Page 1: Emerging Threats: Cisco Security Intelligence Operations

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

Emerging Threats:

Cisco Security Intelligence Operations

Jeff Shipley
Cisco Security Research and Operations

Page 2: Emerging Threats: Cisco Security Intelligence Operations


Agenda

Cisco Security Intelligence Operations

Cyber Risk Highlights and Emerging Threats for 2010-2011

Recommendations

Page 3: Emerging Threats: Cisco Security Intelligence Operations

Who Are We, What Do We Know, and

How Do We Know?

Page 4: Emerging Threats: Cisco Security Intelligence Operations

Cisco Security Intelligence Operations: Protect the Customer, Protect the Company

Cisco Security Intelligence Operations includes:

• Global Threat Operations Centers
• IntelliShield Threat and Vulnerability Analysis
• Managed Services and IPS
• SensorBase and SenderBase Analysts
• Corporate Security Programs Office, Global Policy & Government Affairs

Global in scope; encompasses network, content, physical and geopolitical security

Page 5: Emerging Threats: Cisco Security Intelligence Operations

Cisco Security Intelligence Operations

(Diagram: the external and internal inputs that feed Cisco Security Intelligence Operations.)

External security research and community sources: Incident Response Groups, CERTs, FIRST, ISACs, SANS, NIST, BugTraq, Full Disclosure, OSVDB, independent researchers

Internal security research and operations: Cisco TOCs, Cisco Applied Intelligence, Cisco PSIRT, Cisco IPS, Cisco RMS, Cisco CSPO, Cisco IronPort, Cisco ScanSafe, physical security

Page 6: Emerging Threats: Cisco Security Intelligence Operations

What We Watch: Seven Categories of Cyber Risk

1. Cyber Vulnerabilities and Threats

2. Physical

3. Legal

4. Trust

5. Identity

6. Human

7. Geopolitical

Risk = Vulnerability x Threat x Impact

Page 7: Emerging Threats: Cisco Security Intelligence Operations

What and Where are the Current Threats?

Page 8: Emerging Threats: Cisco Security Intelligence Operations

Our Top Ten

• Botnets (Toolkits)
• Web Exploits: SQL Injection / Cross-site Scripting
• Data and Intellectual Property Theft
• Malicious Business Documents (PDF, Office)
• Social Networks / Web 2.0
• Cloud and Virtualization
• Implied and Transient Trust (Social networks, Web)
• Open Wireless Networks
• Denial of Service Attacks (DoS / DDoS)
• IPv6/DNSSEC Deployments
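The SQL injection entry in that list, as an added example that is not part of the deck and not Cisco's code: a login query built by string concatenation next to the same query with bound parameters, run against a constructed in-memory SQLite table. The table, rows, hash strings and payloads are all assumed for illustration. The `--` comment marker in the payload is what lets the vulnerable query drop its password check.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample rows (not from the deck)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pw_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str) -> list:
    """The 'before': user input is spliced into the SQL text, so a quote or a
    comment marker in the input is parsed as SQL syntax, not as data."""
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND pw_hash = '%s'" % (username, pw_hash)
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, pw_hash: str) -> list:
    """The fix: placeholders keep SQL text and data separate; the driver binds the
    values, so a quote in the username is just a character in a string."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # "alice' --" closes the string and comments out the password check.
    print(login_vulnerable(db, "alice' --", "not-the-hash"))      # [('alice', 'admin')]
    print(login_parameterized(db, "alice' --", "not-the-hash"))   # []
    # A tautology plus the comment marker returns every row.
    print(login_vulnerable(db, "' OR '1'='1' --", "x"))           # both rows
    print(login_parameterized(db, "' OR '1'='1' --", "x"))        # []
```

The parameterized version never sees the payload as SQL; the driver sends it as a bound value. Any database driver with placeholder support behaves the same way, and hand-written escaping is not a substitute.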

Page 9: Emerging Threats: Cisco Security Intelligence Operations

Cybercrime Industry

Page 10: Emerging Threats: Cisco Security Intelligence Operations

Cybercrime Industry: Today

(Diagram: the $$$ flow of money runs from developers, through first stage abusers and middle men, to second stage abusers and end value.)

Developers
• Malware writers: worms, viruses, trojans, spyware
• Tool and toolkit writers

First Stage Abusers
• Machine harvesting (bot-net creation)
• Information harvesting
• Hacker / direct attack
• Internal theft: abuse of privilege

Middle Men
• Bot-net management: for rent, for lease, for sale
• Personal information
• Electronic IP leakage
• Information brokerage
• Compromised host and application

Second Stage Abusers
• Spammers / affiliates
• Phishers
• Extortionist / DDoS-for-hire
• Pharmer / DNS poisoning
• Identity theft

End Value
• Financial fraud
• Commercial sales
• Fraudulent sales
• Click-through revenue
• Espionage (corporate / government)
• Fame
• Extorted pay-offs
• Theft

Page 11: Emerging Threats: Cisco Security Intelligence Operations

Reducing the Noise Level

(Timeline chart, 2000 to 2011: public awareness over time of the major outbreaks.) ILOVEYOU, Code Red, Slammer, MyDoom, Storm, Conficker, Koobface, ZeuS, Rustock.C, Stuxnet, SpyEye

Page 12: Emerging Threats: Cisco Security Intelligence Operations


Cisco Cybercrime ROI Matrix

Page 13: Emerging Threats: Cisco Security Intelligence Operations


2011 Q2 Global Threat Trends

• Malware UP 272%

• SQL Attacks UP 350%

• DoS Attacks UP 43%

• Phishing UP ~30%

• Spam DOWN 20%

Page 14: Emerging Threats: Cisco Security Intelligence Operations


Social Networking: Opportunity and Vulnerability

• Business and network expansion

• Risk to Privacy, Identity, Trust, IP protection

• Small World Relationships

• The criminals are already there: Koobface, false security warnings, shortened URLs (tinyurl), transient trust, re-identification of anonymized data, compromised accounts, ‘Like’ jacking

• Policy and User Awareness: users are there, organizations are still trying to catch up

• Who is the customer? (Schneier)

Page 15: Emerging Threats: Cisco Security Intelligence Operations

Fake Profiles and Applications

The fake “Robin Sage” Twitter account was intended to attract highly placed officials within government and security. “Apps are the criminals' eyes”

Page 16: Emerging Threats: Cisco Security Intelligence Operations

Phishing and Variants

• Traditional phishing still in use, but limited

• Spear-phishing: targeted phishing
  - IT admins
  - Specific job roles
  - Specific companies

• Whaling: phishing attempts specifically targeting a high-value target
  - C-level execs

Page 17: Emerging Threats: Cisco Security Intelligence Operations

Cybercrime ROI: Potentials

Mobile Devices: Symbian attacks had limited success; smartphone attacks are more about exploiting the apps and users, haven't targeted OS vulnerabilities yet; limited malware development (Zitmo – ZeuS in the Mobile)

VoIP Abuse: brute force attacks on public PBX, intercepts and mailboxes, ‘vishing*’, network access point to jump VLANs, insider fraud. DDoS of VoIP services.

*vishing: social engineering using voice call phishing, usually for financial gain or sensitive information.

Page 18: Emerging Threats: Cisco Security Intelligence Operations

Spamming Gets Social, and Mobile

Scammers trick social network users into “liking” an intriguing Facebook page, allowing the scammers to see user profiles.

Page 19: Emerging Threats: Cisco Security Intelligence Operations


App Stores and Download Security Models

Apple – tightly controlled

RIM – tightly controlled

Microsoft - proprietary controlled

Android – Wide open, few checks, open operating system

Third Party sites: no guarantees

‘Apps’ are the Criminals' Eyes

Page 20: Emerging Threats: Cisco Security Intelligence Operations

ROI Cash Cows: oldies, but goodies

Advance Fee Fraud: Nigerian 419, Black Money…any and every scam involving the advancing of real money for promised returns

Pharma Spam: very popular with spam botnets; purchasing drugs at very low cost, illegal in host country, snake oil

Spyware/Scareware: ‘You are infected’, but ‘we can fix it.’ Fake AV was the 2009 and 2010 Top Money Maker for criminals

Click Redirect Fraud (and ‘Like’ jacking): Web forms, account information, credit cards, personal information

Page 21: Emerging Threats: Cisco Security Intelligence Operations

ROI Stars

Web Exploits: iFrame injection, compromised advertisement feeds, JavaScript, Search Engine Optimization, toolkits making it easier to hide

Data Theft Trojans: Zeus/SpyEye is still the king, with improving toolkits. Code exposure will likely spur even more activity

Money Laundering: the criminals' weakest point; actively changing methods, cashing out

Page 22: Emerging Threats: Cisco Security Intelligence Operations

Web Malware

Web malware encounters tripled in the first half of 2011

Web searches accounted for 9% of Web malware encounters; of those, an average of 33% came from Google search engine results pages

Toolkits making it easier: Blackhole, Neosploit, Phoenix and Random JS

Page 23: Emerging Threats: Cisco Security Intelligence Operations

Criminals' #1 Tool: Botnet Trends

Despite takedowns and ‘vacations’, top botnets reinvent, reshape, and retool.

Shifting Botnet Activity: In 2010, the Top 10 largest botnets accounted for approximately 47% of all botnet-compromised victims, down from 81% for the 2009 Top 10. Smaller and more numerous in 2011 (Top 20, 50?)

Damballa: Eight out of the Top 10 botnet operators utilized popular “off-the-shelf” construction kits. Only the “TDL/TDSS Gang” and “Eleonore Downloader Gang” are not known to be using DIY kits.

Page 24: Emerging Threats: Cisco Security Intelligence Operations

Vulnerability Trends

Page 25: Emerging Threats: Cisco Security Intelligence Operations

Annual Vendor Vulnerabilities

The Apple Example: managing open source software

Few exploits are currently being created for Apple-specific platforms, but exploits do exist for vulnerabilities in the open source components those platforms ship.

This is a totally hidden area of vulnerability for most organizations.

Vendor Security Improving: SDLC, researcher and vendor coordination, responsible and coordinated disclosure

Page 26: Emerging Threats: Cisco Security Intelligence Operations

Favoring Java: Going Cross-Platform

In 2010, Java exploits rose while PDF exploits fell.

Page 27: Emerging Threats: Cisco Security Intelligence Operations


The Tipping Point

Page 28: Emerging Threats: Cisco Security Intelligence Operations

U.S. Smartphone Usage

• 72.5 million people in the U.S. used mobile devices (+15% quarter over quarter)

• Top Smartphone Platforms, three months ending March 2011 (change in percentage points):

  Platform     DEC 2010   MAR 2011   Change
  Google        28.7%      34.7%     +6.0
  RIM           31.6%      27.1%     -4.5
  Apple         25.0%      25.5%     +0.5
  Microsoft      8.4%       7.5%     -0.9
  Palm           3.7%       2.8%     -0.9

• What are they doing?

  Activity                                    DEC 2010   MAR 2011   Change
  Sent text message to another phone           68.0%      68.6%     +0.6
  Used browser                                 36.4%      38.6%     +2.2
  Played games                                 23.2%      25.7%     +2.5
  Used downloaded apps                         34.4%      37.3%     +2.9
  Accessed social networking site or blog      24.7%      27.3%     +2.9
  Listened to music on mobile phone            15.7%      17.9%     +2.2

Source: comScore Reports, March 2011

Page 29: Emerging Threats: Cisco Security Intelligence Operations

Social Engineering: 7 Human Weaknesses

1. Sex Appeal – it's still the best seller

2. Greed – too good to be true?

3. Vanity – you are special, right?

4. Trust – implied or transient

5. Sloth – don't check, it's probably okay…

6. Compassion – please…donations, lost, need help, any emergency, disaster…

7. Urgency – ‘must act now’, ‘time is running out’…

Page 30: Emerging Threats: Cisco Security Intelligence Operations

Passwords: Access and Authentication

The problem of weak, guessable passwords is not a new one, but it isn't going away; in fact, it's getting worse due to reuse

Too many passwords, and the same password used on multiple web sites: one breached site exposes every account that shares the password

Secondary authentication has its own weaknesses and can open the user to phishing (an email account used as an authentication factor, secret questions?)

Multi-factor authentication using device or location, SMS one-time passwords…improving, but heavily dependent on implementation controls
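One concrete set of the implementation controls the last point refers to, as an added example that is not code from the deck or from Cisco: an RFC 6238 time-based one-time-password verifier with a bounded clock-skew window, constant-time comparison and one-time use, next to a naive verifier that has none of those and so accepts a phished or sniffed code a second time. The secret is the RFC 4226/6238 test-vector secret and the timestamps are chosen to land on its documented counters; `TotpVerifier`, `naive_verify` and the 6-digit, 30-second parameters are assumptions made here.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret; counters 0, 1, 2 give 755224, 287082, 359152.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_counter(now: float, step: int = 30) -> int:
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch."""
    return int(now // step)


def naive_verify(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """The weak implementation: plain string compare and no memory of codes already
    used, so a code captured inside the window can be replayed until it ages out."""
    current = totp_counter(now, step)
    return any(hotp(secret, c) == code for c in range(current - skew, current + skew + 1))


class TotpVerifier:
    """Server-side verifier with the controls the scheme depends on: a bounded skew
    window, constant-time comparison, and one-time use (a counter value that has
    been accepted once, or that is older than the last accepted one, is refused)."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1  # highest counter value already consumed by a login

    def verify(self, code: str, now=None) -> bool:
        if now is None:
            now = time.time()
        if not (len(code) == 6 and code.isdigit()):
            return False
        current = totp_counter(now, self.step)
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_counter:
                continue  # replay, or older than the last accepted step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(RFC_TEST_SECRET)
    print(v.verify("287082", now=59))                       # True: counter 1
    print(v.verify("287082", now=59))                       # False: replayed
    print(naive_verify(RFC_TEST_SECRET, "287082", now=59))  # True, every time
```

The per-user `last_counter` has to live in server-side state shared by every login front end; an SMS or app-based OTP that is checked with `==` and never marked as used gives the phisher the same window the user has.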

Page 31: Emerging Threats: Cisco Security Intelligence Operations

Trust: Implied and Transient

Implied Trust: an individual, business or organization that users are familiar with and implicitly trust: email security updates from major vendors, their banks, government agencies, FedEx/UPS/DHL

Transient Trust: six degrees of separation / the Small World Experiment, chain of trust, friend of a friend of a friend…an inherently flawed trust model used on social networks

Page 32: Emerging Threats: Cisco Security Intelligence Operations

"Advanced Persistent Threats"

Advanced, persistent, and a threat
- This is not your script kiddie's attack
- It is not your typical blended/combined attack

What is your risk?
- Are you really vulnerable?
- Is it a real threat?
- What is the real impact?

Throw “Black Swan” in there too?

APTs will become more common, continue to evolve, increase in sophistication, automation and availability

Page 33: Emerging Threats: Cisco Security Intelligence Operations

Distributed Denial of Service Attacks

• Sourced from botnets and attack tools – think DDoS as a Service (DDaaS)

• Diverse targets disrupting service to millions of customers
  – Cloud computing provider
  – Web hosting provider
  – Security provider
  – DNS registrar
  – Telecom provider

• Targeting DNS to amplify attacks

• Not extortion attempts

• LOIC tool – Anonymous/LulzSec

Page 34: Emerging Threats: Cisco Security Intelligence Operations

Threats on the Horizon

Page 35: Emerging Threats: Cisco Security Intelligence Operations

Productivity Technologies

• More types of new devices being added to networks

• Diversity of OS's and apps

• New network entry and exit points

• More data in more places

“…software glitches that need to be fixed—are part of the 'new reality' of making complex cell phones in large volumes.”

— Jim Balsillie, Co-CEO, Research In Motion

Page 36: Emerging Threats: Cisco Security Intelligence Operations

Productivity Technologies: Enable or Limit?

• The corporate network has expanded and is the key platform for growth

• It is also more permeable: remote access, Web-based tools, mobile devices

• Essential to today's workforce

• Don't be King Canute (Knud): you can't stop the rising tide

Page 37: Emerging Threats: Cisco Security Intelligence Operations

Distributed Workforce

• Borderless networking is real and now, but true “federated” security systems are a ways off yet

• Layers of defense and policy enforcement are critical: drop bad traffic as close to the source as possible, but ensure you've got at least a couple of “last lines of defense”. Identity-based networking can help

• People and processes are key to mitigating risk: user awareness and effective business processes are as important as technology solutions

Page 38: Emerging Threats: Cisco Security Intelligence Operations

What to Do?

Page 39: Emerging Threats: Cisco Security Intelligence Operations

Things You Can Do - Corp

• Stick to the basics: defense in depth, risk management, incident response, logging/monitoring

• Establish policy, procedures and processes, and enforce them with active controls

• Use your existing technology to its full capabilities

• Protect in both directions: inbound and outbound

• Educate your users and staff

• Stay focused: don't be distracted by the threat du jour

Page 40: Emerging Threats: Cisco Security Intelligence Operations

Cyber Security Strategy

• Strategy, Policy and Procedures

• Security Architecture

• Risk Management

• Holistic Approach

• (Your) Best Practices

• Continuous Monitoring

• Incident Response

• Awareness and Training

• Business Continuity / Disaster Recovery

Page 41: Emerging Threats: Cisco Security Intelligence Operations

Defense in Depth Security Controls: security is not binary, it's percentages

(Diagram: concentric layers of controls, listed here from the core outward, around the data, systems and assets being protected.)

• Data, Systems, Assets
• Administrative: Human/Policy
• Technical: Application/Service
• Technical: System/Platform
• Technical: Network/Logical
• Physical & Environmental

Page 42: Emerging Threats: Cisco Security Intelligence Operations

Continuous Monitoring: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics / SANS Control #6

• IDS/IPS
• AV / Anti-Malware / Anti-Spyware
• System logs
• Application logs
• Patch status
• Vulnerability scans
• DNS logging
• Configuration/change management system alerts
• Failed logins for privileged accounts
• Physical security logs for access to restricted areas
• Data Loss Prevention data
• Remote access logs
• Network device logs
• Account monitoring: locked out, disabled, terminated personnel, transferred personnel, dormant accounts, passwords that have reached the maximum password age, passwords that never expire
• Outbound traffic, including large transfers of data, unencrypted or encrypted
• Port scans
• Network access control lists and firewall rule sets
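Three of the items on that list turned into detection logic, as an added example that is not part of the deck and not Cisco's code: failed logins for privileged accounts, dormant accounts and passwords that never expire, and large outbound transfers. The log lines, account export and flow records are constructed sample data; the thresholds, the `10.0.0.0/8` internal range and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the deck): sshd-style auth log lines, a directory
# export of accounts, and outbound flow records as (src, dst, dst_port, bytes).
AUTH_LOG = """\
Jun 12 03:14:01 bastion sshd[4121]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jun 12 03:14:03 bastion sshd[4121]: Failed password for root from 198.51.100.23 port 51023 ssh2
Jun 12 03:14:05 bastion sshd[4121]: Failed password for root from 198.51.100.23 port 51024 ssh2
Jun 12 03:14:07 bastion sshd[4121]: Failed password for root from 198.51.100.23 port 51025 ssh2
Jun 12 03:14:09 bastion sshd[4121]: Failed password for root from 198.51.100.23 port 51026 ssh2
Jun 12 03:20:41 bastion sshd[4130]: Failed password for invalid user jdoe from 203.0.113.9 port 40211 ssh2
Jun 12 03:21:10 bastion sshd[4131]: Accepted password for alice from 10.0.0.15 port 40212 ssh2
"""
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "last_login": "2011-06-10", "pw_max_age_days": 90},
    {"user": "svc_backup", "enabled": True,  "last_login": "2011-01-03", "pw_max_age_days": None},
    {"user": "mallory",    "enabled": True,  "last_login": None,         "pw_max_age_days": 90},
    {"user": "former_emp", "enabled": False, "last_login": "2010-11-20", "pw_max_age_days": 90},
]
FLOWS = [
    ("10.0.0.15", "198.51.100.77", 443, 1_800_000_000),  # 1.8 GB out to the Internet over HTTPS
    ("10.0.0.15", "10.0.0.2",      445, 900_000_000),    # internal file-share traffic
    ("10.0.0.22", "203.0.113.50",  22,  2_500_000),      # small outbound SSH session
]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
PRIVILEGED = {"root", "admin", "administrator"}   # assumed list of privileged accounts
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed corporate address space


def failed_privileged_logins(log: str, threshold: int = 5) -> dict:
    """Count failed logins per (account, source IP) and return the privileged accounts
    that reached the threshold: the 'failed logins for privileged accounts' item."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group(1) in PRIVILEGED:
            counts[(m.group(1), m.group(2))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def account_findings(accounts: list, as_of: str, dormant_days: int = 90) -> dict:
    """Account monitoring: enabled accounts that are dormant (no login within
    dormant_days, or never) and passwords that never expire. Disabled accounts are
    skipped here; they belong in the terminated/transferred personnel review."""
    as_of_dt = datetime.strptime(as_of, "%Y-%m-%d")
    findings = defaultdict(list)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_login"]
        if last is None or as_of_dt - datetime.strptime(last, "%Y-%m-%d") > timedelta(days=dormant_days):
            findings["dormant"].append(acct["user"])
        if acct["pw_max_age_days"] is None:
            findings["password_never_expires"].append(acct["user"])
    return dict(findings)


def large_outbound_transfers(flows: list, threshold_bytes: int = 1_000_000_000) -> list:
    """Outbound traffic: flag transfers to non-internal destinations above the
    threshold, encrypted or not; the byte count, not the payload, is the signal."""
    return [
        flow for flow in flows
        if ipaddress.ip_address(flow[1]) not in INTERNAL and flow[3] >= threshold_bytes
    ]


if __name__ == "__main__":
    print(failed_privileged_logins(AUTH_LOG))             # {('root', '198.51.100.23'): 5}
    print(account_findings(ACCOUNTS, as_of="2011-06-12"))  # svc_backup and mallory dormant
    print(large_outbound_transfers(FLOWS))                 # the 1.8 GB HTTPS transfer
```

Each function returns structured findings rather than printing, so the same logic can feed a ticket, a SIEM correlation rule or a daily report; the thresholds are the knobs to tune per environment.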

Page 43: Emerging Threats: Cisco Security Intelligence Operations

Things You Can Do - Users

• Secure the browsers: www.us-cert.gov/reading_room/securing_browser/

• Manage passwords: use the available tools

• Manage your mobile devices and users: password, encryption, remote management

• Establish social network privacy settings

• Avoid free and public Wi-Fi connections

Page 44: Emerging Threats: Cisco Security Intelligence Operations

Thank You

visit us for more at

www.cisco.com/security