
, Cisco

, Cisco
, Berezha Security


Nyetya

Q&A



Timeline
2014-2015: BlackEnergy, BlackEnergy 0-day
2016
2017: WannaCry
Counts by country code (chart data from the slide):
RU 25855
CN 22986
TW 7614
UA 5966
US 5054
CA 3087
KR 2195
FR 1712
IN 1394
BR 1132
HK 943
JP 656
GB 651
DE 546
PL 518
CL 517
MX 480
IT 436
VN 430
AM 403
KZ 397
RO 363
AR 362
MD 337
PH 330
TH 277
2017: Nyetya (Petya.A)

Cisco Talos The MeDoc Connection


http://www.cisco.com/c/dam/global/ru_ua/solutions/security/ransomware/pdfs/cisco_blog_ransomware_attack_ua_upd4-graphics.pdf
Nyetya/Petya figures (slide; labels not preserved):
10%
Petya.A
$850 (Lloyd's)
1/3
0.2-0.5%

Nyetya: the Cisco Talos timeline, 27 June 2017
21:33
11:00-12:00
17:50
(12:00-16:00)
Talos



Propagation techniques:
EternalBlue (the SMB exploit used by WannaCry)
EternalRomance (from the ShadowBrokers leak)
wmic.exe (Windows Management Instrumentation command line, part of Windows)
PsExec.exe (Sysinternals remote execution tool for Windows)

Credential theft:
mimikatz-like module, started with a named pipe parameter

Lateral movement: WMI and PsExec
PsExec uses the credentials obtained by the mimikatz-like module
WMI also uses credentials obtained through the CredEnumerateW API
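The following is an added example (not from the slides or from Cisco) of detection logic for the lateral-movement techniques listed above. It runs over constructed Sysmon-style process-creation records; the host names, user, paths, the payload file name dropped.dat and the pipe GUID are invented sample data. The regular expressions encode the command-line shapes of wmic.exe /node ... process call create, PsExec -s -d launching rundll32, a rundll32 child of the WMI provider host or the PsExec service on the target, and a %TEMP% executable started with a named pipe as its only argument.

```python
"""Flag Nyetya-style lateral movement in process-creation telemetry.

Added example, not from the slides. It scans Sysmon-style process-creation
records for the behaviours the slides list: remote execution through
wmic.exe and PsExec, the rundll32 payload those spawn on the target, and a
credential-stealing helper started with a named pipe as its argument.
Hosts, users, paths and the payload name 'dropped.dat' are constructed.
"""
import re
from typing import Dict, List

# Constructed sample events; a real pipeline would read Sysmon Event ID 1 or 4688.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Attacker side: the running payload (rundll32) drives wmic against a peer,
    # passing stolen credentials on the command line.
    {"host": "WS-01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic.exe /node:"10.0.0.5" /user:"CORP\svc_backup" /password:"P@ss" '
                r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\dropped.dat\" #1"'},
    # Attacker side: PsExec run as SYSTEM (-s) and detached (-d) against a peer.
    {"host": "WS-01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\PsExec.exe",
     "cmdline": r"C:\Windows\PsExec.exe \\10.0.0.7 -accepteula -s -d "
                r"C:\Windows\System32\rundll32.exe C:\Windows\dropped.dat,#1"},
    # Attacker side: credential stealer dropped to %TEMP%, given a named pipe to report on.
    {"host": "WS-01", "parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\1A2B.tmp",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\1A2B.tmp "
                r"\\.\pipe\{3f2a9c1e-0000-4000-8000-000000000001}"},
    # Target side: the WMI provider host spawns rundll32 with the payload.
    {"host": "WS-05", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'C:\Windows\System32\rundll32.exe "C:\Windows\dropped.dat" #1'},
    # Target side: the PsExec service spawns rundll32 with the payload.
    {"host": "WS-07", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\dropped.dat,#1"},
    # Benign: local wmic query, no /node and no process creation.
    {"host": "WS-09", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe os get caption"},
]

WMIC_REMOTE = re.compile(r"/node:", re.I)
WMIC_PROC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)
WMIC_CREDS = re.compile(r"/user:.*?/password:", re.I)
# A bare \\host token followed by whitespace; a UNC path (\\host\share) does not match.
PSEXEC_TARGET = re.compile(r"(^|\s)\\\\[\w.\-]+(\s|$)")
PSEXEC_SYSTEM = re.compile(r"\s-s\b.*\s-d\b", re.I)
# Whole command line is "<exe> \\.\pipe\{GUID}": the credential dumper launch pattern.
NAMED_PIPE_ARG = re.compile(r"^\S+\s+\\\\\.\\pipe\\\{[0-9a-f-]{36}\}\s*$", re.I)
REMOTE_PARENTS = ("wmiprvse.exe", "psexesvc.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the suspicious behaviours one process-creation event exhibits."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    findings = []
    if image == "wmic.exe" and WMIC_REMOTE.search(cmd) and WMIC_PROC_CREATE.search(cmd):
        findings.append("wmic remote process creation")
        if WMIC_CREDS.search(cmd):
            findings.append("credentials passed on wmic command line")
    # Keyed on the command-line shape, not the image name: attackers rename PsExec.
    if PSEXEC_TARGET.search(cmd) and PSEXEC_SYSTEM.search(cmd) and "rundll32" in cmd.lower():
        findings.append("psexec remote rundll32 as SYSTEM")
    if image == "rundll32.exe" and parent in REMOTE_PARENTS:
        findings.append(f"rundll32 spawned by {parent} (remote launch)")
    if NAMED_PIPE_ARG.match(cmd) and "\\temp\\" in event["image"].lower():
        findings.append("temp executable started with a named-pipe argument (credential dumper pattern)")
    return findings


def summarize(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Split hosts into those launching the spread and those receiving it."""
    sources, targets = set(), set()
    for ev in events:
        for finding in classify(ev):
            if finding.startswith(("wmic remote", "psexec remote", "temp executable")):
                sources.add(ev["host"])
            elif finding.startswith("rundll32 spawned"):
                targets.add(ev["host"])
    return {"sources": sorted(sources), "targets": sorted(targets)}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for finding in classify(ev):
            print(f'{ev["host"]}: {finding}')
    print(summarize(SAMPLE_EVENTS))  # {'sources': ['WS-01'], 'targets': ['WS-05', 'WS-07']}
```

The PsExec rule deliberately ignores the image name, because the tool is routinely renamed; the target-side rules (rundll32 under WmiPrvSE.exe or PSEXESVC.exe) catch the same movement from the receiving host, so either side's telemetry is enough to see the spread.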





Privilege checks: SeShutdownPrivilege, SeDebugPrivilege
A reboot is scheduled after 10 minutes and boot sector 0 (the MBR) is overwritten
M.E.Doc
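As an added example (not from the slides), the check below parses the classic 512-byte MBR layout and reports what changed in sector 0 relative to a known-good copy. Both sectors are constructed inside the code; capturing the real sector from the physical drive, and the baseline itself, are assumed to come from elsewhere. The "overwritten" sample keeps a valid boot signature and partition table and changes only the bootstrap code, which is why checking the 0x55AA signature alone does not detect a loader that was replaced to keep the disk bootable.

```python
"""Compare a disk's sector 0 against a known-good copy.

Added example, not from the slides. The slides note that Nyetya, after its
privilege check, overwrites boot sector 0 (the MBR) and schedules a reboot.
This parses the classic 512-byte MBR layout and reports what changed relative
to a baseline captured earlier. Both sectors below are constructed; reading
the real sector from the physical drive device is outside this snippet.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
PT_OFFSET = 446          # bootstrap code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"  # bytes 510..511


def build_mbr(bootstrap: bytes, entries: List[bytes], signature: bytes = SIGNATURE) -> bytes:
    """Assemble a sector from bootstrap code, up to four 16-byte entries and a signature."""
    table = b"".join(entries).ljust(4 * 16, b"\x00")
    return bootstrap.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + table + signature


def parse_mbr(sector: bytes) -> Dict:
    """Return the boot-signature check, a hash of the bootstrap code, and the used partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "bootstrap_sha256": hashlib.sha256(sector[:PT_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(baseline: bytes, current: bytes) -> List[str]:
    """List the ways `current` deviates from the known-good `baseline`; empty means unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    issues = []
    if not cur["signature_ok"]:
        issues.append("boot signature missing")
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        issues.append("bootstrap code changed")
    if base["partitions"] != cur["partitions"]:
        issues.append("partition table changed")
    return issues


# Constructed baseline: one bootable NTFS (type 0x07) partition starting at LBA 2048.
NTFS_ENTRY = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
BASELINE_MBR = build_mbr(b"\xEB\x3C\x90" + b"BOOTSTRAP-BASELINE", [NTFS_ENTRY])
# Constructed tampered sector: same partition table and signature, different bootstrap
# code, the shape of a bootkit that replaces the loader but keeps the disk bootable.
OVERWRITTEN_MBR = build_mbr(b"\xEB\x3C\x90" + b"BOOTSTRAP-REPLACED", [NTFS_ENTRY])

if __name__ == "__main__":
    print(check_against_baseline(BASELINE_MBR, BASELINE_MBR))     # []
    print(check_against_baseline(BASELINE_MBR, OVERWRITTEN_MBR))  # ['bootstrap code changed']
    print(check_against_baseline(BASELINE_MBR, bytes(MBR_SIZE)))  # all three issues
```

The hash of the bootstrap area is the useful signal here: a wiped sector fails every check, but a replaced loader passes the signature and partition-table checks and is caught only by comparing bytes 0..445 against the baseline.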

Ransomware!




Matt Olney, Cisco Talos


Talos
Cisco Incident Response
English:
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html

Russian:
http://www.cisco.com/c/dam/global/ru_ua/solutions/security/ransomware/pdfs/cisco_blog_ransomware_attack_ua_upd4-graphics.pdf




Cisco Talos: 80%, M.E.Doc.




Recommendations:
1. Windows
2.
3.
4.
5.
https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

malware
Identity Services Engine
Nyetya and WannaCry: SMB







FirePOWER and Nyetya
ASA with FirePOWER, 2017
MeDOC.
27.07.2017 09:46: MeDOC with backdoor, FirePOWER



Cisco Identity Services Engine
APT
TCP, UDP, C&C
SYN Half Open; ICMP/UDP/Port Flood
VS.

Cisco StealthWatch and Nyetya
Endpoint Detection and Response
Cisco Advanced Malware Protection
Intelligence, Continuous Analysis & Retrospective Security



Endpoint IOCs
.exe
IoC
One-to-One Signatures; Fuzzy Fingerprinting; Machine Learning; Advanced Analytics
Endpoint Detection and Response

Architecture diagram (components): StealthWatch, ISE, TrustSec, Talos Security Intelligence, AMP, AMP for Endpoints, Threat Grid, NGFW (Firepower), NGIPS. Result: MALWARE CONTAINED
http://www.cisco.com/c/ru_ua/solutions/security/ransomware/index.html

People, Process, Technology

Cisco Incident Response (legend: ● = Included, O = Optional; cells whose mark was not preserved are blank)

Feature                                                      | Emergency            | Readiness & Retainer
Service Level Agreement                                      | Best Effort          | 4 hrs by phone; 24 hrs on-site
Service Model                                                | 90-day               | 12-mo Retainer
Included Hours                                               | 120                  | 160
Included Travel                                              | 2 trips, 3 days each | 2 trips, 3 days each
Needed Response Tools (AMP for Endpoints, OpenDNS, and more) |                      |
Incident Coordination, Containment, & Investigation          |                      |
Log, Host, and Network based Forensics as needed             |                      |
4-point Incident Response Readiness Assessment               | O                    |
  I. Readiness Assessment                                    | O                    |
  II. Environment Prep                                       | O                    |
  III. Table Top Exercise                                    | O                    |
  IV. Final Report                                           | O                    |
                                                             | 90-day Fixed         | 12-mo Subscription

Ransomware Defense Validated Design Guide
Cisco SAFE Design Guide, 2/10/2017
1. (SSL/TLS)
2.
3.









ISO/IEC 27000 series (ISMS)
COBIT
ISF Standard for Good Practice
PCI DSS
Cyber Security Framework
CIS 20 Critical Controls

NIST SP800
ISO 15408 (Common Criteria)
RFC2196
Vendors recommendations
MS Security TechCenter
Cisco SAFE
AWS Cloud Security
OWASP
SANS
CIS Configuration benchmarks
https://www.cisecurity.org/controls/
https://www.cisecurity.org/cis-benchmarks/
NIST Cyber Security Framework (Framework for Improving Critical Infrastructure Cybersecurity)





Mapping of the recommendations to NIST Cybersecurity Framework subcategories:
1. Windows
   ID.BE-1. The organization's role in the supply chain is identified and communicated.
   PR.AC-4. Access permissions are managed, incorporating the principles of least privilege and separation of duties.
   PR.AC-5. Network integrity is protected, incorporating network segregation where appropriate.
2.
   PR.AT-1. All users are informed and trained.
   PR.AT-2. Privileged users understand roles and responsibilities.
3.
   PR.AT-3. Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and responsibilities.
   PR.IP-2. A System Development Life Cycle to manage systems is implemented.
   PR.IP-3. Configuration change control processes are in place.
4.
   PR.IP-4. Backups of information are conducted, maintained, and tested periodically.
   PR.IP-9. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
5.
   PR.IP-10. Response and recovery plans are tested.
   PR.IP-12. A vulnerability management plan is developed and implemented.
   DE.CM-6. External service provider activity is monitored to detect potential cybersecurity events.
ShadowBrokers (SMB? RDP?)