BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
What?
Where?
Why?
What is a Threat?
A warning sign of possible trouble
Examples of Attacks
Targeted Hacking
Malware Outbreaks
Economic Espionage
Intellectual Property Theft or Loss
Network Access Abuse
Theft of IT Resources
Where? Targets: network services, applications, users. Attack anywhere; attack everywhere.
Evolution diagram (recovered labels only). Axes: Policy and Process Definition; Reaction; Mitigation Burden; Technology Evolution; End-User Support Burden. Stages named: Socialized Process, Formalized Process, Reactive Process, Operational Process, Manual Process, Human “In the Loop”, Automated Response.
Why?
Fame: not so much anymore (more on this with Trends)
Money: the root of all evil… (more on this with the Year in Review)
War: a battlefront just as real as the air, land, and sea
Trends
Timeline (recovered labels): SQL Slammer, Netsky, Bagle, MyDoom, Zotob; motivation moving from Fame to Money to Business.
Evolution of Motivation
Diagram (recovered labels): worms, viruses, Trojans lead to a compromised environment, which leads to espionage (corporate/government).
Chart (recovered labels): “noise” level and public awareness versus targeted attacks, 2000 to 2008; x-axis: Time.
Chart (recovered labels): targeted attacks versus illicit dollars gained, 2000 to 2008; x-axis: Time.
Botnets
Botnet: a collection of compromised machines running programs under a common command and control infrastructure.
Building the botnet: viruses, worms; infected spam; drive-by downloads; etc.
Source: www.wikipedia.com
Diagram (recovered labels): unsolicited email; DNS poisoning; online banking; MUNDO-BANK.COM; “Come see us at www.mundo-bank.com”; addresses shown: 172.168.1.1 and 172.168.254.254 (regular bank at 172.168.254.254).
Hosts File: mundo-bank.com = 172.168.254.254
Fast Flux
2007 as a Year
Case Studies
Corporate Liability: TJX Company’s customer database compromised
Malware in Action: Storm worm analyzed
Malware Industry: Gozi worm’s cybercrime links
Diagram (recovered labels): Canada; Winners; HomeSense
90,000,000
Corporate Liability—Aftermath
Storm infection chain (diagram; parties: BotHerder, infected webserver, infected user machine):
1. BotHerder updates malcode on webtrap
2. Initiate new spam pointing to webtrap
3. User reads the spam and clicks link
4. User machine infected
game0.exe—Backdoor/downloader
game1.exe—SMTP relay
game2.exe—Email address stealer
game3.exe—Email virus spreader
game4.exe—DDoS attack tool
game5.exe—Updated copy of Storm Worm dropper
Source: www.secureworks.com
403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
Slide annotations: sync with Microsoft time server; start process; edit firewall rules to allow network access.
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)
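The three trace slides above are a sequence of API calls a sandbox recorded while game0.exe ran. The Python script below is an added example (not from the presentation, and not a Cisco or SecureWorks tool) showing how a responder would triage such a trace: it parses each call and flags the behaviours worth escalating on, namely the copy into the Windows directory, the Run-key persistence, the netsh firewall exception, and the bind/listen on port 7018. The trace lines are re-typed from the slides with the split lines re-joined; the rule names and the Finding type are this example's own. One caveat the rules encode: CreateRemoteThread with h=ffffffff targets the process's own pseudo-handle, so the injection rule deliberately does not fire on the page's line and only fires for a handle to another process.

```python
"""Triage an API-call trace and flag defender-relevant behaviours.

Added example: parses trace lines of the form "<addr> <API>(<args>)" and
applies a few stateful rules.  Rule names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: the Storm dropper trace re-typed from the slides,
# with lines that extraction had split re-joined.
SAMPLE_TRACE = r"""
403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)
"""

CALL_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\w+)\s*\((.*)\)\s*$")
CURRENT_PROCESS = "ffffffff"  # GetCurrentProcess() pseudo-handle, i.e. not another process


@dataclass(frozen=True)
class Finding:
    rule: str
    addr: str
    detail: str


def parse_trace(text):
    """Return (addr, api, args) triples; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append((m.group(1).lower(), m.group(2), m.group(3).strip()))
    return calls


def analyze(text):
    """Run the behaviour rules over a trace and return the findings in trace order."""
    findings = []
    run_key_open = False   # set when the last RegOpenKeyExA targeted a Run key
    bound_ports = {}       # socket handle -> port, so listen() can be paired with bind()
    for addr, api, args in parse_trace(text):
        low = args.lower()
        if api == "Copy" and "->c:\\windows\\" in low:
            findings.append(Finding("self_copy_windows_dir", addr, args))
        elif api == "RegOpenKeyExA":
            run_key_open = "\\currentversion\\run" in low
        elif api == "RegSetValueExA" and run_key_open:
            findings.append(Finding("run_key_persistence", addr, args))
        elif api in ("WinExec", "CreateProcessA") and "netsh" in low and "allowedprogram" in low:
            findings.append(Finding("firewall_exception", addr, args))
        elif api == "CreateRemoteThread":
            m = re.search(r"h=([0-9a-fA-F]+)", args)
            # Only a handle to some other process counts as injection.
            if m and m.group(1).lower() != CURRENT_PROCESS:
                findings.append(Finding("remote_thread_injection", addr, args))
        elif api == "bind":
            m = re.search(r"^([0-9a-fA-F]+),\s*port=(\d+)", args)
            if m:
                bound_ports[m.group(1).lower()] = int(m.group(2))
        elif api == "listen":
            m = re.search(r"h=([0-9a-fA-F]+)", args)
            if m and m.group(1).lower() in bound_ports:
                port = bound_ports[m.group(1).lower()]
                findings.append(Finding("listening_backdoor_port", addr, f"port {port}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"{f.addr:>8}  {f.rule:<26} {f.detail}")
```

Run against the sample trace, the script reports four findings in call order: the self-copy at 403014, the Run-key write at 40305f, the firewall exception at 4030df and the listener on port 7018 at 40d9c7; the two WinExec/CreateProcessA calls that merely sync time and start the dropped copy are left alone, and the bind/listen pairing by handle avoids flagging a bind that never listens.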
Centralized command and control (diagram): controller communicates directly with bots; simplest, but limited ability to scale; single points of failure; DNS record points to the BotHerder.
Very sophisticated
“Victim of its own success”, yet still difficult to shut down
Just one example; there are others we don’t know about
Source: www.secureworks.com
GOZI: Conclusions
Web 2.0
Eavesdropping: earliest attacks focused on this (VOMIT); however, effective deployment of secure voice makes this very difficult (easier to use other means to access info)
Denial of service: disgruntled employees or extortionists may target the voice infrastructure by a variety of mechanisms
Diagram (recovered labels): endpoint enforcement points; internal consumers; application front end; centralized data stores (structured and unstructured); data transit enforcement points; external consumers; decentralized data stores.
Trend: Outsourcing
De-perimeterization is real
True “federated” security systems are still a long way off
Chart (recovered labels): Level of Mitigation versus Level of Risk Aversion, from Risk Averse to Risk Tolerant.
There’s always something out there that can affect your business.
Effective understanding of business risk is critical to determining priorities in your response plan.
The Challenge: every application is business critical to someone.
Example: Network-Based Structured Data Controls (diagram; labels: Request, Response)
Network diagram (recovered labels): Management Network; Internet Connections; Corporate Network; Internet; Corporate LAN; Business Partner Access; Remote Access Systems; Extranet Connections.
Tackling Malware: Solutions Across the Network
Diagram zones (recovered labels): Remote/Branch Office; Data Center; Management Network; Internet Connections; Corporate Network; Corporate LAN; Business Partner Access; Remote Access Systems; Extranet Connections (STOP/GO markers not recoverable).
Endpoint Protection
Infection prevention: Cisco Security Agent
Infection remediation: desktop anti-virus; Microsoft and other anti-spyware SW
Network-Based Content Control
Multi-function security devices; firewalls; intrusion prevention systems; proxies
Network Admission Control
Ensure endpoint policy compliance
Diagram (recovered labels): steps 3 and 4 of the cycle, Containment and Control, and Recovery.
Technology Recommendations
Vulnerability Characteristics
Mitigation Technique Overview
Risk Management
Device-Specific Mitigation and Identification
Cisco IOS® Routers and Switches
Cisco IOS NetFlow
Cisco ASA, PIX®, and FWSM Firewalls
Cisco Intrusion Prevention System
Cisco Security Monitoring, Analysis, and Response System
Recommended Reading