This document discusses how to detect ransomware before it's too late using AlienVault USM. It begins with an introduction to AlienVault and the agenda. It then discusses the changing threat landscape and prevalence of ransomware. The basics of how ransomware works are explained in 4 steps. Mitigation tips are provided such as backing up data often and keeping systems updated. It is noted that firewalls and antivirus alone are not enough and comprehensive monitoring is needed. The security capabilities of USM are overviewed. Recent AlienVault threat intelligence updates related to ransomware detection are listed. Questions are solicited and options to test drive USM provided.

1. Live Demo: Detect Ransomware Before
it’s Too Late with AlienVault USM

2. About AlienVault
AlienVault has unified the
security products, intelligence
and community essential for
mid-sized businesses to
defend against today’s
modern threats

3. Agenda
• The changing threat landscape
• Ransomware 101
• Tips to mitigate these threats
• Demo: Using USM to Detect Ransomware
• Correlation directives
• Detecting communications with the C&C server
• Incident investigation

4. Threat landscape: Our new reality
• More and more organizations are finding
themselves in the crosshairs of various bad
actors for a variety of reasons.
• The number of organizations experiencing high
profile breaches is unprecedented.
• The “security arms race” cannot continue
indefinitely as the economics of securing your
organization is stacked so heavily in favor of
those launching attacks that incremental
security investments are seen as impractical.
84%
of organizations breached
had evidence of the
breach in their log files…
Source: Verizon Data Breach Report, 2013

5. “There are two types of
companies that use computers.
Victims of crime that know they
are victims of crime and victims
of crime that don’t have a clue
yet.”
“How would you change your
strategy if you knew for certain
that you were going to be
compromised?”
- James Routh, 2007
CISO Depository Trust Clearing Corporation
- Martin Roesch, 2013
Founder & CTO Sourcefire, Author SNORT
Prevention is Elusive

6. Prevent Detect & Respond
The basics are in
place for most
companies…but
this alone is a
‘proven’ failed
strategy.
New capabilities to develop
Get (Very) good at detection & response

7. Ransomware 101
• Malicious payload restricts access to files and demands ransom paid to
recover them
• First known example (“AIDS/PC Cyborg” trojan) seen in 1989
• Ransomware sightings picked back up in 2005 (Gpcode(.AG, .AK),
Archiveus, etc.
• Using more and more complicated encryption schemes
• 2013 – CryptoLocker puts ransomware “on the map”
• 10/15/2013 – 12/18/2013 – estimated $27m extorted
• 6/2014 - ZeuS botnet eventually seized by US DOJ
• Still seeing variants today (CL v2.0, CryptoLocker.F,
TorrentLocker…)

8. Ransomware in 4 Easy Steps
1. Malware delivered via email or
drive-by
2. File executes & compromises
system
3. Trojan connects with C&C server
4. Encryption & notification of user
begins

9. Mitigation
• Especially with today’s variants, you will not be able to decrypt your data via
conventional means. Here are some steps to take to thwart these attacks:
• Backup your data… OFTEN
• Educate your users about malicious emails/attachments
• Keep operating systems and applications updated
• Keep endpoint protection up to date

10. Firewalls/Antivirus are not enough
• Firewalls are usually not the target – too difficult to effectively penetrate
• Endpoints are the target, usually via email, url redirects, misc malicious
files, etc.
• With 160,000 new malware
samples seen every day,
antivirus apps will not find
every threat
• Needs to be bolstered by
regular and comprehensive
monitoring

11. Built-In, Essential Security Capabilities
USM Platform
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY
ASSESSMENT
• Continuous
Vulnerability Monitoring
• Authenticated /
Unauthenticated Active
Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SIEM
• SIEM Event Correlation
• Incident Response
INTRUSION DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring

12. AlienVault Labs Threat Intelligence
• Weekly updates to correlation directives to detect emerging threats
• Recent updates related to Ransomware threats:
• System Compromise, Ransomware infection, VirLock
• System Compromise, Ransomware infection, TorrentLocker
• System Compromise, C&C Communication, TorrentLocker SSL
• System Compromise, Malware Infection, Cryptowall
(Expanded Detection Technique)
• System Compromise, Malware Infection, Cryptolocker
(Expanded Detection Technique)
• System Compromise, Malware Infection, CoinVault
• System Compromise, Malware Infection, CoinLocker

13. 888.613.6023
ALIENVAULT.COM
CONTACT US
HELLO@ALIENVAULT.COM
Now for some Questions..
Questions? Hello@AlienVault.com
Twitter : @alienvault
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Check out our 15-Day Trial of USM for AWS
https://www.alienvault.com/free-trial/usm-for-aws
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site