White Paper c11 740980
Cisco public
Introduction
Ransomware attacks can take many different shapes and forms. Ransomware is a type of malicious
software that typically attempts to encrypt the files on a victim’s computer. Upon successful encryption,
it demands payment before the ransomed data is decrypted and access returned to the victim.
Ransomware attacks are typically carried out using a malicious payload that is disguised as a legitimate
file and tricks the user into downloading or opening it when it arrives as an email attachment. However, there
have been examples of ransomware attacks that are propagated without user interaction. The motivation
for attackers using ransomware is nearly always monetary, and unlike other types of attacks, the victim
is usually notified that an attack has occurred. The victim is then given instructions on how to recover
from the attack. Payment is often demanded in a virtual currency so that the cyber criminal’s identity isn’t
easily attributed. An important point here is that paying the ransom doesn’t guarantee data decryption,
and the payment also funds development of the next generation of ransomware. Refer to the Cisco Talos™ website
(talosintelligence.com) to learn more about examples of recent ransomware attacks and foundational
guidelines to minimize the risks.
The AMP for Endpoints Malicious Activity Protection (MAP) engine, included in AMP Connector version
6.1.5 for Windows, defends your endpoints by monitoring the system, identifying processes that exhibit
malicious activities when they execute, and stopping them from running. Because the MAP engine detects
threats by observing the behavior of the process at run time, it can generically determine if a system is
under attack by a new variant of ransomware or malware that may have eluded other security products
and detection technology, such as legacy signature-based malware detection. The first release of the MAP
engine targets identification, blocking, and quarantine of ransomware attacks on the endpoint.
• Exploit Prevention defends endpoints from memory injection attacks commonly used by malware and zero-day attacks on unpatched software vulnerabilities in protected processes.
• System Process Protection defends critical Windows system processes from being compromised through memory injection attacks by other processes.
The core on-disk detection technologies include:
• AMP Cloud provides access to the global intelligence database that is constantly updated and augmented with new detections and provides a great breadth of knowledge to the AMP Connector through one-to-one hash lookups, a generic signature engine, and the machine learning engine.
• TETRA is a traditional signature-based antivirus engine that resides on the endpoint and provides on-disk malware detection capabilities; TETRA is a part of the AMP Connector for Windows (ClamAV is an offline engine for Mac and Linux).
• Malicious Activity Protection provides run-time detection and blocking of abnormal behavior of a running program on the endpoint (for example, behaviors associated with ransomware).
• Custom Detections serve the goal of delivering robust control capabilities to the security administrator by allowing them to define custom signatures and enforce blacklists.
Figure 1. AMP for Endpoints - Protection Lattice
The core post-infection detection technologies include:
• Cognitive Threat Analytics uses machine learning and artificial intelligence to correlate traffic generated by users to reliably identify command and control traffic, data exfiltration, and potentially unwanted applications already operating in the environment; it requires a proxy supplying web logs or a Cisco Stealthwatch® Flow Collector supplying NetFlow.
• Device Flow Correlation monitors network activity and determines which action the AMP Connector should take when connections to malicious hosts are detected.
• Cloud Indication of Compromise (IOC) is a feature that detects suspicious behaviors observed on the endpoints, looks for patterns of malware, and alerts on them; Cloud IOCs don’t imply active blocking.
• Endpoint IOC is a powerful incident response tool for scanning post-compromise indicators across multiple computers; indicators can be imported from OpenIOC-based files that are written to trigger on file properties.
These security features are the foundation of the overall approach to pervasive advanced malware protection. While Cisco recommends using all of these engines in conjunction with each other to leverage the full value of the product, customers can select whether to enable or disable one or another feature through a policy. MAP, which is the focus of this white paper, is itself just one of the important elements of functionality that AMP for Endpoints delivers. Although listed separately, these technologies work together as a detection lattice to provide improved visibility and increased control across the entire attack continuum.
Additional functionality of AMP for Endpoints, such as dynamic analysis and retrospective detection, is well described in the user guide available at docs.amp.cisco.com.
Although the AMP Connector can detect and prevent ransomware from completely compromising data on the system, it is possible that some files will be encrypted by the offending process until the MAP engine determines that the process meets the criteria for being labeled as malicious. The AMP Connector will report files that were modified by the offending process so they can be quickly restored from backups, if necessary. This file history information lives in the MAP event shown in the AMP for Endpoints console.
See it in action
Although MAP is an engine capable of generically stopping ransomware at run time (regardless of the exploitation
vector, propagation abilities, hash of the sample, targeted files, file extensions, etc.), it may be helpful for testing
purposes to refer to several examples of attacks that may be blocked or quarantined by the engine. Testing was
performed using automated test infrastructure spanning different virtualization environments, as well as bare-metal
machines with supported operating systems. AMP for Endpoints engineering and research teams are continuously
evaluating techniques used by ransomware authors in order to enhance the protection levels.
Some of the ransomware families that were blocked or quarantined at run time by MAP include SamSam, WannaCry,
JigSaw, Jaff, Cerber, TeslaCrypt, CryptoFortress, and many others.
Because the MAP engine uses behavior-based protection to look for activities, it is impossible to evade detection with
simple changes to file hashes or obfuscation with the use of packers.
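The run-time approach described in this white paper (the MAP engine convicting a process by what it does rather than by its hash, reporting the files it modified before conviction so they can be restored, and being indifferent to repacking) can be illustrated with a toy behavior monitor. The following Python is an added example written for this edit; it is not Cisco code and does not show how MAP is implemented. The event schema, entropy and burst thresholds, file paths, process ids and image hashes are all constructed for the demonstration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Tunables for this toy model (constructed values, not MAP's real criteria).
ENTROPY_THRESHOLD = 7.0     # bits per byte; encrypted output sits near 8.0
SUSPICIOUS_WRITES = 5       # this many suspicious file modifications ...
WINDOW_SECONDS = 10.0       # ... inside this window convicts the process
RANSOM_EXTENSIONS = {".locked", ".crypt", ".enc"}   # constructed examples


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plaintext documents score ~4-5, ciphertext ~8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class ProcessState:
    image_hash: str
    modified: list = field(default_factory=list)        # files touched, in order
    suspicious_ts: list = field(default_factory=list)   # times of suspicious ops
    convicted: bool = False


class BehaviourMonitor:
    """Convicts a process on observed behavior; the image hash is recorded but never consulted."""

    def __init__(self):
        self.procs = {}

    def observe(self, ev: dict) -> str:
        """Return the verdict for one file-system event: allow, quarantine or blocked."""
        st = self.procs.setdefault(ev["pid"], ProcessState(ev["image_hash"]))
        if st.convicted:
            return "blocked"            # a quarantined process gets no further writes
        st.modified.append(ev["path"])  # recorded before the verdict: this is the restore list
        ext = "." + ev["path"].rsplit(".", 1)[-1] if "." in ev["path"] else ""
        suspicious = (
            (ev["op"] == "write" and shannon_entropy(ev.get("data", b"")) >= ENTROPY_THRESHOLD)
            or (ev["op"] == "rename" and ext in RANSOM_EXTENSIONS)
        )
        if not suspicious:
            return "allow"
        st.suspicious_ts.append(ev["ts"])
        recent = [t for t in st.suspicious_ts if ev["ts"] - t <= WINDOW_SECONDS]
        if len(recent) >= SUSPICIOUS_WRITES:
            st.convicted = True
            return "quarantine"
        return "allow"

    def file_history(self, pid: int) -> list:
        """Files the process modified before it was stopped: what to restore from backup."""
        return list(self.procs[pid].modified)


# Constructed payloads: repeating every byte value equally gives exactly 8.0 bits/byte.
CIPHERTEXT = bytes(range(256)) * 16
PLAINTEXT = b"Quarterly report: revenue up, costs flat. " * 50


def build_events() -> list:
    """Constructed event stream: a benign editor, an archiver, a ransomware sample and a repacked copy."""
    events = []
    for i in range(8):  # word processor saving documents slowly, plaintext content
        events.append({"ts": 10.0 * i, "pid": 100, "image_hash": "hash-editor",
                       "op": "write", "path": f"C:\\Users\\alice\\doc{i}.docx", "data": PLAINTEXT})
    # Archiver writes one high-entropy file: suspicious on its own, but no burst.
    events.append({"ts": 5.0, "pid": 400, "image_hash": "hash-archiver",
                   "op": "write", "path": "C:\\Users\\alice\\backup.zip", "data": CIPHERTEXT})
    # Same ransomware behavior under two different image hashes (original and repacked).
    for pid, image_hash in ((200, "hash-sample-a"), (300, "hash-sample-a-repacked")):
        for i in range(5):
            events.append({"ts": 20.0 + 0.1 * i, "pid": pid, "image_hash": image_hash,
                           "op": "write", "path": f"C:\\Users\\alice\\doc{i}.docx", "data": CIPHERTEXT})
        events.append({"ts": 20.6, "pid": pid, "image_hash": image_hash,
                       "op": "rename", "path": "C:\\Users\\alice\\doc0.docx.locked"})
    return events


def run_scenario() -> dict:
    """Feed the constructed events through the monitor and collect per-process results."""
    mon = BehaviourMonitor()
    verdicts = defaultdict(list)
    for ev in sorted(build_events(), key=lambda e: e["ts"]):
        verdicts[ev["pid"]].append(mon.observe(ev))
    return {
        "benign": {"verdicts": verdicts[100], "convicted": mon.procs[100].convicted},
        "archiver": {"verdicts": verdicts[400], "convicted": mon.procs[400].convicted},
        "ransomware": {"verdicts": verdicts[200], "file_history": mon.file_history(200)},
        "variant": {"verdicts": verdicts[300], "file_history": mon.file_history(300)},
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result["verdicts"], result.get("file_history", ""))
```

The repacked copy is convicted at exactly the same event as the original because nothing in the decision path reads the hash. The archiver case shows why a single high-entropy write is not enough to convict and why a burst threshold over a time window is needed; it is also the kind of borderline case behind the mistaken-quarantine question in the FAQ, where a real engine carries further guardrails and a restore path.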
Appendix
Frequently asked questions
Question: If the process was quarantined by mistake, can it be restored back to normal operation?
A process that was incorrectly convicted and quarantined can be restored using the normal AMP for
Endpoints restore process. It then needs to be placed on a whitelist or excluded from AMP inspection through the
AMP for Endpoints console, and any such occurrence should also be reported to engineering through the Cisco
Technical Assistance Center.
Question: Can MAP address a use case where malicious code was injected into a legitimate process and used it for
data encryption?
The guardrails built into the AMP Connector may protect a legitimate process from being convicted
by the MAP engine (even though it may contain malicious code inside, as a result of process hollowing or other
code injection techniques). Use of code injection techniques may be prevented by the exploit prevention and system
process protection engines, which can be enabled through AMP’s policy.
Question: Would the MAP engine stop ransomware launched from a connected USB drive?
Yes, the MAP engine monitors connected USB drives and blocks/quarantines ransomware processes launched from
those.
Question: Is there a guarantee that all in-the-wild ransomware samples will get blocked or quarantined by the MAP
engine?
Such a guarantee can never be provided. However, AMP’s research and development teams perform continuous
efficacy testing and invest in ongoing development of the feature to provide greater protection levels to
customers.
Summary
Ransomware attacks significantly impact many organizations around the world. Over the years, this business has
grown dramatically, and the most widespread ransomware attacks of the past do a decent job of telling the story
of how it has grown. As is the case with so many breaches, the fault can lie in the way organizations build and
maintain their IT infrastructure. There is also always a human factor—many ransomware attacks begin with a simple
phishing email, not always even targeted or well prepared by attackers.
MAP introduces a different approach to malware and ransomware protection that is more focused on run-time
detection for blocking and quarantine. This approach is superior in identifying variants of ransomware at execution
time without dependence on signature-based approaches and does not require prior knowledge on how the threat
was built. Cisco strongly recommends leveraging this capability in conjunction with an architectural approach to
security and information security best practices, which together form an effective solution for preventing or
seriously limiting the impact of such threats. Having a sound, layered defense-in-depth strategy in place will ensure
that organizations can limit widespread system outages, and detect and respond when system compromise occurs
within their environments to minimize the impact these attacks may have.
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (1110R) C11-740980-00 07/18