Cisco Ransomware Defense

Ransomware is currently the most profitable and fastest growing line of business in the cybercriminal economy. As technology reaches into every corner of the world, we look to the enormous breadth of capability that comes with such massive interconnectedness to bring efficiency and greater profit. That same scale creates opportunity on many fronts: just as it is easier than ever for anyone to be part of the Internet, it is just as easy, and cheaper, for criminals to exploit the same diversity of capability and vulnerability for large-scale gain.

Ransomware, the practice of holding your data hostage by encrypting it, is only the latest face of an old practice. Cybercriminals have always sought ways to generate revenue, obtain sensitive data and intellectual property, or gain social or political status. Like any effective business, the best methods are the ones that scale, reduce the cost of production, and maximize the rate of return.

Combine the explosive growth in connected technologies (laden with vulnerabilities, with little of it built with security in mind or budgeted for) with the rise of Bitcoin and the anonymity it offers, and easily deployed attacks become quickly and easily monetized. Why steal data to sell when its owners will pay into a protection racket worth more than $1 billion?

We will look at a few of the key phases of the attack chain that ransomware follows, and at how we can respond more effectively to these threats. Ransomware is much like any other malware: it uses the traditional delivery models (email and web) and relies on human behaviour to get itself deployed and executed. Time to detection and time to response are now critical capabilities for responders, both to reduce the likelihood of ransomware exposure and to limit the damage from the attacks that do succeed.

Cisco’s Ransomware Defense comprises:

  • Cisco Umbrella, which blocks threats at the DNS layer, before a connection to the malicious domain is ever made and before the threat reaches your network
  • Cisco Advanced Malware Protection (AMP) for Endpoints, which blocks malicious ransomware files from running on endpoints
  • Cisco Email Security, which stops the phishing and spam messages that seek to deliver ransomware

How Google stole the private information of iPhone users

"Don't be Evil" is Google's corporate code of conduct and their main motto, but their actions always seem to be evil in nature. I got interested in this story in December 2017, not in how Google will face the billion-dollar lawsuit, but in how they stole the data and how they used it.

They did this with tracking cookies that let Google collect a lot of your personal data; we call this metadata. Cookies do not transmit your data files, such as photos, videos, app credentials or conversations, but every request that carries the cookie tells Google's servers which phone is visiting which page, and that adds up to a lot of metadata about your phone and your usage.

Google is thought to have bypassed the default privacy settings of Apple’s Safari browser, which blocks third-party cookies unless the user has interacted with the site, using a technique dubbed ‘the Safari Workaround’. It planted its cookies on the phones anyway and used the information they collected to target advertising through its DoubleClick service.

A cookie is a small piece of data that a website asks the browser to store on a phone or computer and send back on every later request. Because the same identifier comes back from every page that embeds the advertiser's content, it allows the tracking of an individual’s browsing activity across unrelated sites, information that is valuable to advertisers because it lets them target ads to interested consumers.
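The mechanism described above, as an added example that is not part of the original post and makes no claim about how Google's workaround actually operated: a simulated browser visits three unrelated first-party sites that all embed an ad server, and the ad server's cookie ties the visits into one profile. The same run with Safari's default third-party-cookie block in place shows why the block matters. The site names, the ad domain and the cookie name are assumptions made for the example.

```python
"""Constructed illustration of cross-site tracking via a third-party cookie.

Not code from the original post. Domains, cookie name and the tracker are
made up for this example.
"""
import secrets
from http.cookies import SimpleCookie

AD_DOMAIN = "ads.example-tracker.test"   # assumed third-party ad server domain


class Browser:
    """Minimal cookie jar: cookies are stored per origin that set them."""

    def __init__(self, block_third_party=False):
        # Safari's default: do not accept new cookies from a domain other than
        # the page's own domain unless the user has interacted with it.
        self.block_third_party = block_third_party
        self.jar = {}   # setting domain -> {cookie name: value}

    def load(self, page_domain, embedded_domain, server):
        """Visit a page on page_domain that embeds a resource from embedded_domain."""
        third_party = embedded_domain != page_domain
        sent = dict(self.jar.get(embedded_domain, {}))   # cookies sent with the request
        response_headers = server.handle(sent, referer=page_domain)
        received = SimpleCookie()
        for name, value in response_headers:
            if name.lower() != "set-cookie":
                continue
            if third_party and self.block_third_party:
                continue   # cookie discarded: third-party context and blocking is on
            received.load(value)
        for cname, morsel in received.items():
            self.jar.setdefault(embedded_domain, {})[cname] = morsel.value


class CookieServer:
    """Origin that assigns a persistent id cookie and logs the page it was embedded on.

    Used here as the third-party ad server; a first-party site setting its own
    session cookie behaves the same way, which the example also exercises.
    """

    def __init__(self, domain):
        self.domain = domain
        self.log = []   # (tracking id, first-party page the request came from)

    def handle(self, cookies, referer):
        tid = cookies.get("tid")
        headers = []
        if tid is None:
            tid = secrets.token_hex(8)
            headers.append(("Set-Cookie", f"tid={tid}; Domain={self.domain}; Path=/"))
        self.log.append((tid, referer))
        return headers


def profiles(server):
    """Group the server's log by tracking id: one entry per distinct visitor it can see."""
    by_id = {}
    for tid, page in server.log:
        by_id.setdefault(tid, []).append(page)
    return by_id


def simulate(block_third_party):
    """One user visits three unrelated sites that all embed the ad server."""
    ads = CookieServer(AD_DOMAIN)
    browser = Browser(block_third_party)
    for site in ("news.example", "shop.example", "health.example"):
        browser.load(site, AD_DOMAIN, ads)
    return profiles(ads)


if __name__ == "__main__":
    # Without the block the ad server links all three visits to one id;
    # with it, every visit looks like a brand-new visitor.
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

The block only prevents the ad server from setting a cookie in a third-party context; a first-party site that embeds nothing still gets its own session cookie, which is why the setting does not break ordinary logins.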


AWS vs. Azure vs. GCP Storage Comparison

Cloud Based Storage Options:

  • Object Storage
  • Block Storage
  • Instance/Server Storage (Ephemeral)
  • Archival Storage
  • Content Delivery Networks
  • Queue Services
  • Database Services
  • Caching Services
  • Import/Export Services


Amazon’s block storage service is “Elastic Block Store” (EBS) and supports three types of persistent disk: magnetic, SSD, and SSD with provisioned IOPS. Maximum volume sizes range from 1 TiB for magnetic disks up to 16 TiB for SSD disks.

The object storage service is “Simple Storage Service” (S3), with four storage classes: Standard, Standard – Infrequent Access, Reduced Redundancy, and Glacier (for archiving). Each class stores objects redundantly across multiple availability zones within one region; copying data to another region requires cross-region replication to be configured.


Microsoft’s storage services are built around Blobs. Page Blobs and Disks are Azure’s block storage service, defined as Standard (magnetic) or Premium (SSD), with volumes of up to 1 TB.

Azure storage is offered in four redundancy levels: locally redundant storage (LRS), where redundant copies of the data are kept within the same data center; zone redundant storage (ZRS), where copies are kept in different data centers within the same region; geographically redundant storage (GRS), which performs LRS in two distant regions for the highest level of durability; and read-access GRS (RA-GRS), which additionally allows reads from the secondary region.


Google’s block storage, Persistent Disk, comes in two options, standard (magnetic) or SSD; IOPS cannot be provisioned separately, since they scale with the size of the volume. Ephemeral local SSD disks are fully configurable and are part of the block storage offering.

Object storage is Google Cloud Storage, divided into three classes: Standard, Durable Reduced Availability for less critical data (similar to Reduced Redundancy in S3), and Nearline, which is for archives.

Physical Data Transport:

AWS:
  • Import/Export Disk
  • Snowball

Azure:
  • Import/Export Service

Google:
  • Offline Media Import/Export (third-party tool)

Active Directory Federation Services Integration with AWS IAM

Business Value:

  • Secure SAML (Security Assertion Markup Language) integration
  • Connects with AWS IAM seamlessly
  • Uses existing infrastructure
  • No need to recreate all our users in IAM
  • Maps IAM policies to AD groups
  • Provides an audit trail (using CloudTrail)

Microsoft Recommendations for ADFS

  • Highly available AD servers (recommended: 4 AD servers)
  • At least two ADFS 2.0 standalone servers
  • A load balancer in front of the ADFS servers

ADFS and AWS Authentication Process:

The user opens the ADFS sign-on page and authenticates with their AD credentials. ADFS reads the user's group memberships, issues a signed SAML assertion listing the matching IAM roles, and the browser posts it to https://signin.aws.amazon.com/saml. AWS validates the assertion against the registered identity provider, assumes the role through STS (AssumeRoleWithSAML), and lets the user choose a role when the assertion permits more than one.

Setting up AWS IAM with ADFS:

  • Requirements: a working AD + ADFS setup, and the ADFS federation metadata downloaded from the ADFS server
  • Create default groups in AD: AWS-PROD and AWS-Dev
  • Create a test user in these groups
  • Create an identity provider in IAM
  • Create IAM roles and grant SSO permissions
  • Set up the ADFS trust (relying party) and the claim mappings

AWS steps:

  • Create the identity provider in IAM (type SAML) and upload the ADFS metadata
  • Create a new role whose trusted entity is that SAML provider
  • Set the role's permissions
  • Create one AWS role per AD group (AWS-PROD, AWS-Dev), so that group membership maps directly to a role

  • Because users and access policies are managed from a single console (Active Directory), the setup stays CIS compliant: the CIS benchmark GPOs applied at the domain controller level also govern the accounts that federate into AWS.
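The two pieces of configuration that the IAM and ADFS steps above produce, as an added example rather than the post's own material: the trust policy attached to each federated role, and the claim values ADFS must emit to map an AD group such as AWS-PROD to the role of the same name. The account id, the provider name "ADFS" and the group names are assumptions; the attribute names, the sign-in audience and the claim format are AWS's published SAML conventions.

```python
"""Added example: generate the IAM trust policy and ADFS role claims for the
AD-group-to-IAM-role mapping described above. Account id, provider and group
names are assumed values, not from the original post."""
import json

ACCOUNT_ID = "123456789012"            # assumed AWS account
PROVIDER_NAME = "ADFS"                 # assumed name given to the IAM SAML provider
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_ATTR = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
GROUP_PREFIX = "AWS-"                  # only AD groups with this prefix become AWS roles


def provider_arn():
    return f"arn:aws:iam::{ACCOUNT_ID}:saml-provider/{PROVIDER_NAME}"


def role_arn(role_name):
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"


def saml_trust_policy():
    """Trust policy for each federated role (the 'Set permissions' step).

    Only assertions issued by our ADFS provider and addressed to the AWS
    sign-in endpoint may assume the role; the SAML:aud condition stops an
    assertion minted for some other relying party from being replayed here.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn()},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def role_claims(ad_groups):
    """Role attribute values ADFS emits for a user's AD groups.

    Format is 'role-arn,provider-arn'. Groups without the prefix (Domain Users,
    printer admins, ...) are dropped so unrelated AD groups never reach AWS.
    """
    return [f"{role_arn(g)},{provider_arn()}" for g in ad_groups if g.startswith(GROUP_PREFIX)]


def assertion_attributes(sam_account_name, ad_groups):
    """The attribute statement of the SAML assertion for one user.

    RoleSessionName becomes the session name recorded in CloudTrail, which is
    what gives the audit trail a per-user identity instead of just a role.
    """
    claims = role_claims(ad_groups)
    if not claims:
        raise PermissionError(f"{sam_account_name} is in no AWS-* group; no role to assume")
    return {SESSION_ATTR: [sam_account_name], ROLE_ATTR: claims}


def claim_allowed_by_policy(claim, policy):
    """Mirror the check STS performs: the provider in the claim must be the
    Federated principal the role's trust policy names, and the role must be
    in our account."""
    role, provider = claim.split(",", 1)
    trusted = policy["Statement"][0]["Principal"]["Federated"]
    return provider == trusted and role.startswith(f"arn:aws:iam::{ACCOUNT_ID}:role/")


if __name__ == "__main__":
    print(json.dumps(saml_trust_policy(), indent=2))
    # Constructed AD user: member of one unrelated group and one AWS group.
    attrs = assertion_attributes("jdoe", ["Domain Users", "AWS-Dev"])
    for claim in attrs[ROLE_ATTR]:
        print(claim, "->", claim_allowed_by_policy(claim, saml_trust_policy()))
```

Paste the policy output into the trust relationship of each role created in the IAM steps; the role claim strings are what the ADFS "Transform an Incoming Claim" rules must produce, one per AWS-* group the user belongs to.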