Cyber-Attacks: Why They Happen and How to Stop Them
Sean Ball, Forfusion
#CyberSecurityNE
IT is a risky business…
Agenda
10.15am – 10.30am: Introduction to The Cloud Innovation Centre and the National Institute for Smart Data Innovation. Steve Caughey – Technical Consultant, Cloud Innovation Centre
10.30am – 11.00am: Cyber-Security in the Real World. Adam Denyer-Hampton – Security Specialist, Cisco
11.00am – 11.20am: Proving the Value of Cyber-Security. Jay McDonald – Architectural Lead (Security), Comstor
The Cloud Innovation Centre and the National Institute for Smart Data Innovation
Steve Caughey, Technical Consultant, Cloud Innovation Centre
[Innovation Cycle diagram: Engagement; Teaching: developing next generation talent; Research: cloud and big data; University research teams; Cloud Innovation Centre]
• The National Institute for Smart Data Innovation (NISDI) will enable industry to unleash the huge potential for innovation offered by the explosive growth in digital data.
• Once processed and analysed, digital data can become “Smart Data”, enabling new products and services that greatly benefit the country’s economy and its citizens. However, a major skills gap is preventing the UK from realising the potential of Smart Data.
• NISDI will overcome this barrier by creating a unique new facility which brings together industry, the public sector and universities to create the skills, ideas and resources needed to exploit these opportunities.
• Driven by the needs of industry, NISDI will allow the region, the Northern Powerhouse and the UK to become global leaders in this important sector, estimated to be worth around $125bn per annum.
Security for the Real World
Adam Denyer-Hampton, Security Specialist
October 2016
Cisco Confidential 13C97-732214-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Hackers!!!
Professional Attack Infrastructure – Ransomware: designed to evade and reconstitute
[Diagram: User → Proxy Server → Exploit Server → Status Server → Master Server]
• User requests page
• Referred to proxy server
• Proxy server gets data from exploit server
• Exploit server sends HTTP requests to status server
• Status server tracks HTTP requests/status
• Rollup of log data pushed to master server
Exploit Kits
[Diagram: User ↔ Exploit Server. The kit tries vulnerabilities in turn: Check vuln 1 ✖, Check vuln 2 ✔, Vuln 3 success! ✔. Patched?]
How Data Breaches Happen
What can we do?
Integrated Threat Defense Across the Attack Continuum
Attack Continuum:
• BEFORE: Control, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Controls: Firewall/VPN, NGIPS, Security Intelligence, Web Security, Advanced Malware Protection
Capabilities: Visibility and Automation, Granular App Control, Modern Threat Control, Retrospective Security, IoCs/Incident Response
Superior Network Visibility
[Diagram: Typical Visibility (basic visibility) compared with Cisco® Services across the following categories]
• Threats
• Users
• Web Applications
• Application Protocols
• File Transfers
• Malware
• Command and Control Servers
• Client Applications
• Network Servers
• Operating Systems
• Routers and Switches
• Mobile Devices
• Printers
• VoIP Phones
• Virtual Machines
Attack Lineage
• IPS Events: Malware Backdoors, Exploit Kits, Web App Attacks, CnC Connections, Admin Privilege Escalations
• SI Events: Connections to Known CnC IPs
• Malware Events: Malware Detections, Office/PDF/Java Compromises, Malware Executions, Dropper Infections
Continuous Retrospective Security
[Diagram: a continuous telemetry stream feeds continuous analysis]
• Continuous Feed
• Continuous Analysis
• Telemetry Stream: Web (WWW), Endpoints, Network, Email, Devices, IPS
• File Fingerprint and Metadata
• File and Network I/O
• Process Information
• Breadth of Control Points
Conclusions
Comstor Security Initiative
Jay McDonald, Cisco Security Architecture Business Lead
The Security Problem
Changing Business Models
Dynamic Threat Landscape
Complexity and Fragmentation
The Industrialization of Hacking
[Timeline 1990–2020]
• Viruses: 1990–2000
• Worms: 2000–2005
• Spyware and Rootkits: 2005–Today
• APTs, Cyberware: Today +
Phishing, Low Sophistication → Hacking Becomes an Industry → Sophisticated Attacks, Complex Landscape
The Security Problem
WELCOME TO THE HACKERS’ ECONOMY: How Industrial Hackers Monetize the Opportunity
Global Cybercrime Market: $450B–$1T
• Social Security: $1
• Medical Record: >$50
• DDoS as a Service: ~$7/hour
• Credit Card Data: $0.25–$60
• Bank Account Info: >$1000, depending on account type and balance
• Exploits: $1000–$300K
• Facebook Account: $1 for an account with 15 friends
• Spam: $50 per 500K emails
• Malware Development: $2500 (commercial malware)
• Mobile Malware: $150
The Problem with Legacy Next-Generation Firewalls
Focus on the apps but miss the threat…
Legacy NGFWs can reduce attack surface area but advanced malware often evades security controls.
What does this mean to me?
The Basics: Security questions to get you started
• What is your biggest security concern and is your security spend and expertise properly allocated to address that risk?
• Do you have a clear picture of your overall security posture and of how it relates to industry best practices?
• Do you currently conduct security assessments, such as penetration tests or threat scans, on a bi-annual basis?
• How realistic is your plan to address the security gaps that you might have today?
• Do you have an established process to address computer security breaches?
• How confident are you of your ability to demonstrate compliance?
• Given the skills gap that exists in security, do you view the ability to recruit and retain talent and expertise as a top priority?
Understand the threats
Report highlights include:
• How industry efforts have crippled major attacks
• Why cybercriminals are shifting their tactics to make money
• What experts have to say about major vulnerabilities
• How adaptive, integrated solutions can quicken time to detection
• How enterprises fare in security preparedness
http://www.cisco.com/c/en/us/products/security/annual_security_report.html
5 Questions to Ask When a Security Breach Has Occurred
• 1) Has an attack occurred?
• 2) What is the scope of the compromise?
• 3) How do we contain the attack?
• 4) How do we prevent future attacks?
• 5) Should we communicate breaches?
http://www.business.com/internet-security/5-questions-to-ask-when-a-security-breach-has-occurred/
What do we do?!!
…. And Breathe …
Threat Landscape Demands more than Application Control
• 100% of companies connect to domains that host malicious files or services
• 54% of breaches remain undiscovered for months
• 60% of data is stolen in hours
It is a community that hides in plain sight, avoids detection and attacks swiftly.
Cisco Sees More Than the Competition
• Network Servers
• Operating Systems
• Routers and Switches
• Mobile Devices
• Printers
• VoIP Phones
• Virtual Machines
• Client Applications
• Files
• Users
• Web Applications
• Application Protocols
• Services
• Malware
• Command and Control Servers
• Vulnerabilities
• NetFlow
• Network Behavior
• Processes
The Cisco Security Model
Attack Continuum across Network, Endpoint, Mobile, Virtual and Cloud:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Point in Time → Continuous
Intelligent cybersecurity to protect against advanced threats
[Architecture diagram, organised BEFORE / DURING / AFTER across PEOPLE & DEVICES, WEB & EMAIL, CLOUD APPS, VPN and DATACENTER. Components shown: Recursive DNS (OpenDNS Umbrella), Any Port, Admin, NGFW/UTM, URL Filter, Leading Threat Intelligence Research Group, Roaming User and Endpoint User with AMP for Endpoints and AnyConnect VPN, CTA, NGFW / AMP for Network (Block / Warn / Allow, Cloud Option), Network Traffic Flow Analysis, Stealthwatch, AMP for Web & Email, Web & Email Security (CWS, WSA, CES, ESA), Dynamic Malware Analysis, AMP Threat Grid, NGIPS, NGIPSv, NGIPS/AMP, ASA, ASAv, ASA/Meraki MX, Identity Services (ISE), TrustSec]
Leverage ASA 5500-X Equipment with SSD and FirePOWER Services
Threat Scan, Risk Assessment, Proof of Value (PoV): POV Risk Reports
Contextual visibility of your network
Network Report, Attack Report, Advanced Malware Report
FirePOWER Delivers Best Threat Effectiveness
• Security Value Map for Intrusion Prevention System (IPS)
• Security Value Map for Breach Detection
Where Do You Enforce Security?
[Diagram: threats from the Internet (Malware, Botnets/C2, Phishing) reaching HQ, branches and mobile users through layers of Sandbox, Proxy, NGFW, NetFlow, Router/UTM and AV, each labelled "HERE?", "& HERE?" or "OR HERE?"]
CHALLENGES
• Too Many Alerts via Appliances & AV
• Wait Until Payloads Reach Target
• Every Payload Scan Slows Things Down
• Too Much Time to Deploy Everywhere
BENEFITS
• Alerts Reduced 2x; Improves Your SIEM
• Traffic & Payloads Never Reach Target
• Internet Access Is Faster, Not Slower
• Provision Globally in UNDER 30 MINUTES
Cisco OpenDNS – Free 14 Day Trial
Stop firefighting! Know your threats, know your enemy, and stop attacks before they hit your network!
Cisco Security Assessment Program
Network:
• Cyber Security Network Threat Scan / Risk Assessment: Cisco ASA5500x w/ FPWR, Cisco FirePower
Web:
• Cloud Web Security (CWS)
• OpenDNS Web Security (ODNS)
• Web Security Appliance (WSA)
Email:
• Cloud Email Security (L-CES)
• Email Security Appliance (ESA)
Agenda: Closing
Cisco ASA FWPR – More than just a Firewall – Threat focused NGFW
Continuous and Retrospective protection
OpenDNS, protect your network before the event happens!
Evals, Security Audits, POV Risk Reports
For more information contact:
Jay McDonald, Cisco Security Architecture Business Lead
Email: [email protected] Tel: 07917 846737
Thank you!