker(Expanded Detection Technique)

• System Compromise, Malware Infection, CoinVault

• System Compromise, Malware Infection, CoinLocker

888.613.6023 | ALIENVAULT.COM | CONTACT US

Now for some Questions…

Twitter: @alienvault

Test Drive AlienVault USM

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Check out our 15-Day Trial of USM for AWS

https://www.alienvault.com/free-trial/usm-for-aws

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site