Incident Response
Fernando Zamai
fzamai@cisco.com
Advanced Threat Solutions
Ransomware: Easy Profits
[Diagram: ransomware delivery vectors shown on the slide: email and web]
http://blog.talosintelligence.com/2017/05/wannacry.html
Incident Response Emergency
General Recommendation for Mitigation
• Block all requests in the "Security" categories and make sure the "Newly Seen Domains" category is blocked.
Cisco AMP for Endpoint
• AMP is blocking WannaCry; make sure that automatic "sandbox" submission for low-prevalence files is enabled.
• Explore the retrospection feature to find correlations and artefacts from the time before the file was convicted.
Cisco NGFW/NGIPS - Recommendations
• 'Accidental hero' halts ransomware attack and warns: this is not over
• He used Umbrella Investigate to predict attacks
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
Umbrella Containment – Killswitch Block
Umbrella Containment – TOR Block
Umbrella is blocking new Threats
Where Umbrella can help
WannaCry kill chain (reconstructed from the slide diagram; stage labels and artefacts as shown on the slide):
• Exploit: MS17-010 over tcp/445 (EternalBlue/DoublePulsar); worm component mssecsvc.exe
• Killswitch: www.iuqwergwea.com (domain as written on the slide)
• Install: tasksche.exe
• Encrypts files: RSA 2048; taskse.exe
• Delete temp files: taskdl.exe
• Command & Control over Tor (Tor.exe): 188.166.23.127:443, 193.23.244.244:443, 2.3.69.209:9001, 146.0.32.144:9001, 50.7.161.218:9001
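The kill-chain artefacts above are exactly what an incident responder hunts for in DNS, connection and process telemetry. The following is an added example (not code from the original deck or from Cisco) that runs the slide's indicators over a few constructed log lines in a simple key=value format: the kill-switch DNS query, the Tor C2 endpoints, outbound tcp/445 to non-RFC1918 addresses (the worm scanning beyond the LAN), and the dropped executable names. The log format, host names and addresses are assumptions made for the example; the indicators are the ones listed on the slide. One caveat worth keeping in mind: the kill-switch lookup is performed by the malware before it decides whether to run, so a query for that domain is itself an infection indicator regardless of whether the domain resolves or is blocked.

```python
import ipaddress

# Indicators copied from the WannaCry kill-chain slide above.
C2_ENDPOINTS = {
    ("188.166.23.127", 443),
    ("193.23.244.244", 443),
    ("2.3.69.209", 9001),
    ("146.0.32.144", 9001),
    ("50.7.161.218", 9001),
}
KILLSWITCH_DOMAIN = "www.iuqwergwea.com"  # domain as written on the slide
DROPPED_FILES = {"mssecsvc.exe", "tasksche.exe", "taskse.exe", "taskdl.exe"}
SMB_PORT = 445

# RFC1918 ranges; tcp/445 inside these is normal file sharing, outside them it is scanning.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (assumed key=value format, not real data).
SAMPLE_LOGS = """\
ts=2017-05-12T10:01:02Z type=dns src=10.0.0.15 qname=www.iuqwergwea.com
ts=2017-05-12T10:01:05Z type=conn src=10.0.0.15 dst=188.166.23.127 dport=443 proto=tcp
ts=2017-05-12T10:01:07Z type=conn src=10.0.0.15 dst=10.0.0.22 dport=445 proto=tcp
ts=2017-05-12T10:01:09Z type=conn src=10.0.0.15 dst=203.0.113.7 dport=445 proto=tcp
ts=2017-05-12T10:02:00Z type=proc host=ws15 image=C:\\Windows\\tasksche.exe
ts=2017-05-12T10:02:30Z type=conn src=10.0.0.40 dst=93.184.216.34 dport=443 proto=tcp
ts=2017-05-12T10:03:00Z type=dns src=10.0.0.40 qname=www.example.com
"""


def is_internal(ip):
    """True for RFC1918 addresses (assumed to be the internal address space)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def classify(event):
    """Return the indicator category an event matches, or None."""
    kind = event.get("type")
    if kind == "dns":
        if event.get("qname", "").lower() == KILLSWITCH_DOMAIN:
            return "killswitch-dns"
    elif kind == "conn":
        dst, dport = event.get("dst"), int(event.get("dport", 0))
        if (dst, dport) in C2_ENDPOINTS:
            return "tor-c2"
        if dport == SMB_PORT and not is_internal(dst):
            return "smb445-egress"
    elif kind == "proc":
        # Normalise Windows paths and compare only the file name.
        image = event.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in DROPPED_FILES:
            return "dropped-binary"
    return None


def hunt(log_text):
    """Classify every line and group the matched categories by source host."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        category = classify(event)
        if category:
            host = event.get("src") or event.get("host")
            hits.setdefault(host, set()).add(category)
    return hits


def suspected_infections(hits, min_categories=2):
    """Hosts that matched at least min_categories distinct indicator types."""
    return sorted(h for h, cats in hits.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for host, cats in sorted(results.items()):
        print(host, sorted(cats))
    print("suspected infections:", suspected_infections(results))
```

Grouping by host rather than alerting per line is the point of the example: a single 445 connection or one process name is weak evidence, while the same workstation resolving the kill-switch domain, contacting a Tor C2 endpoint and scanning tcp/445 outside the LAN within seconds is the WannaCry pattern from the slide and should be contained immediately.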