Cisco Connect Toronto 2017 - Anatomy-of-attack

Anatomy of an Attack

Published in: Technology

  1. Cisco Connect: Anatomy of an Attack. Chris Parker-James, Consulting Systems Engineer, Cloud Security. October 12th, 2017. © 2016 Cisco and/or its affiliates. All rights reserved.
  2. Agenda: Anatomy of an Attack; What’s Changed?; Cisco’s Solution; Cisco Umbrella; Cisco Cloudlock; Why Cisco?
  3. Anatomy of a cyber attack (lifecycle diagram labels): reconnaissance and infrastructure setup (domain registration, IP, ASN); intel; monitoring and adaptation based on results; target expansion; wide-scale expansion; defense signatures built; patient zero hit.
  4. Section: Locky/WannaCry ransomware.
  5. Mapping attacker infrastructure (Umbrella Investigate pivots). Timeline labels: AUG 17 (Umbrella), SEP 12 (Locky), −26 DAYS; domain *.7asel7[.]top. Pivots: Domain → IP association; IP → Sample association; IP → Network association; IP → Domain association; WHOIS association; Network → IP association.
  6. Mapping attacker infrastructure, worked pivots from *.7asel7[.]top (Locky): Domain → IP association: 91.223.89.201, 185.101.218.206; IP → Network association: AS 197569; IP → Sample association: 600+ Threat Grid files, e.g. SHA256 0c9c328eb66672ef1b84475258b4999d6df008 (truncated on the slide); IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (Cerber).
  7. Mapping attacker infrastructure, DGA domains (Network → Domain association): jbrktqnxklmuf[.]info (Locky DGA) and mhrbuvcvhjakbisd[.]xyz (Locky DGA). Timeline labels: Umbrella JUL 14, JUL 18, JUL 21; DOMAIN REGISTERED JUL 22; AUG 21; offsets −26 DAYS, −7 DAYS, −4 DAYS. Takeaways: threat detected the same day the domain was registered; threat detected before the domain was registered.
  8. Section: Google OAuth attack.
  9. Sequence of events (1 of 2): (1) Attacker sets up infrastructure and a fake app, then sends a phishing email. (2) Victim opens the email and clicks the link. The victim is sent to Google’s OAuth page to authenticate and grant permissions; afterwards the user is redirected to an attacker-controlled website.
  10. Sequence of events (2 of 2): (3) Victim is prompted to allow or deny access. (4) On the backend, if allowed, Google provisions an OAuth token, appends it to the redirect_uri, and instructs the victim’s browser to redirect to the attacker’s domain (g-cloud[.]win). (5) Attacker gains access to the OAuth token once the user is redirected to one of the attacker-controlled domains. Note: users were redirected to these domains whether they clicked Deny or Allow. (6) Attacker uses the granted privileges (email contacts, delete emails, etc.) and uses the access to send emails from the victim’s account and propagate the worm.
  11. How Cisco Security can help, mapped onto the sequence. Victim opens email and clicks link: Email Security blocks malicious emails. Victim redirected to attacker’s domain: Umbrella blocks the user redirect to the malicious domain, so the attacker never receives the OAuth token if blocked here. Victim grants access to their account, attacker gains access to the OAuth token, attacker has persistent access to the victim’s account: if the attack is successful, Cloudlock revokes the OAuth token. Umbrella Investigate is used to research the attacker’s infrastructure.
  12. Section: The way we work has changed.
  13. What’s changed: apps, data, and identities move to the cloud; business drives use of cloud apps and collaboration is easier; no longer need VPN to get work done; branch offices have direct internet access. (Diagram: HQ, branch office, roaming.)
  14. How risk is different today: users not protected by the traditional security stack; gaps in visibility and coverage; sensitive info exposed (inadvertently or maliciously); users can install and use risky apps on their own. (Diagram: HQ, branch office, roaming.)
  15. Our solution: Umbrella, secure access to the internet; Cloudlock, secure usage of cloud apps. (Diagram: HQ, branch office, roaming.)
  16. Cisco cloud security: shared focus, complementary use cases.
      | | Visibility and control | Threat protection | Forensics | Data protection | Malware / ransomware |
      |---|---|---|---|---|---|
      | Cloudlock | For Shadow IT and connected cloud apps (OAuth) | Protect cloud accounts from compromise and malicious insiders | Analyze cloud audit logs | Assess cloud data risk and ensure compliance | Prevent cloud-native (OAuth) attacks |
      | Umbrella | For all internet activity | Stop connections to malicious internet destinations | Investigate attacks with internet-wide visibility | Block C2 callbacks and prevent data exfiltration | Prevent initial infection and C2 callbacks |
  17. Section: Cisco Umbrella, secure access to the internet.
  18. Umbrella, first line of defense against internet threats. See: visibility to protect access everywhere. Learn: intelligence to see attacks before they launch. Block: stop threats before connections are made.
  19. Umbrella: start blocking in minutes, the easiest security product you’ll ever deploy. (1) Sign up. (2) Point your DNS. (3) Done.
  20. How fast do we resolve DNS requests? Resolution time in milliseconds, by resolver and region (source: MSFT Office 365 Researcher, ThousandEyes blog post, May 2017):
      | Region | SafeDNS | FreeDNS | DNS.WATCH | Comodo | Level3 | OpenNIC | Verisign | Dyn | Umbrella | Google |
      |---|---|---|---|---|---|---|---|---|---|---|
      | Overall | 157 | 130 | 119 | 92 | 78 | 75 | 74 | 50 | 45 | 33 |
      | North America | 75 | 132 | 106 | 39 | 17 | 38 | 43 | 12 | 17 | 25 |
      | Europe/EMEA | 135 | 41 | 34 | 44 | 32 | 52 | 43 | 31 | 31 | 29 |
      | Asia/APAC | 197 | 275 | 268 | 198 | 167 | 119 | 112 | 80 | 59 | 39 |
      | Latin America | 184 | 225 | 218 | 119 | 110 | 108 | 140 | 73 | 99 | 42 |
      | Africa | 322 | 195 | 169 | 164 | 171 | 81 | 176 | 165 | 23 | 38 |
  21. Enterprise-wide deployment in minutes. Cisco endpoint (AnyConnect): no additional agents to deploy with AnyConnect; or the Umbrella roaming client works alongside other VPNs for DNS and IP redirection. Cisco networking (WLAN controller, ISR 4K): out-of-the-box integration; use of tags for granular filtering and reporting; policies per VLAN/SSID. Other network devices (DNS/DHCP servers, wireless APs): simple configuration change to redirect DNS; policies for corporate and guests.
  22. Where does Umbrella fit? Existing layers against malware, C2 callbacks and phishing: HQ (sandbox, NGFW, proxy, NetFlow, AV), branch (router/UTM, AV), roaming (AV). Umbrella as the first line: it all starts with DNS; precedes file execution and IP connection; used by all devices; port agnostic.
  23. Built into the foundation of the internet. Umbrella provides: connection for safe requests; prevention for user- and malware-initiated connections; proxy inspection for risky URLs. (Diagram: safe request vs. blocked request.)
  24. Enforcement: requests for “risky” domains go through the intelligent proxy, which performs URL inspection (Cisco Talos feeds, Cisco WBRS, partner feeds, custom URL block list) and file inspection (AV engines, Cisco AMP).
  25. Enforcement: prevents connections before and during the attack. Web- and email-based infection: malvertising/exploit kit, phishing/web link, watering hole compromise. Command and control callback: malicious payload drop, encryption keys, updated instructions. Stops data exfiltration and ransomware encryption.
  26. Intelligence: our view of the internet. 100B requests per day; 12K enterprise customers; 85M daily active users; 160+ countries worldwide.
  27. Intelligence to see attacks before they launch. Data: Cisco Talos feed of malicious domains, IPs, and URLs; Umbrella DNS data, 100B requests per day. Security researchers: industry-renowned researchers; build models that can automatically classify and score domains and IPs. Models: dozens of models continuously analyze millions of live events per second; automatically uncover malware, ransomware, and other threats.
  28. Statistical models (2M+ live events per second, 11B+ historical events). Guilt by inference: co-occurrence model; geolocation model; secure rank model. Guilt by association: predictive IP space modeling; passive DNS and WHOIS correlation. Patterns of guilt: spike rank model; natural language processing rank model; live DGA prediction.
  29. Co-occurrence model (domains guilty by inference). Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe. Diagram: x.com is the known malicious domain on a timeline; a.com, b.com and c.com, requested shortly before it (time −), and d.com, e.com and f.com, requested shortly after it (time +), are possible malicious domains.
  30. Spike rank model (patterns of guilt). A massive amount of DNS request volume data is gathered and analyzed; when y.com’s DNS request volume over days matches a known exploit kit pattern (DGA, malware, exploit kit, phishing), the model predicts a future attack and y.com is blocked before it can launch a full attack.
  31. Predictive IP space monitoring (guilt by association): pinpoint suspicious domains and observe their IPs’ fingerprint; identify other IPs, hosted on the same server, that share the same fingerprint; block those suspicious IPs and any related domains. (Diagram: DOMAIN → 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479.)
  32. ‘Sender Rank’ model: predict domains related to spammers. Identify queries to spam reputation services: our 85M+ users leverage email reputation services to check for spam, so we see the requests made to check domains found in emails (mail servers → reputation services, e.g. a.spam.ru.checkspam.com and b.spam.ru.checkspam.com, the domain of the sender prepended to the domain of the service). The model aggregates hourly graphs per domain. “Hailstorm” spam uses short bursts of thousands of FQDNs, e.g. subdomains (a.spam.ru … b.spam.ru, z.spam.ru), to hide from reputation services; spam.ru is identified as the suspect domain. Confirm “Hailstorm” domain check behavior patterns using the type of domain, domain popularity and historical activity. The model identifies the owners of “Hailstorm” domains: after confirmation, query WHOIS records to get the registrant of the sender domain (e.g. badguy), and the model automatically places registrants on a watch list. Attackers often register more domains to embed links in phishing or C2 callbacks in malware; when new domains are registered at a future time, the model automatically verifies them and the new malicious domain is blocked by Umbrella. Result: block 10,000s of domains before new attacks happen.
  33. ‘Newly Seen Domains’ category reduces risk of the unknown. Events: (1) Any user (free or paid) requests the domain [1]. (2) Every minute, we sample from our streaming DNS logs. (3) Check if the domain was seen before and if it is whitelisted [2]. (4) If not, add it to the category, and within minutes DNS resolvers are updated globally. Timeline: attackers register domains (not yet a threat). Before expiration [3], if any user requests the domain, it is logged or blocked as newly seen (Cisco Umbrella: potentially unprotected for minutes, then protected for 24 hours). Later, Umbrella statistical models or reputation systems identify it as malicious (reputation systems: unprotected for days to weeks, then protected). Domains used in an attack: Umbrella’s Auto-WHOIS model may already predict them as malicious. Footnotes: [1] May have predictively blocked it already, and likely the first requestor was a free user. [2] E.g. domain generated for a CDN service. [3] Usually 24 hours, but modified for best results, as needed.
  34. Our efficacy (intelligence): discover 3M+ daily new domain names; identify 60K+ daily malicious destinations; enforce against 7M+ malicious destinations while resolving DNS.
  35. What sets Umbrella apart from competitors: easiest connect-to-cloud deployment; fastest and most reliable cloud infrastructure; broadest coverage of malicious destinations and files; most open platform for integration; most predictive intelligence to stop threats earlier.
  36. Section: Cisco Cloudlock, secure usage of cloud apps.
  37. Cloudlock can provide visibility and control over global cloud user activities.
  38. Key questions organizations have. Users/accounts: Who is doing what in my cloud applications? How do I detect account compromises? Are malicious insiders extracting information? Data: Do I have toxic and regulated data in the cloud? Do I have data that is being shared inappropriately? How do I detect policy violations? Applications: How can I monitor app usage and risk? Do I have any 3rd-party connected apps? How do I revoke risky apps?
  39. Cisco Cloudlock addresses customers’ most critical cloud security use cases. Capabilities: discover and control; user and entity behavior analytics; cloud data loss prevention (DLP); apps firewall; cloud malware. Use cases: shadow IT/OAuth discovery and control; data exposures and leakages; privacy and compliance violations; compromised accounts; insider threats.
  40. Here’s an example of why you need cloud user security. North America, 9:00 AM ET: login. Africa, 10:00 AM ET: data export. Distance from the US to the Central African Republic: 7362 miles; at a speed of 800 mph, it would take 9.2 hours to travel between them, yet the two events are one hour apart.
  41. Have you ever been to 68 countries in one week?
  42. More than 24,000 files per organization publicly accessible. Data exposure per organization (chart values 2%, 10% and 12% for: accessible by external collaborators, accessible publicly, accessible organization-wide); 24,000 files publicly accessible per organization; 70% of external sharing done with non-corporate email addresses. Source: Cloudlock CyberLab.
  43. Consider “connected” cloud apps: Pokémon Go. Daily time spent by the average iOS user (source: SensorTower): Pokémon Go 33 mins, Facebook 22 mins, Snapchat 18 mins, Twitter 17 mins, Instagram 15 mins, Slither 10 mins; Pokémon Go breaks another record with a higher daily average user time than Facebook, Snapchat, and Instagram. Time to reach 100 million users worldwide (an unusual start: Pokémon Go breaking all mobile gaming records globally); chart values: 1 month (estimated) for Pokémon Go; 4.5 yrs, 7 yrs, 16 yrs, 75 yrs for the comparison products; years of launch 1878, 1879, 1900, 2004, 2016.
  44. Cisco Cloudlock, Cloud Access Security Broker (CASB): identities, data, apps.
  45. CASB, API access (cloud to cloud). Diagram labels: public APIs; Cisco NGFW / Umbrella; managed users, managed devices, managed network; unmanaged users, unmanaged devices, unmanaged network.
  46. Cloudlock has over 70 pre-defined policies. PII: SIN/ID numbers; driver license numbers; passport numbers. PHI: HIPAA; health identification numbers (global); medical prescriptions. PCI: credit card numbers; bank account numbers; SWIFT codes. Education: inappropriate content; student loan application information; FERPA compliance. General: email address; IP address; passwords/login information.
  47. Cloudlock provides automated response actions: detect → alert (admin/users) → security workflows → response actions → API integrations.
  48. Cisco Cloudlock differentiators. Smartest intelligence: CyberLab, crowd-sourced community trust ratings. Proven track record: deployed at over 700 organizations and supporting deployments of over 750,000 users. FedRAMP In Process: the only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization. Cisco ecosystem: integrated, architectural approach to security, vendor viability. Cloud-native: full value instantly, no disruption.
  49. Section: Why Cisco Cloud Security?
  50. Why customers love Cisco cloud security: most effective protection; simplest to deploy and manage; most open platform; most reliable.
  51. Real customer results. Umbrella: “Deployed to 30,000 employees in less than 60 minutes”; “Reduced infections by 98%...saved 1.7 months of user downtime per year”; “Cut incident response time by 25-30%”. Cloudlock: “Reduced public exposure by 62% in one day”; “Intelligently reduced OAuth-connected apps by 34% in one week”; “Deployed to 125,000 employees in less than 5 minutes”.
  52. Try Umbrella and Cloudlock today. Tackle ransomware and other threats with Umbrella; enable the secure use of the cloud with Cloudlock.
  53. Thank you.
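Slide 29 describes the co-occurrence model in one sentence: a domain becomes suspect when a statistically significant number of identities request it consecutively, within a short timeframe, with a known malicious domain. The following is an added illustration of that idea, not Umbrella's code and not from the presenter. It runs over a constructed DNS query log in which x.com plays the slide's known malicious domain; the 30-second window and the fixed minimum of three distinct identities are assumptions standing in for whatever statistical test the real model applies.

```python
from collections import defaultdict

# Constructed DNS query log, not Umbrella data: (identity, unix timestamp, queried domain).
# x.com plays the role of the known malicious domain from the slide.
DNS_LOG = [
    ("id1", 100, "a.com"), ("id1", 105, "x.com"), ("id1", 110, "d.com"),
    ("id2", 200, "b.com"), ("id2", 203, "x.com"), ("id2", 209, "d.com"),
    ("id3", 300, "c.com"), ("id3", 301, "x.com"), ("id3", 320, "e.com"),
    ("id4", 400, "x.com"), ("id4", 402, "d.com"),
    ("id5", 500, "f.com"), ("id5", 900, "x.com"),               # 400 s apart: not consecutive
    ("id6", 600, "news.example"), ("id6", 602, "cdn.example"),  # never touches x.com
]
KNOWN_MALICIOUS = {"x.com"}


def cooccurring_identities(log, known_bad=KNOWN_MALICIOUS, window_seconds=30):
    """Map each candidate domain to the set of identities that requested it
    within window_seconds (before or after) of a known-bad request.

    Counting distinct identities rather than raw query pairs keeps one noisy
    client from manufacturing a co-occurrence on its own.
    """
    by_identity = defaultdict(list)
    for ident, ts, domain in log:
        by_identity[ident].append((ts, domain))

    hits = defaultdict(set)
    for ident, queries in by_identity.items():
        queries.sort()
        bad_times = [ts for ts, d in queries if d in known_bad]
        if not bad_times:
            continue  # this identity never requested a known-bad domain
        for ts, domain in queries:
            if domain in known_bad:
                continue
            if any(abs(ts - bt) <= window_seconds for bt in bad_times):
                hits[domain].add(ident)
    return hits


def guilty_by_inference(log, min_identities=3, **kw):
    """Candidate domains co-occurring with known-bad domains across at least
    min_identities distinct identities. The fixed count is an assumption that
    stands in for the slide's 'statistically significant number'."""
    hits = cooccurring_identities(log, **kw)
    return sorted(d for d, ids in hits.items() if len(ids) >= min_identities)


if __name__ == "__main__":
    for domain, ids in sorted(cooccurring_identities(DNS_LOG).items()):
        print(f"{domain:8} co-occurs with x.com for {len(ids)} identities: {sorted(ids)}")
    print("guilty by inference:", guilty_by_inference(DNS_LOG))
```

On this log only d.com is requested near x.com by three different identities; a.com, b.com, c.com and e.com each co-occur for a single identity, and f.com is 400 seconds away from the x.com request and so never counts. In production the window, the identity threshold and a popularity allowlist (CDNs and trackers co-occur with everything) are the parameters that decide the false-positive rate.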
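Slide 33 lists the four steps behind the ‘Newly Seen Domains’ category: sample the DNS logs every minute, check whether the domain was seen before and whether it is whitelisted, and if not add it to the category for a limited time (usually 24 hours) during which requests are logged or blocked. The block below is an added model of that procedure, not Umbrella's implementation. The in-memory first-seen store, the `*.cdn.example` allowlist pattern and the `enforcement_action` policy switch are assumptions; the slide only says a newly seen domain is "logged or blocked".

```python
import fnmatch

NEWLY_SEEN_TTL = 24 * 3600      # footnote 3 on the slide: usually 24 hours
ALLOWLIST = ["*.cdn.example"]   # footnote 2: e.g. domains generated for a CDN service (constructed pattern)


class NewlySeenTracker:
    """Tracks the first-seen time per domain and decides whether a request
    falls into the 'newly seen' category. The in-memory dict is an assumption;
    the slide does not describe the real data store."""

    def __init__(self, history=None):
        # history: {domain: first_seen_unix_ts} carried over from earlier samples
        self.first_seen = dict(history or {})

    @staticmethod
    def allowlisted(domain):
        return any(fnmatch.fnmatch(domain, pattern) for pattern in ALLOWLIST)

    def classify(self, domain, ts):
        """Return 'allowlisted', 'newly-seen' or 'established' for one request."""
        if self.allowlisted(domain):
            return "allowlisted"
        first = self.first_seen.setdefault(domain, ts)   # step 3: seen before? if not, record now
        if ts - first < NEWLY_SEEN_TTL:                   # still inside the category window
            return "newly-seen"
        return "established"


def process_minute_sample(tracker, sample):
    """Steps 2 and 4: take one minute's sample of (ts, domain) records and
    return the set of domains to add to the category for this minute."""
    return {domain for ts, domain in sample
            if tracker.classify(domain, ts) == "newly-seen"}


def enforcement_action(verdict, block_newly_seen=True):
    """Policy choice from the slide: a newly seen domain is either logged or blocked."""
    if verdict == "newly-seen":
        return "block" if block_newly_seen else "log"
    return "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    tracker = NewlySeenTracker(history={"old.example": t0 - 30 * 24 * 3600})
    sample = [(t0, "fresh.example"), (t0 + 5, "abc123.cdn.example"), (t0 + 10, "old.example")]
    print("added to category:", process_minute_sample(tracker, sample))
    for domain in ("fresh.example", "abc123.cdn.example", "old.example"):
        verdict = tracker.classify(domain, t0 + 60)
        print(f"{domain:20} {verdict:12} -> {enforcement_action(verdict)}")
```

The point the slide makes is the ordering of the allowlist check before the first-seen check: without it, every CDN-generated hostname would land in the category and the block policy would become unusable. The expiry is what turns the category into a time-boxed quarantine rather than a permanent verdict; after the TTL the domain is handed back to the statistical models and reputation systems the slide mentions.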
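Slide 40 argues from geography: a login in North America at 9:00 AM ET followed by a data export from Africa at 10:00 AM ET cannot be the same traveller, because even at 800 mph the trip takes hours. The block below is an added example of that "impossible travel" check, not Cloudlock's detection logic. The events, the coordinates (New York and Bangui are assumptions standing in for "North America" and "Africa"; the resulting distance differs from the slide's 7362-mile figure, which uses other reference points) and the 800 mph ceiling taken from the slide are all constructed inputs.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
MAX_PLAUSIBLE_MPH = 800          # the airliner speed the slide reasons with

# Constructed cloud audit events, not Cloudlock data: (user, unix ts, action, lat, lon).
# Coordinates are assumptions: New York for "North America", Bangui for "Africa".
T0 = 1_507_800_000
EVENTS = [
    ("alice", T0,            "login",       40.7128, -74.0060),   # 9:00 AM ET, North America
    ("alice", T0 + 3600,     "data_export",  4.3947,  18.5582),   # 10:00 AM ET, Africa
    ("bob",   T0,            "login",       40.7128, -74.0060),
    ("bob",   T0 + 4 * 3600, "login",       42.3601, -71.0589),   # Boston, four hours later
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in statute miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def impossible_travel(events, max_mph=MAX_PLAUSIBLE_MPH):
    """Flag consecutive events of the same user whose implied speed exceeds max_mph.
    Returns a list of (user, action, miles, required_mph, hours) alerts."""
    by_user = {}
    for ev in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(ev[0], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            miles = haversine_miles(prev[3], prev[4], cur[3], cur[4])
            hours = (cur[1] - prev[1]) / 3600
            if miles < 1.0:           # same place (GeoIP jitter): nothing to reason about
                continue
            # Two distant events at the same timestamp imply infinite speed, which is still a hit.
            required = miles / hours if hours > 0 else float("inf")
            if required > max_mph:
                alerts.append((user, cur[2], round(miles), round(required), hours))
    return alerts


if __name__ == "__main__":
    for user, action, miles, mph, hours in impossible_travel(EVENTS):
        print(f"{user}: '{action}' {miles} miles after {hours:.1f} h needs {mph} mph (> {MAX_PLAUSIBLE_MPH})")
```

Alice's export is flagged: the required speed is several thousand miles per hour. Bob's New York to Boston hop in four hours is well under the ceiling and passes. The two guards matter in practice: GeoIP places a user at a provider's data center, so sub-mile differences are noise rather than movement, and identical timestamps must not divide by zero. The ceiling is deliberately generous, since a VPN exit or a shared account can also produce this pattern; the alert is a reason to review the session, not proof of compromise on its own.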
