Local Edition
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Protecting Against Emerging Threats
Christopher Hoff
Advanced Malware Security Specialist
Agenda
• History of malware – How did we get here?
• Malware Trends: 2012 & 2013 cyber attacks
• Context is Key to Defense
• Q&A
The Industrialization of Malware
Timeline: 1990, 1995, 2000, 2005, 2010, 2015, 2020
Hacking Becomes an Industry
Sophisticated Attacks, Complex Landscape
Phishing, Low Sophistication
Viruses: 1990–2000
Worms: 2000–2005
Spyware and Rootkits: 2005–Today
APTs, Cyberware: Today
Sourcefire Confidential Internal or Partner Use Only
Malware as a Service
Exploit Kits let anyone be a cyber criminal
• Subscription Services
• 24/7 Tech Support
• Easy Configuration and Deployment
• C&C and Botnet Included
• Referral Services
More than Just a File
Survey: What does the environment look like? What are the countermeasures?
Write: Craft context-aware malware to penetrate this environment
Test: Validate that the malware works and can evade countermeasures
Execute: Deploy malware. Move laterally, establish secondary access
Accomplish: Extract data, destroy, plant evidence, compromise.
Don’t be Distracted by the DDoS
LOIC: Low Orbit Ion Cannon
- TCP, UDP, HTTP flood
- Anonymous (not so much)
- "Hivemind" feature for remote/central control, botnet control
- Social network campaigns to recruit users to join the DDoS
HOIC: High Orbit Ion Cannon
- HTTP flood only
- Boost Scripts: Evasion, randomization
JS LOIC
Brobat / itsoknoproblembro
The end user… by the numbers
9% of users have at least one malware detection event, of which:
‒ 66% are repeat offenders
‒ 20% are frequent offenders
‒ 1.6% of users are completely pwned (>100 detections)
Approximate stats (one-month period). Source: Sourcefire VRT
I like to see what happens.
I am a clicker. I click links regardless.
Context of Malware
Don’t think of isolated instances; instead, think ecosystem. Address the ecosystem, otherwise re-infections occur.
Dispositions: Clean, Malicious (Original Dropper), Unknown
What about the files dropped by the dropper?
Context Beyond the Event Horizon
Antivirus and Sandboxing (Point-in-time Detection):
- Initial Disposition = Clean
- Not 100%; Analysis Stops
- Evaded by: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
- Actual Disposition = Bad = Too Late!!
- Blind to scope of compromise
Cisco AMP (Retrospective Detection, Analysis Continues):
- Initial Disposition = Clean
- Actual Disposition = Bad = Blocked
- Turns back time
- Visibility and Control are Key
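As an added illustration of the two preceding slides (the dropper ecosystem, and a disposition that changes after a point-in-time engine has already said "clean"), not code from the deck or from Cisco AMP: the tracker below records which hosts saw each file and which files a dropper wrote, then replays a later verdict across all of them. Hostnames, hashes and verdicts are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample telemetry (placeholder hashes, not from the deck). Each
# event: (timestamp, host, file_hash, parent_hash_or_None, verdict_at_that_time).
EVENTS = [
    (1, "ws-01", "h_dropper",  None,        "unknown"),
    (2, "ws-01", "h_payload1", "h_dropper", "clean"),    # point-in-time engine: clean
    (3, "ws-02", "h_dropper",  None,        "unknown"),
    (4, "ws-02", "h_payload2", "h_dropper", "unknown"),
    (5, "ws-03", "h_benign",   None,        "clean"),
]


class RetrospectiveTracker:
    """Keeps sightings and dropper lineage so that a verdict arriving later
    can be replayed over everything the file touched (the "turns back time" idea)."""

    def __init__(self, events):
        self.hosts = defaultdict(set)      # file_hash -> hosts that saw it
        self.children = defaultdict(set)   # dropper hash -> hashes it wrote
        self.initial = {}                  # verdict when the file first arrived
        self.disposition = {}              # current verdict, updated retrospectively
        for _ts, host, h, parent, verdict in sorted(events, key=lambda e: e[0]):
            self.hosts[h].add(host)
            self.initial.setdefault(h, verdict)
            self.disposition.setdefault(h, verdict)
            if parent is not None:
                self.children[parent].add(h)

    def point_in_time_blocked(self, file_hash):
        """What a point-in-time engine did: block only if it was bad on arrival."""
        return self.initial.get(file_hash) == "malicious"

    def reclassify(self, file_hash, verdict="malicious"):
        """A later verdict (sandbox, cloud intel) arrives. Mark the file, flag every
        descendant it dropped as suspect, and return the scope of compromise as
        {file_hash: sorted hosts} for the file and all of its descendants."""
        scope, stack, seen = {}, [file_hash], set()
        while stack:
            h = stack.pop()
            if h in seen:
                continue
            seen.add(h)
            if h == file_hash:
                self.disposition[h] = verdict
            elif self.disposition.get(h) != "malicious":
                self.disposition[h] = "suspect"   # written by a known-bad parent
            scope[h] = sorted(self.hosts[h])
            stack.extend(self.children[h])
        return scope
```

The returned scope is what the triage slide asks for ("What systems were impacted? What did the threat do?"): every host that saw the dropper and every file it wrote, including the payload that was marked clean at the time.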
The Malware Triage Nightmare
Responding to an infection = Headaches = Time = $$ = Limited Effectiveness
Where do I start? How bad is the situation? What systems were impacted? What did the threat do? How do we recover? How do we keep it from happening again?
Putting the Defenses into Context
Context is Key
Looking at the whole picture
Context for Network Assets
Looking at the whole picture
Context for File Movement
Looking at the whole picture
Context on the Endpoint
Looking at the whole picture
Context unites different problem spaces …
Looking at the whole picture
Boundary
End-point
Infrastructure
From where?
To what?
To whom?
Where an event occurs defines the first questions analysts ask.
Placing the event in the right context is critical in reducing valuable analyst time during a security incident.
Feedback
Don’t forget to give us your feedback!
Register for Cisco Live
Cisco Live
www.ciscolive.com/us