
Page 1: Cisco Live AMP

Local Edition

Page 2: Cisco Live AMP

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

Local Edition

Protecting Against Emerging Threats

Christopher Hoff

Advanced Malware Security Specialist

<SESSION ID>

Page 3: Cisco Live AMP


Agenda

• History of malware – How did we get here?

• Malware Trends: 2012 & 2013 cyber attacks

• Context is Key to Defense

• Q&A

Page 4: Cisco Live AMP


The Industrialization of Malware

1990 1995 2000 2005 2010 2015 2020

Hacking Becomes an Industry

Sophisticated Attacks, Complex Landscape

Phishing, Low Sophistication

Viruses: 1990–2000

Worms: 2000–2005

Spyware and Rootkits: 2005–Today

APTs, Cyberware: Today

Sourcefire Confidential Internal or Partner Use Only

Page 5: Cisco Live AMP


Malware as a Service

Exploit Kits let anyone be a cyber criminal

• Subscription Services
• 24/7 Tech Support
• Easy Configuration and Deployment
• C&C and Botnet Included
• Referral Services

Page 6: Cisco Live AMP


More than Just a File

Survey: What does the environment look like? What are the countermeasures?

Write: Craft context-aware malware to penetrate this environment

Test: Validate that the malware works and can evade countermeasures

Execute: Deploy malware. Move laterally, establish secondary access

Accomplish: Extract data, destroy, plant evidence, compromise.

Page 7: Cisco Live AMP


Don’t be Distracted by the DDoS

LOIC: Low Orbit Ion Cannon
- TCP, UDP, HTTP flood
- Anonymous (not so much)
- "Hivemind" feature for remote/central control, botnet control
- Social network campaigns to recruit users to join the DDoS

HOIC: High Orbit Ion Cannon
- HTTP flood only
- Boost Scripts: Evasion, randomization

JS LOIC

Brobat / itsoknoproblembro

Page 8: Cisco Live AMP


The end user… by the numbers

9% of users have at least one malware detection event, of which:

‒ 66% are repeat offenders

‒ 20% are frequent offenders

‒ 1.6% of users are completely pwned (>100 detections)

Approximate stats (one-month period). Source: Sourcefire VRT

I like to see what happens.

I am a clicker. I click links regardless.

Page 9: Cisco Live AMP


Context of Malware


Don’t think of isolated instances; instead, think ecosystem.

Address the ecosystem, otherwise re-infections occur.

Clean

Malicious: Original Dropper

Unknown

What about the files dropped by the dropper?

Page 10: Cisco Live AMP


Context Beyond the Event Horizon

Point-in-time Detection (Antivirus, Sandboxing)
- Initial Disposition = Clean
- Actual Disposition = Bad = Too Late!!
- Blind to scope of compromise
- Sandboxing: Not 100%, Analysis Stops (Sleep Techniques, Unknown Protocols, Encryption, Polymorphism)

Cisco AMP: Retrospective Detection, Analysis Continues
- Initial Disposition = Clean
- Turns back time
- Actual Disposition = Bad = Blocked
- Visibility and Control are Key
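The two preceding slides make one point together: a dropper that was first seen as "unknown" or "clean" may be reclassified as malicious later, and at that moment the defender needs the full trajectory, not just the one event (every host that saw the file, everything it dropped, and how long it has been resident). The following is an added example written for this page, not Cisco's or Sourcefire's code; it models a file-trajectory log as constructed records with placeholder digests and shows what a point-in-time verdict blocks versus what a retrospective look-back recovers once the verdict changes.

```python
"""Retrospective detection over a constructed file-trajectory log.

Added example (not code from the slides). Assumed record shape: each
observation carries the host, a timestamp, the file digest, the digest
of the file that wrote it (the dropper, if any) and the disposition the
file had at the moment it was observed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    ts: int                  # seconds since epoch (constructed)
    host: str                # endpoint that observed the file (constructed)
    sha256: str              # placeholder digest, not a real hash
    parent: Optional[str]    # digest of the dropper that wrote this file
    disposition: str         # verdict at observation time: clean/unknown/malicious


# Constructed trajectory: a dropper lands on two hosts with an "unknown"
# verdict and writes further files before it is later reclassified as bad.
TRAJECTORY = [
    FileEvent(100, "ws-01", "DROPPER_HASH", None, "unknown"),
    FileEvent(160, "ws-01", "PAYLOAD_A_HASH", "DROPPER_HASH", "clean"),
    FileEvent(300, "ws-07", "DROPPER_HASH", None, "unknown"),
    FileEvent(340, "ws-07", "PAYLOAD_B_HASH", "DROPPER_HASH", "unknown"),
    FileEvent(400, "ws-07", "PAYLOAD_C_HASH", "PAYLOAD_B_HASH", "unknown"),
    FileEvent(500, "ws-12", "UNRELATED_HASH", None, "clean"),
]


def point_in_time_blocked(events):
    """What a point-in-time control blocks: only files already judged
    malicious when they were seen. Hosts are returned sorted."""
    return sorted({e.host for e in events if e.disposition == "malicious"})


def dropped_by(events, root):
    """Transitive closure of files written by `root`: the dropper's
    ecosystem (children, grandchildren, ...), excluding root itself."""
    children = {}
    for e in events:
        if e.parent:
            children.setdefault(e.parent, set()).add(e.sha256)
    seen, stack = set(), [root]
    while stack:
        current = stack.pop()
        for child in children.get(current, ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def retrospective_scope(events, reclassified, now):
    """Called when `reclassified` is later judged malicious. Looks back over
    the whole trajectory and returns the remediation scope: every file in
    the ecosystem, every host that saw any of them, the earliest sighting
    and the resulting dwell time in seconds."""
    ecosystem = {reclassified} | dropped_by(events, reclassified)
    hits = [e for e in events if e.sha256 in ecosystem]
    if not hits:
        raise ValueError(f"{reclassified} never observed in trajectory")
    first_seen = min(e.ts for e in hits)
    return {
        "files": sorted(ecosystem),
        "hosts": sorted({e.host for e in hits}),
        "first_seen": first_seen,
        "dwell_seconds": now - first_seen,
    }


if __name__ == "__main__":
    print("point-in-time blocked hosts:", point_in_time_blocked(TRAJECTORY))
    print("retrospective scope:", retrospective_scope(TRAJECTORY, "DROPPER_HASH", now=1000))
```

The point-in-time pass blocks nothing, because every file was "clean" or "unknown" when observed; the retrospective pass, triggered by the later verdict on the dropper alone, returns both affected hosts, all three dropped files (including the one that had been called clean) and a 900-second dwell time. That difference is what the slide means by "blind to scope of compromise" versus "turns back time".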

Page 11: Cisco Live AMP


The Malware Triage Nightmare

Responding to an infection = Headaches = Time = $$ = Limited Effectiveness

Where do I start? How bad is the situation? What systems were impacted? What did the threat do? How do we recover? How do we keep it from happening again?

Page 12: Cisco Live AMP


Putting the Defenses into Context

Page 13: Cisco Live AMP


Context is Key

Looking at the whole picture

Page 14: Cisco Live AMP


Context for Network Assets

Looking at the whole picture

Page 15: Cisco Live AMP


Context for File Movement

Looking at the whole picture

Page 16: Cisco Live AMP


Context for File Movement

Looking at the whole picture

Page 17: Cisco Live AMP


Context for File Movement

Looking at the whole picture

Page 18: Cisco Live AMP


Context on the Endpoint

Looking at the whole picture

Page 19: Cisco Live AMP


Context unites different problem spaces …

Looking at the whole picture

Boundary

End-point

Infrastructure

From where?

To what?

To whom?

Where an event occurs defines the first questions analysts ask.

Placing the event in the right context is critical to reducing the valuable analyst time spent during a security incident.

Page 20: Cisco Live AMP


Feedback

Don’t forget to give us your feedback!


Page 21: Cisco Live AMP


Register for Cisco Live

Cisco Live

www.ciscolive.com/us
