This document summarizes a talk by Maurício Harley on using Cisco FirePOWER to fight ransomware. He presents the WannaCry attack as a case study, discusses how ransomware works and spreads, and explains how Cisco's security ecosystem, including FirePOWER, can help prevent and respond to ransomware attacks.
Maurício Harley
July 04, 2017
Cisco Support Community Expert Series Webcast
FirePOWER against Ransomware
Agenda
Introduction
Brief case study: WannaCry
Cisco's security ecosystem
Introduction to FirePOWER
FirePOWER as a building block of the defense
Final considerations
Slide: Information vectors and the Internet edge (diagram; only the labels survive)
• Information vectors: URL, IP, DNS
Protect the Internet edge
I want to... stop threats at the edge, find and fix breaches, and increase bandwidth.
Components shown: Firewall, AVC, SSL decryption engine, NGIPS
• Static and dynamic NAT
• High availability
• High bandwidth
Zones shown: Private network, DMZ, Internet (www, DNS)
Actions shown: Block, Allow
Inspection shown: AMP file inspection, AMP Threat Grid, DNS sinkhole
Say that the statistics, although somewhat old, reflect trends that still hold.
Highlight the number of infections that arrive via e-mail.
Again, show the importance of e-mail as a ransomware infection vector. Stress that companies in every segment can be hit.
Explain that the chart is based on US East Coast time and draw attention to the red dots on the map.
Explain that this information is in the public domain and that the data is a little over one month old.
State that the evidence was found through forensic analysis of systems infected with WannaCry.
Draw attention to the Bitcoin wallet and to the encryption key.
State that both corporate and home users were affected. The malware was classified as a wiper, that is, it does not return the original files even after payment. It erases the first 10 sectors of the disk. Code analysis showed modifications to the original malware published in 2016.
Janus, creator of a RaaS (Ransomware as a Service) offering and author of the original Petya in 2016, expressed interest in helping last month's NotPetya victims. The "support" e-mail address in the current code is no longer available.
Explain that anonymous e-mail systems do not verify the user's identity in any way and that, precisely for that reason, the password normally cannot be recovered if it is lost. They claim that the message encryption key is the password created by the user and that they have no way to decrypt the content without it.
Explain that the chart was translated into Portuguese to aid comprehension.
Point out the parody of the motto on US currency. The Bitcoin values are LIBERTY, EQUALITY and TRUTH.
It is not known whether it was created by one person or by a group of programmers; this remains unknown to this day. Although it is said that there is a way to trace the blockchain, that has not happened so far.
Distribution is sold, because it comes embedded in specific hardware (covered later).
Many partners make up Cisco's ecosystem. Names such as AWS, AlienVault, Check Point, Citrix, F5, Microsoft, RSA and others round out the security products and services to deliver a complete solution that meets market needs.
http://www.cisco.com/c/m/en_us/products/security/technical-alliance-partners.html
SAFE, available at http://www.cisco.com/go/safe/, is a set of Cisco security architecture guides. It is constantly evolving. In its latest version it includes considerations for the environments shown. Note that FirePOWER applies to every one of these areas. SAFE rests on six pillars: Management, Security Intelligence, Compliance, Segmentation, Threat Defense and Secure Services.
Talos is Cisco's security intelligence center. It has research divisions that capture data from web requests, e-mail traffic, malware samples, distributed endpoints and network intrusions. Its responsibilities include software development, reverse engineering, vulnerability development, malware research, intelligence analysis, and spam and web reputation.
It is a complete, 50-page guide with architecture considerations for defending against ransomware. It is important to highlight the need for layered defense, which we will see shortly. The guide covers test and validation stages for environment scenarios, interaction with OpenDNS, Threat Grid screens, and configuration examples for FirePOWER, ESA and WSA.
Here we emphasize that defense against malware in general is achieved through layers. Just as cybersecurity is a concept spanning different areas, such as perimeter, identity, e-mail, web, behavior and wireless LAN (to name a few), the particular case of ransomware needs the same kind of approach. The drawing shows control sectors. Cisco has products and services covering each of them: Umbrella for DNS checking, WSA for web, ESA for e-mail, and FirePOWER, our star, for access control, inspection, sandboxing and attack mitigation. Let us also not forget AMP, which can be built into it.
Say that machine learning is made up of the elements in the chart alongside. Explain the concept of tracking and retrospective analysis of files that pass through the FirePOWER software.
Threat Grid is an advanced sandboxing and malware analysis solution that can be deployed as a standalone appliance, as a (cloud) service, or integrated into several products, such as FirePOWER.
AVC uses DPI (Deep Packet Inspection) technology to classify more than 1,400 applications. It also uses NetFlow for performance and usage statistics.
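The tracking-and-retrospection idea is easier to see in code. The block below is an added illustration written for this page, not Cisco AMP or FirePOWER code: every file that crosses the sensor is recorded with its hash and the verdict known at that moment, and when intelligence later reclassifies a hash as malicious, the recorded history yields a retrospective alert naming every host that already received the file. Hashes, host names and timestamps are constructed sample data.

```python
"""Trajectory tracking with retrospective detection (added example,
not Cisco AMP/FirePOWER code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FileEvent:
    ts: int            # transfer time, seconds since epoch (constructed)
    src: str           # where the file came from
    dst: str           # host that received the file
    sha256: str        # hash computed by the sensor at transfer time
    disposition: str   # verdict known at that moment: clean/unknown/malicious


@dataclass
class RetroAlert:
    sha256: str
    affected_hosts: List[str]
    first_seen: int


class FileTrajectory:
    """Records every file that crossed the sensor and re-evaluates that
    history whenever the intelligence for a hash changes."""

    def __init__(self, intel: Dict[str, str]):
        self.intel = dict(intel)          # sha256 -> disposition
        self.events: List[FileEvent] = []

    def observe(self, ts: int, src: str, dst: str, sha256: str) -> FileEvent:
        """Point-in-time decision: the verdict is whatever is known now;
        an unknown file is allowed through but remembered."""
        ev = FileEvent(ts, src, dst, sha256, self.intel.get(sha256, "unknown"))
        self.events.append(ev)
        return ev

    def update_intel(self, sha256: str, disposition: str) -> Optional[RetroAlert]:
        """Apply a new verdict. If a hash turns malicious, return a
        retrospective alert listing every host that already got the file."""
        previous = self.intel.get(sha256, "unknown")
        self.intel[sha256] = disposition
        if disposition != "malicious" or previous == "malicious":
            return None
        past = [e for e in self.events
                if e.sha256 == sha256 and e.disposition != "malicious"]
        if not past:
            return None
        return RetroAlert(sha256,
                          sorted({e.dst for e in past}),
                          min(e.ts for e in past))


def run_demo() -> Optional[RetroAlert]:
    """Constructed scenario: a dropper is unknown when it arrives by mail,
    is copied laterally, and is flagged by the sandbox later."""
    DROPPER = "a" * 64        # placeholder hash, not a real sample
    INVOICE = "b" * 64
    tracker = FileTrajectory({INVOICE: "clean"})
    tracker.observe(1000, "mail-gw", "ws-017", DROPPER)   # passes as unknown
    tracker.observe(1000, "mail-gw", "ws-017", INVOICE)
    tracker.observe(1600, "ws-017", "ws-042", DROPPER)    # lateral copy
    tracker.observe(1900, "ws-042", "fs-01", DROPPER)
    tracker.update_intel(INVOICE, "clean")                # unchanged verdict
    return tracker.update_intel(DROPPER, "malicious")     # retrospective alert


if __name__ == "__main__":
    print(run_demo())
```

The point of the retrospective event is the list of hosts, not the verdict itself: it is the input to containment (quarantine of ws-017, ws-042 and fs-01 in the scenario) for a file that was not blocked when it first passed.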
The Cisco Firepower NGFW is well-suited to address your toughest security and networking challenges.
Today, we'll go over the following ways the Cisco Firepower NGFW can be used to help your business:
Acceptable use, to enforce proper application and web usage on your network
Internet Edge, to secure your network's web-connected endpoints
Cloud Data Center Edge, to keep threats out of your online data center
Local Data Center, to protect your on-premises data center
ACI Integration, to enforce consistent policies on your application centric infrastructure
Complex remote access, to safely extend network access to branch offices and remote users
Campus NGFW, to keep threats out of your campus security domain
Rapid Threat Containment, to remediate breaches as soon as they occur
The first use case we'll consider is _______.
This solution would include one or more Firepower NGFW appliances with Firepower Management Center.
In this scenario the Cisco Firepower NGFW would help you block threats at the Internet Edge, identify and remediate breaches when they do occur, and do all this while maintaining high bandwidth.
The solution meets key connectivity and availability requirements. The firewall is built for high availability, supports routed mode, and comes with port-channel support for interface redundancy and link aggregation. It also supports dynamic routing with OSPF or BGP.
Most importantly, the Firepower NGFW will meet your most stringent security requirements. It supports single context mode, dynamic NAT/PAT or static NAT, as well as industry-leading firewall capabilities. Cisco Firepower NGFW comes with SSL decryption, identity-based Application Visibility and Control, URL filtering, Next-generation IPS, Advanced Malware Protection, and real time security intelligence updates from Talos via IP-, URL-, and DNS-based feeds.
The Cisco Firepower NGFW is uniquely able to protect your company at the internet edge.
The next business-critical use case we'll cover is ______.
This requires a virtual appliance, the Firepower NGFWv. We offer this virtual appliance in two form factors: Amazon Web Services and VMware vSphere.
In this case, the Cisco Firepower NGFW would extend trusted and highly secure firewall to the cloud.
The NGFW offers high availability for redundancy, can be deployed in both routed and transparent mode, and supports both North-South and East-West deployments. It includes support for security and networking technologies like VPC and VXLAN, and it further supports integration of the firewall into the data center environment with dynamic routing protocols like OSPF and BGP, nonstop forwarding, and graceful restart.
In addition, the Cisco Firepower NGFW meets the same stringent security requirements as in the Internet Edge use case, offering single- or multi- context mode, as well as industry-leading firewall services. The Cisco Firepower NGFW delivers SSL decryption, identity-based AVC, NGIPS, and AMP. It integrates with TrustSec to ensure the incoming traffic from user communities can be trusted. Finally, it receives URL-, IP-, and DNS-based security intelligence feeds, which provide up-to-date protection against known threats, such as Command-and-Control.
The Cisco Firepower NGFW is the answer to securing your cloud data center at the edge.
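The DNS-based feed mentioned above is typically enforced by sinkholing: the firewall rewrites the answer for a blocklisted name to an address it controls, so the infected host reveals itself when it connects there. The block below is an added illustration written for this page, not Firepower or Umbrella code. The sinkhole address, the blocklist entries and the traffic are all constructed; the design point it demonstrates is that the DNS query usually arrives from the internal recursive resolver, so the later connection to the sinkhole address, not the query, is what identifies the victim.

```python
"""DNS sinkhole driven by a domain blocklist (added example, not Cisco code)."""
from typing import List, Set, Tuple

# Assumed: an internal address no legitimate service uses, so any
# connection to it comes from a host that resolved a blocked name.
SINKHOLE_IP = "10.255.255.1"


class DnsSinkhole:
    def __init__(self, blocklist: List[str]):
        self.blocklist: Set[str] = {d.lower().rstrip(".") for d in blocklist}
        self.dns_hits: List[Tuple[str, str]] = []       # (querier, qname)
        self.connections: List[Tuple[str, str]] = []    # (client, dst)

    def matches(self, qname: str) -> bool:
        """True if the name or any parent zone is listed: feeds usually
        list zones, and C2 infrastructure rotates the subdomain."""
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocklist
                   for i in range(len(labels)))

    def answer(self, querier_ip: str, qname: str, upstream_answer: str) -> str:
        """Rewrite the A record for blocked names; pass everything else."""
        if self.matches(qname):
            self.dns_hits.append((querier_ip, qname))
            return SINKHOLE_IP
        return upstream_answer

    def observe_connection(self, client_ip: str, dst_ip: str) -> None:
        self.connections.append((client_ip, dst_ip))

    def infected_hosts(self) -> List[str]:
        """The querier is normally the internal resolver, so dns_hits alone
        does not name the victim; the host that connects to the sinkhole does."""
        return sorted({c for c, d in self.connections if d == SINKHOLE_IP})


def run_demo() -> Tuple[List[str], List[str]]:
    # Constructed feed and traffic; none of these are real indicators.
    sink = DnsSinkhole(["c2.example", "beacon-cdn.test."])
    resolver = "10.0.0.53"
    answers = [
        sink.answer(resolver, "www.example.org", "198.51.100.5"),
        sink.answer(resolver, "x7k.c2.example", "203.0.113.9"),   # subdomain of a listed zone
        sink.answer(resolver, "BEACON-CDN.TEST", "203.0.113.10"),  # case-insensitive
        sink.answer(resolver, "notc2.example", "203.0.113.11"),    # label match, not substring
    ]
    # The victim connects to the address it was given, i.e. the sinkhole.
    sink.observe_connection("10.0.5.21", SINKHOLE_IP)
    sink.observe_connection("10.0.5.22", "198.51.100.5")
    return answers, sink.infected_hosts()


if __name__ == "__main__":
    print(run_demo())
```

Returning NXDOMAIN instead of a sinkhole address would block the same names but lose the second half of the picture: with only the resolver's IP in the DNS log, the endpoint to contain stays unknown.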
Next, we'll describe how the ______ use case can help your business.
This would include one or more Firepower NGFW appliances, typically physical, but also available as virtual appliances.
In this scenario, the NGFW is able to reduce the company's attack surface and detect threats to keep the on-premises data center secure.
The Cisco Firepower NGFW satisfies crucial connectivity and availability requirements, such as high availability for redundancy, dynamic NAT/PAT or static NAT, and support for both North-South and East-West deployments. The firewall supports both intra- and inter-chassis clustering, as well as fail-to-wire functionality. It also comes in high-bandwidth options, with our new Firepower 4100 and 9300 platforms offering 10 Gbps and 40 Gbps throughput, as well as flow offload (fast path) support.
In terms of security, the NGFW features single context mode, TrustSec Security Group Tags, SSL decryption, AVC, NGIPS, and AMP. It also comes with IP-, DNS-, and URL-based security intelligence connections that provide command and control protection.
The Cisco Firepower NGFW is the right solution for securing your local data center at the edge.
Next, we'll show how the ______ use case can meet your business needs.
This solution involves several Firepower NGFW appliances with Firepower Management Center. Here, in addition to a firewall at the data center edge, there are also firewalls between the campus core and distribution, or between the distribution and access edge.
In this scenario, the Cisco Firepower NGFW would protect the campus security domain against threats while maintaining the high throughput required by the campus distribution.
The NGFW meets important network needs, with high availability, routed or transparent mode, and dynamic routing support. The Firepower 4100 and 9300 provide the high-bandwidth interfaces that make either of them the platform of choice for this use case. The ASA 5585 is also an ideal candidate, with support for up to 16-way clustering.
The Cisco Firepower NGFW satisfies key security requirements, offering firewall support between security domains within the campus or campus edge. The NGFW enables single context mode, and boasts the same industry-leading features we have been discussing: TrustSec Security Group Tag support, VPN, identity-based AVC, NGIPS, AMP, and URL-, IP-, and DNS-based security intelligence.
The Cisco Firepower NGFW is well-suited for securing large campus security domains.
Next, we'll discuss how the ______ use case can address your network and security challenges.
In this scenario, the Cisco Firepower NGFW would help you enforce several business-critical controls.
You can prevent your employees and guests from visiting inappropriate sites based on Cisco reputation scoring of millions of URLs and 4,000+ applications. This includes in-house as well as web-based applications, and the reputation scoring can also be extended to custom applications.
You can block access to sites that have been found to serve potentially harmful files or applications, using security intelligence feeds that keep the firewall updated on the latest threats.
You can stop command-and-control in its tracks, as well as other phone-home traffic to malicious sites.
You can perform traffic control and prioritization to limit the amount of bandwidth various applications and micro-applications consume, such as video streaming.
All of these controls are enforceable by user or group. For example, you can limit what people in sales can post to social media, while granting unrestricted access to people in marketing.
The Cisco Firepower NGFW’s unique feature set is ideal for enforcing acceptable use.
Next, we'll cover how the _____ use case can benefit your business.
In this case, the Cisco Firepower NGFW can keep watch for unwanted traffic, while extending that patrol to multiple locations.
You can not only secure encrypted communications across one or more remote locations using VPN, but also apply the full NGFW controls and protections to that traffic, including TrustSec Security Group Tag support, identity-based AVC, NGIPS, AMP, and URL-, IP-, and DNS-based security intelligence.
The NGFW’s market-leading VPN capabilities include both site-to-site and remote access. Remote access VPN grants remote users protected access to your sites, while site-to-site VPN enables secure connections between branch offices as well as to third parties. These capabilities are covered by the AnyConnect Secure Mobility Client, as well as by third-party VPN clients.
The Cisco Firepower NGFW’s industry-leading features are well-suited to flexibly extending secure remote access.
Next, we'll cover how the _____ use case can benefit your business.
In this scenario, the Cisco Firepower NGFW would integrate with Cisco Application Centric Infrastructure (ACI) to protect your data center with automated policy-based security.
The Cisco ACI policy model provides flexible segmentation options within the data center, so you can choose how to segment based on business or application requirements. ACI is based on the Cisco Nexus 9000 family of switches along with a central management control point, the Application Policy Infrastructure Controller (APIC). The APIC manages and configures policies on each of the switches in the ACI fabric and offers a unified automated approach to policy management for data centers.
Cisco Firepower has been fully integrated into the ACI APIC controller for unified network and security policy orchestration and control. This ACI integration with Firepower NGIPS, AVC, and AMP provides automated security to dynamically detect advanced attacks, and to automate mitigation and incident response.
This Firepower ACI solution uses “Policy APIs” to enable fully automated advanced security that can tie security services to any workloads (Virtual, Containers, Physical) in the data center, or stitch them into any service chains. This integration provides agility for enabling security policies within the data center, minimizing coverage gaps due to security service provisioning delays.
Some of the benefits of this solution include:
Agile Provisioning: Because application flows within an ACI environment change dynamically, Firepower security can be deployed as a service for any transaction flow, completely independent of the underlying topology.
Unified Configuration and Visibility: ACI management tools provide a single point of network and security management, provisioning of security-as-a-service, flow policy control, and monitoring for a unified view of the infrastructure, while allowing for the contextual re-use of common security elements in an end-to-end design.
Policy Set Simplification: In traditional, topology-oriented environments, policy rules like security controls are either pushed as a complete rule set or administrators have to manually build custom rule sets for each device. With a services-based approach like ACI, each service element can be contextually programmed with only those security rules that are relevant to its specific transactions, creating a truly distributed and simplified policy set.
Integrating Cisco Firepower with ACI allows the early detection and mitigation of sophisticated attacks by enabling better visibility and awareness, malware containment and control, and threat detection, mitigation, and incident response. Organizations can take a holistic, system-based approach to data center security, leveraging a common policy-based operational model across ACI-ready networks, thereby reducing cost and complexity without compromising security.
The next use case we'll discuss is ______.
Here, you can see an example of Rapid Threat Containment in action.
In the use case illustrated here, Firepower Management Center monitors the activity of authorized users across all approved devices as traffic moves through the NGFW. When Firepower Management Center detects suspicious activity, malware, or any other potential threat, it alerts ISE using pxGrid.
Then, it automatically enforces your security policy. Here, the platform draws on the Cisco TrustSec capabilities in ISE, such as Security Group Tags (SGTs) that can be enforced on Cisco routers, switches, security appliances, and wireless controllers in the network. You can assign TrustSec SGTs to designate anomalous traffic as “suspicious”. Based on that new SGT, ISE automatically enforces policy on the network.
According to policy, the device is contained for remediation or mitigation.
The Cisco Firepower NGFW is ideally suited for implementing Rapid Threat Containment.