Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Sean Ball, Forfusion

Page 1: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Cyber-Attacks: Why They Happen and How to Stop Them

Sean Ball, Forfusion

Page 2: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

#CyberSecurityNE

Page 3: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

IT is a risky business…

Page 4: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)
Page 5: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)
Page 6: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)
Page 7: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Agenda

10.15am – 10.30am  Introduction to The Cloud Innovation Centre and the National Institute for Smart Data Innovation
                   Steve Caughey, Technical Consultant, Cloud Innovation Centre

10.30am – 11.00am  Cyber-Security in the Real World
                   Adam Denyer-Hampton, Security Specialist, Cisco

11.00am – 11.20am  Proving the Value of Cyber-Security
                   Jay McDonald, Architectural Lead (Security), Comstor

Page 8: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

The Cloud Innovation Centre and the National Institute for Smart Data Innovation

Steve Caughey, Technical Consultant, Cloud Innovation Centre

Page 9: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Innovation Cycle

Engagement:

Teaching: developing next-generation talent

Research: cloud and big data

University research teams

Cloud Innovation Centre

Page 10: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)
Page 11: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

• The National Institute for Smart Data Innovation (NISDI) will enable industry to unleash the huge potential for innovation offered by the explosive growth in digital data.

• Once processed and analysed, digital data can become “Smart Data”, enabling new products and services that greatly benefit the country’s economy and its citizens. However, a major skills gap is preventing the UK from realising the potential of Smart Data.

• NISDI will overcome this barrier by creating a unique new facility which brings together industry, the public sector and universities to create the skills, ideas and resources needed to exploit these opportunities.

• Driven by the needs of industry, NISDI will allow the region, the Northern Powerhouse and the UK to become global leaders in this important sector, estimated to be worth around $125bn per annum.


Page 12: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Security for the Real World

Adam Denyer-Hampton, Security Specialist

October 2016

Page 13: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Cisco Confidential C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved.

Hackers!!!

Page 14: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Designed to evade and reconstitute: professional attack infrastructure (ransomware)

User -> Proxy Server -> Exploit Server -> Status Server -> Master Server

1. The user requests a page and is referred to the proxy server.
2. The proxy server gets its data from the exploit server.
3. The exploit server sends HTTP requests to the status server, which tracks HTTP requests and their status.
4. A roll-up of the log data is pushed to the master server.

Page 15: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Exploit Kits

User -> Exploit Server: the kit checks the victim for known vulnerabilities in turn until it finds one that is not patched.

Check vuln 1
Check vuln 2
Vuln 3 success!

Patched? (✖ ✔ ✔)

Page 16: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Page 17: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


How Data Breaches Happen

Page 18: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


What can we do?

Page 19: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Integrated Threat Defense Across the Attack Continuum

Attack Continuum:

BEFORE: Control, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection

Visibility and Automation, Granular App Control, Modern Threat Control, Retrospective Security, IoCs/Incident Response

Page 20: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Superior Network Visibility

Chart labels: Typical Visibility (basic visibility) vs Cisco® Services

Visibility into: Threats, Users, Web Applications, Application Protocols, File Transfers, Malware, Command and Control Servers, Client Applications, Network Servers, Operating Systems, Routers and Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines

Page 21: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Attack Lineage

IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations

SI Events: Connections to Known CnC IPs

Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections

Page 22: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Continuous Retrospective Security

Continuous Feed -> Continuous Analysis

Telemetry Stream from the breadth of control points: Web (WWW), Endpoints, Network, Email, Devices, IPS

Telemetry collected: File Fingerprint and Metadata, File and Network I/O, Process Information
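The two slides above describe the mechanism behind "retrospective" security: every control point streams file fingerprints, process information and network I/O into a store, so that when threat intelligence later changes its verdict on a file, the defender can scope every host that saw it and reconstruct the attack lineage (file write, execution, connection to a known CnC address) without rescanning anything. The Python below is an added example of that idea written for this page; it is not code from the deck or from any Cisco product. The telemetry lines, host names, hashes and the C2 address (from the TEST-NET-3 documentation range) are constructed placeholders.

```python
"""Continuous retrospective security over constructed endpoint telemetry.

Added example for this deck; it is not code from Cisco or from AMP. The
telemetry lines, host names, hashes and the C2 address (TEST-NET-3) are
all constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

H_DROPPER = "aa" * 32  # constructed placeholder SHA-256 of a dropper
H_BENIGN = "bb" * 32   # constructed placeholder SHA-256 of a harmless file
KNOWN_CNC: Set[str] = {"203.0.113.45"}  # constructed security-intelligence (SI) feed

# Constructed telemetry stream: timestamp|host|kind|key=value|...
TELEMETRY = """\
2016-10-03T09:12:04Z|ws-017|file_write|sha256={d}|path=C:/Users/a/Downloads/invoice.exe|proc=chrome.exe
2016-10-03T09:12:09Z|ws-017|process_exec|sha256={d}|proc=invoice.exe|parent=explorer.exe
2016-10-03T09:12:15Z|ws-017|net_connect|proc=invoice.exe|dst=203.0.113.45:443
2016-10-03T10:00:00Z|ws-099|file_write|sha256={b}|path=C:/Users/c/report.pdf|proc=outlook.exe
2016-10-03T11:40:00Z|ws-042|file_write|sha256={d}|path=C:/Users/b/invoice.exe|proc=outlook.exe
2016-10-04T08:00:00Z|ws-042|process_exec|sha256={d}|proc=invoice.exe|parent=explorer.exe
""".format(d=H_DROPPER, b=H_BENIGN)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(text: str) -> List[Event]:
    """Parse the telemetry stream into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *kv = line.split("|")
        attrs = dict(item.split("=", 1) for item in kv)
        events.append(Event(parse_ts(ts), host, kind, attrs))
    return sorted(events, key=lambda e: e.ts)


EVENTS = parse(TELEMETRY)


def retrospective_sightings(events: List[Event], sha256: str, flagged_at: str) -> List[Event]:
    """Scope: every sighting of the hash before intel flagged it. At the time each
    file was 'unknown', so point-in-time scanning let it through; the stored
    fingerprints let us find it afterwards without rescanning the hosts."""
    cutoff = parse_ts(flagged_at)
    return [e for e in events if e.attrs.get("sha256") == sha256 and e.ts < cutoff]


def affected_hosts(events: List[Event], sha256: str, flagged_at: str) -> Set[str]:
    return {e.host for e in retrospective_sightings(events, sha256, flagged_at)}


def lineage(events: List[Event], host: str, sha256: str) -> List[Event]:
    """Attack lineage on one host: the file write, the process it became, and that
    process's later network connections."""
    chain, procs = [], set()
    for e in events:
        if e.host != host:
            continue
        if e.attrs.get("sha256") == sha256:
            chain.append(e)
            if e.kind == "process_exec":
                procs.add(e.attrs["proc"])
        elif e.kind == "net_connect" and e.attrs.get("proc") in procs:
            chain.append(e)
    return chain


def cnc_contacts(chain: List[Event]) -> List[str]:
    """SI event: connections in the chain whose destination is a known CnC address."""
    return [e.attrs["dst"] for e in chain
            if e.kind == "net_connect" and e.attrs["dst"].rsplit(":", 1)[0] in KNOWN_CNC]


if __name__ == "__main__":
    flagged = "2016-10-05T00:00:00Z"  # the day intel changed the verdict on H_DROPPER
    for host in sorted(affected_hosts(EVENTS, H_DROPPER, flagged)):
        chain = lineage(EVENTS, host, H_DROPPER)
        print(host, [e.kind for e in chain], "CnC:", cnc_contacts(chain) or "none")
```

Run stand-alone it reports ws-017 with the full file_write, process_exec, net_connect chain and a contact to the known CnC address, and ws-042 with the file written and executed but no CnC contact yet; the point is that both sightings predate the verdict change, and only the stored fingerprints make that scoping possible.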

Page 23: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Conclusions

Page 24: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Comstor Security Initiative

Jay McDonald, Cisco Security Architecture Business Lead

Page 25: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


The Security Problem

Changing Business Models

Dynamic Threat Landscape

Complexity and Fragmentation

Page 26: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


The Industrialization of Hacking

Timeline (1990 – 2020):

1990–2000: Viruses
2000–2005: Worms
2005–Today: Spyware and Rootkits
Today+: APTs, Cyberware

Sophistication axis: from "Phishing, Low Sophistication" at the start to "Sophisticated Attacks, Complex Landscape" and "Hacking Becomes an Industry" today.

Page 27: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


The Security Problem

Page 28: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Welcome to the Hackers' Economy: How Industrial Hackers Monetize the Opportunity

Global cybercrime market: $450B–$1T

Social Security number: $1
Medical record: >$50
DDoS as a Service: ~$7/hour
Credit card data: $0.25–$60
Bank account info: >$1000, depending on account type and balance
Exploits: $1000–$300K
Facebook account: $1 for an account with 15 friends
Spam: $50 per 500K emails
Malware development: $2500 (commercial malware)
Mobile malware: $150

Page 29: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


The Problem with Legacy Next-Generation Firewalls

Focus on the apps but miss the threat: legacy NGFWs can reduce attack surface area, but advanced malware often evades security controls.

Page 30: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


What does this mean to me?

Page 31: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


The Basics: Security questions to get you started

• What is your biggest security concern and is your security spend and expertise properly allocated to address that risk?

• Do you have a clear picture of your overall security posture and of how it relates to industry best practices?

• Do you currently conduct security assessments, such as penetration tests / threat scan on a bi-annual basis?

• How realistic is your plan to address the security gaps that you might have today ?

• Do you have an established process to address computer security breaches?

• How confident are you of your ability to demonstrate compliance?

• Given the skills gap that exists in security, do you view the ability to recruit and retain talent and expertise as a top priority?

Page 32: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Understand the threats

• Report highlights include:
  • How industry efforts have crippled major attacks
  • Why cybercriminals are shifting their tactics to make money
  • What experts have to say about major vulnerabilities
  • How adaptive, integrated solutions can quicken time to detection
  • How enterprises fare in security preparedness

http://www.cisco.com/c/en/us/products/security/annual_security_report.html

Page 33: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


5 Questions to Ask When a Security Breach Has Occurred

1) Has an attack occurred?
2) What is the scope of the compromise?
3) How do we contain the attack?
4) How do we prevent future attacks?
5) Should we communicate breaches?

http://www.business.com/internet-security/5-questions-to-ask-when-a-security-breach-has-occurred/

Page 34: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


What do we do?!!

Page 35: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


…. And Breathe …

Page 36: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Threat Landscape Demands More than Application Control

100% of companies connect to domains that host malicious files or services
54% of breaches remain undiscovered for months
60% of data is stolen in hours

It is a community that hides in plain sight, avoids detection and attacks swiftly.

Page 37: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Cisco Sees More Than the Competition

Visibility into: Network Servers, Operating Systems, Routers and Switches, Mobile Devices, Printers, VoIP Phones, Virtual Machines, Client Applications, Files, Users, Web Applications, Application Protocols, Services, Malware, Command and Control Servers, Vulnerabilities, NetFlow, Network Behavior, Processes

Page 38: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


The Cisco Security Model

Attack Continuum:

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

Point in Time -> Continuous

Across: Network, Endpoint, Mobile, Virtual, Cloud

Page 39: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Intelligent cybersecurity to protect against advanced threats (architecture diagram; only the labels survive extraction)

Attack continuum: BEFORE, DURING, AFTER

Enforcement layers and products shown:

• Recursive DNS, any port: OpenDNS / Umbrella (ODNS), backed by a leading threat intelligence research group
• NGFW/UTM, URL filter, admin: ASA, ASA/Meraki MX, NGFW with AMP for Network; actions Block / Warn / Allow
• Network traffic and flow analysis: Stealthwatch
• Intrusion prevention: NGIPS, NGIPSv, NGIPS/AMP
• Web & email security: CWS, WSA, CES, ESA, AMP for Web & Email
• Dynamic malware analysis: AMP Threat Grid
• Endpoints and roaming users: AMP for Endpoints, AnyConnect VPN, CTA
• People & devices, identity: Identity Services (ISE), TrustSec
• Datacenter and cloud apps: ASAv, NGIPSv, cloud option

Page 40: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Leverage ASA 5500-X Equipment with SSD and FirePOWER Services

Threat Scan Risk Assessment / Proof of Value (PoV)

PoV Risk Reports

Page 41: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Contextual visibility of your network

Network Report, Attack Report, Advanced Malware Report

Page 42: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


FirePOWER Delivers Best Threat Effectiveness

Security Value Map for Intrusion Prevention System (IPS)

Security Value Map forBreach Detection

Page 43: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Where Do You Enforce Security?

Diagram: Internet threats (malware, botnets/C2, phishing) reaching HQ, branches and mobile users through layers of sandbox, proxy, NGFW, NetFlow, router/UTM and endpoint AV. Here? And here? And here? Or here?

CHALLENGES
• Too many alerts via appliances and AV
• Wait until the payload reaches the target
• Every payload scan slows things down
• Too much time to deploy everywhere

BENEFITS
• Alerts reduced 2x; improves your SIEM
• Traffic and payloads never reach the target
• Internet access is faster, not slower
• Provision globally in under 30 minutes
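The enforcement point this slide (and the OpenDNS trial that follows) argue for is the recursive resolver: a query is answered with a sinkhole address before any payload is fetched, which is why the benefits list says traffic never reaches the target. The Python below is an added example written for this page of how such a DNS-layer policy makes its block / warn / allow decision; it is not code from the deck, from Cisco or from OpenDNS. All domains in the feeds and in the query log are constructed placeholders, and the sinkhole address is from the TEST-NET-1 documentation range.

```python
"""DNS-layer enforcement: block, warn or allow decided at resolve time.

Added example for this deck; it is not code from Cisco or OpenDNS. Every
domain in the feeds and query log below is a constructed placeholder, and
the sinkhole address is from the TEST-NET-1 documentation range.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

SINKHOLE = "192.0.2.1"  # stands in for a block page; constructed

# Constructed threat feeds keyed by the most specific known-bad domain.
BLOCK_FEED: Dict[str, str] = {
    "malware-dl.example": "malware",
    "c2.botnet-example.net": "botnet/c2",
    "login-verify.example": "phishing",
}
WARN_FEED: Dict[str, str] = {
    "newly-seen.example": "newly observed domain",
}


@dataclass(frozen=True)
class Decision:
    action: str               # "block", "warn" or "allow"
    matched: Optional[str]    # feed entry that fired, if any
    category: Optional[str]
    answer: Optional[str]     # sinkhole address when blocked, else None


def normalize(qname: str) -> str:
    """Lower-case and strip the root dot so 'WWW.Example.' equals 'www.example'."""
    return qname.strip().lower().rstrip(".")


def suffixes(name: str) -> Iterator[str]:
    """Yield the name itself and each parent domain, most specific first."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(qname: str) -> Decision:
    """Match on whole labels: a feed entry for c2.botnet-example.net catches
    x.c2.botnet-example.net but neither notc2.botnet-example.net nor the
    parent botnet-example.net. Block takes precedence over warn."""
    name = normalize(qname)
    for s in suffixes(name):
        if s in BLOCK_FEED:
            return Decision("block", s, BLOCK_FEED[s], SINKHOLE)
    for s in suffixes(name):
        if s in WARN_FEED:
            return Decision("warn", s, WARN_FEED[s], None)
    return Decision("allow", None, None, None)


# Constructed resolver query log: (client address, queried name).
QUERY_LOG: List[Tuple[str, str]] = [
    ("10.0.0.12", "intranet.example."),
    ("10.0.0.12", "cdn.login-verify.example"),
    ("10.0.0.31", "newly-seen.example"),
    ("10.0.0.31", "C2.Botnet-Example.NET."),
    ("10.0.0.40", "update.vendor.example"),
]


def enforce(log: List[Tuple[str, str]]) -> List[Tuple[str, str, Decision]]:
    """Apply the policy to each query; blocked names get the sinkhole answer."""
    return [(client, normalize(q), decide(q)) for client, q in log]


def summarize(results: List[Tuple[str, str, Decision]]) -> Dict[str, int]:
    counts = {"block": 0, "warn": 0, "allow": 0}
    for _, _, d in results:
        counts[d.action] += 1
    return counts


if __name__ == "__main__":
    for client, name, d in enforce(QUERY_LOG):
        print(f"{client:<10} {name:<28} {d.action:<5} {d.category or '':<22} -> {d.answer or 'upstream'}")
    print(summarize(enforce(QUERY_LOG)))
```

Two design choices matter for the caveats a practitioner would raise: matching on whole labels (so a feed entry never fires on a lookalike that merely ends in the same characters), and normalising case and the trailing root dot before matching, since an attacker controls exactly those bytes in the query. A warn verdict resolves normally and only logs, which is what makes it safe to apply to newly observed domains without blocking legitimate traffic.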

Page 44: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Cisco OpenDNS – Free 14 Day Trial

Stop firefighting! Know your threats, know your enemy, and stop attacks before they hit your network!

Page 45: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Cisco Security Assessment Program

Network: Cyber Security Network Threat Scan, Risk Assessment; Cisco ASA 5500-X with FirePOWER (FPWR), Cisco FirePOWER

Web: Cloud Web Security (CWS), OpenDNS Web Security (ODNS), Web Security Appliance (WSA)

Email: Cloud Email Security (L-CES), Email Security Appliance (ESA)

Page 46: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Page 47: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)


Agenda: Closing

Cisco ASA with FirePOWER – more than just a firewall: a threat-focused NGFW

Continuous and retrospective protection

OpenDNS: protect your network before the event happens!

Evals, security audits, PoV risk reports

Page 48: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

For more information contact:

Jay McDonald, Cisco Security Architecture Business Lead
[email protected]
07917 846737

Page 49: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Thank you!

Page 50: Cyber-Attacks: Why They Happen and How to Stop Them (#CyberSecurityNE Slides)

Cyber-Attacks: Why They Happen and How to Stop Them

Sean Ball, Forfusion