Emerging Threats

BRKSEC-2001

BRKSEC-2001 14330_04_2008_c1

© 2008 Cisco Systems, Inc. All rights reserved.

Cisco Public


Agenda
• What? Where? Why?
• Trends
• Year in Review
• Case Studies
• Threats on the Horizon
• Threat Containment


What? Where? Why?


What? Where? Why?
What is a Threat?
  A warning sign of possible trouble
Where are Threats?
  Everywhere you can, and more importantly cannot, think of
Why are there Threats?
  The almighty dollar (or euro, etc.): the underground cybercrime industry is growing with each year


Examples of Attacks
• Targeted Hacking
• Malware Outbreaks
• Economic Espionage
• Intellectual Property Theft or Loss
• Network Access Abuse
• Theft of IT Resources


Where Can I Get Attacked?
• Operating System
• Network Services
• Applications
• Users
Attack: Anywhere. Attack: Everywhere.

Operational Evolution of Threats
(Matrix: each row progresses left to right as a threat matures from emerging to nuisance)

Threat Evolution (Reaction):
  Emerging Threat / Unresolved Threat  →  Nuisance Threat
Policy and Process Definition:
  Reactive Process  →  Socialized Process  →  Formalized Process
Mitigation Technology Evolution (Operational Burden):
  Manual Process  →  Human “In the Loop”  →  Automated Response
End-User Awareness (Support Burden):
  No End-User Knowledge  →  “Help-Desk” Aware—Know Enough to Call  →  End-User Increasingly Self-Reliant


Operational Evolution of Threats (same matrix, annotated)
• Emerging Threat / Unresolved Threat: “New”, unknown, or problems we haven’t solved yet
• Nuisance Threat: the largest volume of problems; the focus of most day-to-day security operations

Why?
Fame
  Not so much anymore (more on this with Trends)
Money
  The root of all evil… (more on this with the Year in Review)
War
  A battlefront just as real as the air, land, and sea


Trends


Trends
• Evolution of Hacker Motivation
• No Longer the Lone Hacker
• The Cybercrime Industry
• Hosting Services
• Designer Malcode
• Botnets
• Spyware
• Phishing
• Fast Flux

Evolution of Motivation
(Timeline, 2002–2008: motivation shifts from Fame, through Money, to Business)
Fame era examples, each a major media event: SQL Slammer; Netsky, Bagle, MyDoom; Zotob
Money
Business

Evolution of Motivation
• Fame is not all it’s cracked up to be
• To make money effectively and without detection you need to be unknown
• People are prepared for what they know



No Longer the Lone Hacker
• Hackers are forming development teams to work on creating malicious code
• Highly intelligent individuals are collaborating to create new viruses and other malicious code
• Software development tools for handling large projects are being used
• Development is not unlike normal software development in the IT industry
• The shared information and talents of many very skilled hackers working together can be worse than any one working alone

The Cybercrime Industry
• A group develops custom malcode
• Custom malcode is made available for purchase
• ISP administrators are paid to host malicious code on sites that they control
• Malcode collects usernames and passwords as well as credit card numbers
• Credit card numbers, usernames and passwords are put up for sale

Cybercrime Industry: In the Past
Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans)
  → Compromise Environment
Asset: Compromise Individual Host or Application
  → End Value: Fame, Theft, Espionage (Corporate/Government)

Cybercrime Industry: Today
(Value chain, left to right, following the $$$ Flow of Money $$$; the grouping of items under columns is reconstructed from the slide layout)
Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans, Spyware)
First Stage Abusers: Hacker/Direct Attack; Information Harvesting; Machine Harvesting; Internal Theft: Abuse of Privilege
Middle Men: Compromised Host and Application; Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Personal Information; Information Brokerage; Electronic IP Leakage
Second Stage Abusers: Spammer; Phisher; Pharmer/DNS Poisoning; Extortionist/DDoS-for-Hire; Identity Theft
End Value: Fame; Theft; Espionage (Corporate/Government); Extorted Pay-Offs; Commercial Sales; Fraudulent Sales; Click-Through Revenue; Financial Fraud

Cybercrime Industry: Hosting Services
• Hosting services are for sale as part of the total package
• Hosting sites can hold a database of collected information
• Hosting sites can serve as a sales portal for individuals wishing to purchase stolen information
• Standard rates for data sales are being established

Designer Malcode
• Malcode designed to bypass virus scanners is made for sale
• Malcode is designed to collect information and upload it to a database
• Backup malcode is also available to replace the active malcode once it begins to be detected by virus scanners
• Malcode is designed to be very difficult to reverse engineer or to determine its functionality, making it harder to detect and harder to trace where the data is being sent

[Chart: “Noise” Level / Public Awareness versus Time (2000–2008); curves plotted: Large Scale Worms, Targeted Attacks]

[Chart: Cyber Crime Profit Level, Illicit Dollars Gained versus Time (2000–2008); curves plotted: Targeted Attacks, Large Scale Worms]

Botnets
Botnet: a collection of compromised machines running programs under a common command and control infrastructure
Building the Botnet:
  Viruses, worms; infected spam; drive-by downloads; etc.
Controlling the Botnet:
  • Covert channel of some form; typically IRC or a custom IRC-like channel
  • Historically have used free DNS hosting services to point bots to the IRC server
  • Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems
  • Control services are increasingly placed on compromised high-speed machines (e.g. in academic institutions)
  • Redundant systems and blind connects are implemented for resiliency
Further example as a case study
Source: www.wikipedia.com

Using a Botnet to Send Spam
1. A botnet operator propagates by viruses, worms, spam, and malicious websites
2. The PCs log into an IRC server or other communications medium
3. A spammer purchases access to the botnet from the operator
4. The spammer sends instructions via the IRC server to the infected PCs…
5. …causing them to send out spam messages to mail servers
Source: www.wikipedia.com

What about Spyware?
Still a major threat
  • Drive-by downloads are still a major source of infestation; ActiveX vulnerabilities in particular enable this
  • However, confusing or misleading EULAs are still a problem
A Trojan by any other name—
  • Spyware is increasingly indistinguishable from other forms of malware
  • Nasty race condition: the sheer number of variants makes it very difficult for technology solutions to hit 100% accuracy at a given moment
Rise of intelligent spyware
  • Directed advertising is more valuable than undirected
  • More sophisticated spyware matches user-gathered data with directed advertising
  • Bot-based spyware is also more valuable, as it can be updated over time

Phishing, Pharming, and Identity Theft
(Diagram: the legitimate bank MUNDO-BANK.COM is at 172.168.1.1; the attacker’s look-alike site MUNDOBANK.COM is at 172.168.254.254)
Phishing: an unsolicited e-mail impersonating MUNDO-BANK.COM (“Come see us at www.mundo-bank.com”) links to 172.168.254.254, so the user lands on the attacker’s site
Pharming: DNS poisoning, or a tampered hosts file (mundo-bank.com = 172.168.254.254), sends the user’s regular online banking session to 172.168.254.254 even though the correct name was used
• Identity theft continues to be a problem
• Phishing scams are growing in sophistication every day
• Protecting your users: implement some technology, but don’t forget user education!!
If you’re a target:
  • Consider “personalization” technologies (e.g. user-chosen images on a webpage)
  • Support identified mail initiatives, like DKIM
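The pharming half of the diagram works by rewriting the victim's hosts file. As an added example (not part of the Cisco deck), here is a small Python audit of a hosts file that flags exactly that kind of override: every entry mapping a non-local name to a non-loopback address is reported, with high severity when the name is on a watch list of brands the organisation cares about. The sample hosts file, the watch list and the allowed_networks policy are constructed for the demonstration and reuse the slide's fictitious mundo-bank.com name and addresses.

```python
"""Audit a hosts file for pharming-style overrides (added example).

The slide shows pharming done by writing "mundo-bank.com = 172.168.254.254"
into the victim's hosts file. A defender can catch that by parsing the
hosts file and flagging any entry that maps a non-local name to a
non-loopback address, weighting names on a watch list more heavily.
"""
import ipaddress
import re

# Constructed sample: what a tampered hosts file might look like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.10.5    printer.corp.example        # legitimate internal entry
172.168.254.254 mundo-bank.com www.mundo-bank.com   # pharming override
"""

# Names a legitimate hosts file commonly contains.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) tuples from hosts-file text.

    Handles comments, blank lines, tabs and several names per line.
    Lines whose first field is not a valid IP address are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip("."), line_no


def is_watched(name, watchlist):
    """True if name equals or is a subdomain of any watch-list domain."""
    return any(name == d or name.endswith("." + d) for d in watchlist)


def audit_hosts(text, watchlist=(), allowed_networks=()):
    """Return a list of findings for suspicious hosts-file entries.

    allowed_networks: internal ranges where a private-name override is
    considered normal (a constructed policy knob, not from the deck).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if ip.is_loopback or name in LOCAL_NAMES:
            continue                      # ordinary loopback entries
        if is_watched(name, watchlist):
            sev = "high"                  # a brand we care about is overridden
        elif any(ip in n for n in nets):
            continue                      # internal name on an internal range
        else:
            sev = "medium"                # any other non-local override
        findings.append({"line": line_no, "name": name,
                         "ip": str(ip), "severity": sev})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watchlist=["mundo-bank.com"],
                         allowed_networks=["192.168.0.0/16"]):
        print(f)
```

Run it against the real file (/etc/hosts or %SystemRoot%\System32\drivers\etc\hosts) with the organisation's own brand list; anything reported as high is a hosts-file redirect of a name that should never be resolved locally.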

Fast Flux
• Malicious IP addresses are changing quickly
• Botnets are the new DNS servers
• Very low time to live (TTL) on the A record
• Infected hosts acting as DNS servers
• Traditional DNS-based security measures are no longer effective
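A defender can turn the tell-tales on this slide into a passive-DNS check. The following Python detector is an added example, not from the deck: it scores each queried name on median TTL, the number of distinct answer IPs seen and their spread across /16 prefixes (used here as a cheap stand-in for ASN diversity when no ASN data is at hand), and flags a name only when all three trip. Requiring all three is what keeps a low-TTL CDN name with a small, tightly clustered pool from being a false positive. The observation log, thresholds and names are constructed; the addresses are documentation and private ranges, not real resolutions.

```python
"""Flag fast-flux candidates from passive-DNS observations (added example)."""
from collections import defaultdict
import ipaddress
import statistics

# Constructed passive-DNS log: (unix_time, name, ttl_seconds, answer_ip)
OBSERVATIONS = [
    # a CDN-style name: low TTL but a stable, tightly clustered pool
    (1000, "cdn.example.net", 60, "203.0.113.10"),
    (1060, "cdn.example.net", 60, "203.0.113.11"),
    (1120, "cdn.example.net", 60, "203.0.113.10"),
    (1180, "cdn.example.net", 60, "203.0.113.12"),
    # a stable corporate name: long TTL, one address
    (1000, "www.example.com", 86400, "198.51.100.5"),
    (2000, "www.example.com", 86400, "198.51.100.5"),
    # a flux-style name: tiny TTL, a new address almost every query,
    # scattered across unrelated prefixes (compromised home hosts)
    (1000, "pharm.example.org", 120, "10.4.7.20"),
    (1120, "pharm.example.org", 120, "172.16.9.3"),
    (1240, "pharm.example.org", 120, "192.168.77.8"),
    (1360, "pharm.example.org", 120, "10.200.1.9"),
    (1480, "pharm.example.org", 120, "172.31.5.5"),
    (1600, "pharm.example.org", 120, "192.0.2.44"),
]


def slash16(ip):
    """Return the /16 network an IPv4 address falls in."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarize(observations):
    """Aggregate raw observations into per-name statistics."""
    per_name = defaultdict(lambda: {"ttls": [], "ips": set(), "nets": set()})
    for _ts, name, ttl, ip in observations:
        s = per_name[name]
        s["ttls"].append(ttl)
        s["ips"].add(ip)
        s["nets"].add(slash16(ip))
    return {n: {"median_ttl": statistics.median(s["ttls"]),
                "distinct_ips": len(s["ips"]),
                "distinct_nets": len(s["nets"]),
                "queries": len(s["ttls"])}
            for n, s in per_name.items()}


def is_fast_flux(stats, max_ttl=300, min_ips=5, min_nets=3):
    """Heuristic: low TTL AND many IPs AND spread over many /16s.

    Thresholds are constructed starting points; tune them against the
    environment's own baseline before alerting on them.
    """
    return (stats["median_ttl"] <= max_ttl
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets)


def find_fast_flux(observations, **thresholds):
    """Return the sorted list of names that trip the heuristic."""
    summary = summarize(observations)
    return sorted(n for n, st in summary.items()
                  if is_fast_flux(st, **thresholds))


if __name__ == "__main__":
    for name, st in summarize(OBSERVATIONS).items():
        print(f"{name:20} {st}  flux={is_fast_flux(st)}")
    print("candidates:", find_fast_flux(OBSERVATIONS))
```

Feed it the answer sections from a resolver log or a passive-DNS sensor over a window of a few hours; names that keep tripping the heuristic are the ones to block at the resolver, since the individual IPs behind them are not worth blocking.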

What Does this Mean?
• People utilizing the emerging threats of today want them to stay unknown
• What you don’t hear about is what you should be concerned about
• Intelligence is important


Year in Review


2007 as a Year
• Security fad: Month of Bugs; fuzzers offer a tremendous way to find vulnerabilities
• Application vulnerabilities up 17% from 2006 (according to Cisco IntelliShield)
• Botnet control channels up 57% from 2006 (according to ShadowServer.org)
• 1,200 new websites per day hosting malware (according to MessageLabs)

2007 as a Year
• Global spam up 50% from 2006, with a considerable uptick in the types of spam attachment (according to IronPort)
• One unique phishing scam every 2 minutes in 2007 (according to PhishTank)
• Over 10 targeted malcode attacks per day, up from 1 per day in 2006 (according to MessageLabs)
• 163 million records with personal data compromised in 2007, up from 48 million in 2006 (according to Attrition.org)

Fuzzers in Action—Month of Bugs
• Trend started in mid 2006 with the Month of Browser Bugs
• Jan ’07: Month of Apple Bugs (MoAB)
• Mar ’07: Month of PHP Bugs (MoPB)
• April ’07: Month of MySpace Bugs (MoMYB)
• May ’07: Month of ActiveX Bugs (MoAXB)
• June ’07: Month of Search Engine Bugs (MoSEB)

Stock Advice from Spam
• Canadian company Diamant Art’s stock price tripled in one day, from .08 cents to .25 cents
• No positive news was released by the company
• Spam touting the stock was solely responsible for the rise in stock price
• Most spam-touted stocks only gain ~2%, which is quickly lost

Stop Trading Spam Stocks
• March 2007: the US Securities and Exchange Commission announced that 25 stocks would be suspended from trading for 10 days
• Not viewed as an effective way to stop stock spam
• It is a start; government bodies are starting to wake up

F.B.I. Nabs BotHerders
• June 2007: the US F.B.I. announced the arrest of 3 different BotHerders who were responsible for over 1 million infected machines
• A step in the right direction, even if it was a relatively small group
• The real news: if the F.B.I. is on your trail, then your technology has matured

iPhone Releases, Gets Hacked
• July 2007: less than one month after the US release of Apple’s highly anticipated iPhone, a major vulnerability was discovered enabling a complete compromise
• New vector, new attack
• As other vendors scramble to match the iPhone in functionality, similar attacks are likely

Google Ads Link to Malicious Sites
• December 2007: a security researcher discovered that several sites using Google ads were linking to malicious websites
• Google swiftly reacted by shutting down the ad providers
• No way to know for certain how many users were infected, nor who was at fault

Radio Frequency ID (RFID) Cloning
• The last 12 months have seen several different demonstrations highlighting technology to clone RFID tags
• Legal methods were used to suppress demonstrations
• Current demonstrations are more theoretical and not likely to be easily carried out
RFID is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags
- Wikipedia

Pretexting Makes Headlines
• Hewlett Packard admits using pretexting to investigate internal officers
• Xbox Live accounts suffer from pretexting attacks; a group calling itself Clan Infamous claimed to steal 10 accounts a day
Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action, and is usually done over the telephone
- Wikipedia

P2P Networks Used for DoS Attacks
• Flaw in the open source peer-to-peer hub software DC++
• Allowed an attacker to direct clients to any site, resulting in a DoS
• A large amount of blackmail money was demanded to prevent the attack

Conclusions from 2007
• Botnets have come into their own
• Targeted attacks are increasingly the norm
• The cybercrime industry is pushing “innovation” in malware
• Focus on applications

Case Studies


Case Studies
Corporate Liability
  TJX Company’s customer database compromised
Malware in Action
  Storm worm analyzed
Malware Industry
  Gozi worm’s cybercrime links

Corporate Liability—About the Company
TJX is the parent company for a family of discount retailers
  United States: Marshalls, TJ-Maxx, HomeGoods
  Canada: Winners, HomeSense
  UK, Ireland, Germany: TK-Maxx

Corporate Liability—How it Happened
• The attack originated at a Marshalls store in St. Paul, Minnesota
• Attackers used a telescope-shaped antenna to read WiFi signals
• WiFi-enabled price scanners were targeted to get network access info
• Once on the network, the database was targeted
• Data harvesting started in mid 2005 and carried through the end of 2006

Corporate Liability—What was Affected
• Initially thought to be 45.6M credit card numbers compromised, later updated to 90M
• Included “Track 2 Data”
• Biggest credit card number heist in history
• Over 80 GB of network traffic sent to an outside server
90,000,000

Corporate Liability—Example of Use
• Nov. ’06: Florida law enforcement claims at least 10 thieves used the credit card data in a gift card scheme
• Over $8M in gift cards purchased
• 6 people tied to the gift card scheme were arrested
• The gift card scheme was carried out months before TJX discovered the compromise

Corporate Liability—Aftermath
• Believed to be responsible for between $68M and $83M of fraud in over 13 countries
• Class-action consumer lawsuit settled: $20 store voucher, 3 years of credit monitoring, $20,000 ID theft coverage
• Banks and financial institutions sued: yet to be determined
• Estimated costs to TJX are over $150M

Corporate Liability—Conclusions
• Every company needs to be concerned
• It does not have to be credit cards
• Governments are creating laws requiring disclosure
• One incident can cost much more than years of a quality security infrastructure

Malware in Action—Storm Worm
• Started as PDF spam in early 2007
• Evolved to use e-card and YouTube invites
• Uses spam with links to malicious sites as its main vector of propagation
• Utilizes social engineering techniques to trick users into visiting malicious sites

Malware in Action—Storm Worm
Email spam example:
  To: Tony Hall
  From: Dale Hammond
  Subject: Dear Friend
  Hi. Nice to meet u and my friend operates a company .i have got something from him and i must say that the quality is so good .SO i tell u the truth and hope u can connect him and welocme to his website www.ouregoods.com. If u have any questions u can add ouregoods@hotmail.com we are pleasure to help ,good luck to u!

Malware in Action—Storm Worm
(Diagram: BotHerder, Infected Webserver and victim machine; steps numbered 1–4, the victim ending up Infected)
1. BotHerder updates the malcode on the webtrap
2. Initiates new spam pointing to the webtrap
3. User reads the spam and clicks the link
4. User machine infected

Malware in Action—Storm Worm
Payload files:
  game0.exe—Backdoor/downloader
  game1.exe—SMTP relay
  game2.exe—Email address stealer
  game3.exe—Email virus spreader
  game4.exe—DDoS attack tool
  game5.exe—Updated copy of Storm Worm dropper
Source: www.secureworks.com

Malware in Action—Storm Worm
API trace (self-copy and startup persistence):
  403014   Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
  77e6bc59 WriteFile(h=7a0)
  403038   RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
  40305f   RegSetValueExA (disnisa)
• Copies itself to C:\Windows\disnisa.exe
• Sets the registry to run on startup

Malware in Action—Storm Worm
API trace (time sync, process start, firewall rule):
  402ba0   WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
  77e7d0b7 WaitForSingleObject(788,64)
  40309b   CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
  4030df   WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
• Sync with the Microsoft time server
• Start the process
• Edit firewall rules to allow network access

Malware in Action—Storm Worm
API trace (remote thread and listening socket):
  77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
  40da1b   bind(b8, port=7018)
  40d9c7   listen(h=b8 )
  40a262   WaitForSingleObject(d4,2710)
• Connect with the remote machine
• Wait for a command
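Read together, the three trace slides are a behaviour checklist: self-copy into the Windows directory, Run-key persistence, a firewall exception, launching the dropped copy, a remote thread and a listening socket. As an added example (not from the deck or from SecureWorks), the Python script below parses sandbox trace lines in that shape (hex address, API name, argument list) and tags those behaviours, keeping state between calls so that RegSetValueExA is only flagged after a Run key was opened and the CreateProcessA target is checked against paths the sample copied itself to. The input is the deck's own trace lines joined into one constructed log; the rule names and the ATT&CK technique IDs attached to three of them are the example author's choice.

```python
"""Behavioural triage of a sandbox API-call trace (added example)."""
import re

# Constructed log: the Storm Worm trace lines from the slides, joined.
TRACE = r"""
403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)
"""

# <hex address> <API name> [space] ( <arguments> )
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\w+)\s*\((.*)\)\s*$")


def parse_trace(text):
    """Return a list of (address, api, args) triples; unparsable lines are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            calls.append((m.group(1).lower(), m.group(2), m.group(3).strip()))
    return calls


def triage(calls):
    """Tag behaviours; returns a list of dicts (tag, technique, addr, detail).

    The rules are stateful: a registry write only counts as persistence if
    the most recently opened key was a Run key, and a process launch only
    counts as "executes dropped copy" if the path was a self-copy target.
    """
    findings = []
    dropped = set()          # paths the sample copied itself to
    last_key = ""            # most recently opened registry key
    last_port = None         # port from the most recent bind()

    def add(tag, technique, addr, detail=""):
        findings.append({"tag": tag, "technique": technique,
                         "addr": addr, "detail": detail})

    for addr, api, args in calls:
        low = args.lower()
        if api.lower().startswith("copy") and "->" in args:
            dst = args.split("->", 1)[1].strip()
            if "\\windows\\" in dst.lower():
                dropped.add(dst.lower())
                add("self-copy into Windows directory", None, addr, dst)
        elif api == "RegOpenKeyExA":
            last_key = low
        elif api == "RegSetValueExA" and "currentversion\\run" in last_key:
            add("Run-key persistence", "T1547.001", addr, args)
        elif api in ("WinExec", "CreateProcessA"):
            if low.startswith("netsh firewall") and "allowedprogram" in low:
                add("firewall exception added", "T1562.004", addr, args)
            elif low.startswith("w32tm"):
                add("time sync via w32tm", None, addr, args)
            elif any(low.startswith(d) for d in dropped):
                add("executes dropped copy", None, addr, args)
        elif api == "CreateRemoteThread":
            add("remote thread injection", "T1055", addr, args)
        elif api == "bind":
            m = re.search(r"port=(\d+)", low)
            last_port = int(m.group(1)) if m else None
        elif api == "listen":
            add("opens listening port", None, addr, f"port={last_port}")
    return findings


if __name__ == "__main__":
    for f in triage(parse_trace(TRACE)):
        print(f"{f['addr']:>8}  {f['tag']:32} {f['technique'] or '-':10} {f['detail']}")
```

The value of the stateful rules shows on a clean trace: a program that writes some other registry value, or that launches a binary it did not drop, produces no finding, so the output stays focused on the combination of behaviours the slides single out rather than on any single API call.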

Hub and Spoke Topology
• Controller communicates directly with bots
• Simplest, but limited ability to scale
• Single points of failure
(Diagram: BotHerder; a DNS record points the bots to the BotHerder)

Peer To Peer (P2P) Topology
• All bots perform distribution
• Multiple paths from controller to bots
• Scales well, very resilient
• No single point of failure

Storm Worm Conclusions
• Very sophisticated
• “Victim of its own success”, yet still difficult to shut down
• Just one example; there are others we don’t know about

The Industry in Action: GOZI
• GOZI was a custom-made application designed to harvest data
• Went undetected for over 50 days
• Collected at least 10,000 records belonging to over 5,000 home users

GOZI: The Discovery
• Originally discovered because a user reported that an account he accessed at work was compromised
• The work computer was searched and suspicious malware discovered
• Not one of the 30 leading anti-virus companies detected Gozi at the time

GOZI: The Highlights
• Targeted SSL data
• Modularized code (professional grade)
• Spread through an iFrame IE browser vulnerability
• No detection in anti-virus products for weeks, months
• Customized to target specific sensitive data
• Posted on-line for “customer” purchases of stolen data
• Home PCs largely infected
• Accounts at top financial, retail, health care, and government services affected
• Estimated black market value of at least $2 million
Source: www.secureworks.com

GOZI: The Investigation
• Organization ready to code new undetectable malware
• Willing to offer tech support
• Others willing to help with infection
• Gozi main server located in Russia
Source: www.secureworks.com

GOZI: Conclusions
• Truly a new industry
• Pushing the envelope, trying to stay undetected
• Operating in countries where it is difficult to get shut down

Threats on the Horizon


Threats on the Horizon
• Automated social engineering
• Web 2.0
• Voice over IP threats
• Video file format vulnerabilities
• Mobile devices
• Data leakage
• Outsourcing
• Distributed workforce

Automated Social Engineering
• In an effort to convince users to “click here”, malware will use collected data to enhance the veracity of targeted spam
• Malcode can scan previous emails in a person’s inbox and send a “reply”, simply adding:
  Hey, Forgot to tell you to check out this site: http://bad.site.com

Web 2.0
• Hugely popular social sites (MySpace, Facebook) offer many potential victims for attackers
• Data is easy to gather to assist in targeted attacks
• Very dynamic, with big potential for buggy software to be present
• Attracts users who are not necessarily computer proficient

Voice over IP Threats
• “Vishing”: a voice way to attempt a phishing scheme
• Well-understood business risk is promoting integration of security technologies in voice deployments
• Limited pool of technical experts on voice within the attacker community
• Follow the money: no well-established business model driving financial incentives to attack

Voice Security Opportunities
Eavesdropping:
  Earliest attacks focused on this (VOMIT); however, effective deployment of secure voice makes this very difficult (it is easier to use other means to access the info)
SPIT: SPAM over internet telephony
  Potential to be a serious annoyance, but significant barriers to this being an effective source of profit (Vishing); some are technical, but most involve our current use patterns for telephony (used on a per-phone basis, not in a “list” format)
Denial of service
  Disgruntled employees or extortionists may target the voice infrastructure by a variety of mechanisms

Video File Format Vulnerabilities
Researchers in 2007 continued to uncover many important-to-critical video file format vulnerabilities in:
  QuickTime, Real Player, Windows Media Player, Flash
• Documented examples of video file attacks in 2007, not yet mainstream
• With the rise of video it is only a matter of time
• The next “hot” YouTube video just might be dangerous…

New Opportunity: Proliferation of Devices
The Challenge
• New types of devices are joining the network:
  Hand-helds, smart phones, cameras, tools, physical security systems, etc.
Opportunities for Attack
• Attacks on the back-end
  All of these systems provide an ingress point into some form of back-end system; both the method of communication and the device itself are targets
• Diversity of OSs:
  More devices means more operating systems and custom applications
• Attacks on the device
  Proliferation leaves many opportunities for taking control of a system
• Embedded OSs
  Process controllers, kiosks, ATMs, lab tools, etc.; the IT department is often not involved in procurement, so little attention is paid to security; for example, one environment got hacked from an oscilloscope
• Attacks on data
  Sensitive data is becoming increasingly distributed and uncontrolled

Attacks on Data: Data Leakage
• Still a hot topic this year
• Broad term encompassing multiple different challenges:
  Security of data at rest; security of data in motion; identity-based access control; both malicious and inadvertent disclosures
• The issue has become topical typically for “Compliance” reasons; however, the broader topic involves business risk management:
  How do I avoid inadvertent disclosures? How do I protect my information assets from flowing to my competitors? How do I avoid ending up in the news?

Architectural View of Data Leakage: New Challenges
[Figure: data-leakage architecture. Server/application systems with centralized data stores (structured and unstructured) and an application front end; endpoint enforcement points; transit enforcement points on the network transit path; endpoint systems and end users (internal and external consumers); decentralized data stores.]

What’s Changed? Enforcement points and data consumers are roughly the same; however, a new actor is introduced: “Data”.
Quantization Problem: How to group data elements into units of information relevant to the business?
Technical Translation Problem: How to reliably test a given data set for membership in a “unit of information” (e.g. how to verifiably determine if a given mass of bits is “source code”)?
Policy Construction Problem: How to scalably build policy for data flows across a large environment?
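The technical translation problem above asks how to decide whether a mass of bits belongs to a unit of information. The following added example (it is not from the Cisco deck and not any product's implementation) shows one answer DLP systems commonly use: shingle fingerprinting. Rather than asking “is this blob source code?”, the organisation registers its own protected documents and the filter asks “does this blob contain pieces of a registered document?”. The window size, threshold, document names and sample texts are all constructed assumptions. The last sample deliberately shows the technique's limit: an unregistered file that is clearly source code is not flagged.

```python
"""Document fingerprinting as a membership test for a 'unit of information'.

Added example (not from the Cisco deck). Shingle-based fingerprinting is one
technique DLP products use for the 'technical translation problem': register
the organisation's own protected content, then test whether a candidate blob
contains pieces of a registered document.
"""
import hashlib
import re

SHINGLE_WORDS = 5      # window size in tokens (assumption; tune per deployment)
MATCH_THRESHOLD = 0.3  # fraction of a candidate's shingles that must be known


def _tokens(text: str) -> list:
    # Lower-case word tokens: whitespace, indentation and line breaks are
    # ignored, so re-formatting a copied excerpt does not defeat the match.
    return re.findall(r"\w+", text.lower())


def shingles(text: str, k: int = SHINGLE_WORDS) -> set:
    """Hash every k-token window; the set of hashes is the fingerprint."""
    toks = _tokens(text)
    out = set()
    for i in range(len(toks) - k + 1):
        window = " ".join(toks[i:i + k])
        out.add(hashlib.sha256(window.encode("utf-8")).hexdigest()[:16])
    return out


class FingerprintIndex:
    """Inverted index: shingle hash -> ids of registered documents."""

    def __init__(self) -> None:
        self.index = {}

    def register(self, doc_id: str, text: str) -> None:
        for s in shingles(text):
            self.index.setdefault(s, set()).add(doc_id)

    def match(self, text: str, threshold: float = MATCH_THRESHOLD) -> dict:
        """Return {doc_id: fraction of the candidate's shingles found in doc}."""
        cand = shingles(text)
        if not cand:
            return {}
        hits = {}
        for s in cand:
            for doc_id in self.index.get(s, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        return {d: n / len(cand) for d, n in hits.items() if n / len(cand) >= threshold}


# Constructed sample content (not real code from any product).
PROTECTED_SOURCE = """
def compute_discount(customer, order_total):
    # loyalty tier drives the discount rate
    if customer.tier == "gold":
        rate = 0.15
    elif customer.tier == "silver":
        rate = 0.10
    else:
        rate = 0.0
    return round(order_total * rate, 2)
"""

# The same logic pasted into an e-mail body, re-flowed onto one line.
EMAIL_EXCERPT = ('FYI here is the logic: if customer.tier == "gold": rate = 0.15 '
                 'elif customer.tier == "silver": rate = 0.10')

UNRELATED_TEXT = "Lunch menu for Tuesday: tomato soup, grilled cheese, and a side salad."

# Source code that was never registered: fingerprinting will NOT flag it,
# which is exactly the limit of this technique versus 'is it source code?'.
NOVEL_SOURCE = """
def apply_tax(order_total, region):
    # tax table is loaded at startup
    return order_total * TAX_RATES[region]
"""

INDEX = FingerprintIndex()
INDEX.register("billing.py", PROTECTED_SOURCE)

if __name__ == "__main__":
    for label, text in [("excerpt", EMAIL_EXCERPT), ("unrelated", UNRELATED_TEXT),
                        ("novel", NOVEL_SOURCE)]:
        print(label, INDEX.match(text))
```

The excerpt matches because ten of its fifteen five-word windows come verbatim from the registered file, even though it was pasted on one line with different spacing; the unrelated text and the never-registered source file return nothing. That second miss is the point of the slide's problem statement: fingerprinting answers membership in a specific registered set reliably, while classifying arbitrary bits as “source code” needs a different (and much noisier) approach.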

Mobile Data Continues: PC on a Stick
New “smart drives” and other similar technology extend the existing threats to data posed by portable storage devices. Devices carry a virtual computing environment in secure storage, typically plugged in via USB to any open computer. All workspace, preference, and data information is kept within the device, but the computing resources of the host machine are used for manipulation and processing.

Challenges:
Analogous to SSL VPN security challenges, only now you can lose the device in a cab
Unknown endpoint environment challenges: keyboard loggers and splicers, monitor taps, webcams
Malicious software embedded in data or documents

Trend: Outsourcing
Motivations: Outsourcers have all the potential to be disgruntled employees in search of revenge, only more so—outsourcers typically feel less loyalty to the outsourcing organization.

Opportunity: In many organizations, outsourcers are given full intranet access.

Considerations:
How do you balance the need to access required applications while providing the necessary controls to mitigate risk?
When negotiating contracts, are there any provisions for data security and integrity?
Are there any provisions to audit the security posture?
What legal recourse does the organization have in the event of compromise? Jurisdictional issues, liability and responsibility, etc.

Trend: Distributed Workforce
De-perimeterization is real
True “federated” security systems are a long way off yet

Layers of defense and policy enforcement are critical
Drop bad traffic as close to the source as possible, but ensure you’ve got at least a couple of “last lines of defense”

Costs and risks to data integrity should be a part of any calculation to adopt new business practices
There may be hidden costs that are not well understood

People and processes are key to mitigating risk
User awareness and effective business processes are as important as technology solutions

Coping with Threats

Conclusion and Recommendations


What’s My Exposure? Appropriate Risk Mitigation
Risk is at the core of all security policy decisions.
With emerging threats, there’s always something out there that can affect your business. Effective understanding of business risk is critical to determining priorities in your response plan. The challenge: every application is business critical to someone.
[Chart: level of mitigation plotted against level of risk aversion, from risk averse to risk tolerant.]

Example: Network-Based Structured Data Controls
The Cisco AVS 3100 sits between the requester and the application and rewrites or withholds the response according to the policy for each data element:

Data element       Value in response     Action   Value after control
Credit Card        1234-5678-9012-3456   Mask     XXXX-XXXX-XXXX-3456
Social Security    123-45-6789           Mask     XXX-XX-XXXX
Driver’s License   A123456               Block    A123456
Employee ID        S-924600              Mask     XXXX
Patient ID         134-AR-627            Block    134-AR-627

Tackling Malware: Solutions Across the Network
[Diagram: corporate network with data center, management network, remote/branch office, Internet connections, corporate LAN, remote access systems, and business partner access / extranet connections; STOP and GO markers show where malware is blocked or allowed at each control point.]

Endpoint Protection
Infection prevention: Cisco Security Agent
Infection remediation: desktop anti-virus; Microsoft and other antispyware SW

Network Admission Control
Ensure endpoint policy compliance

Network-Based Business Content Control
Multi-function security devices
Intrusion prevention systems
Proxies
Firewalls

Mitigating Risk of Data Leakage: Basic Steps
1. Protect Non-managed Machines: Remote access (employee, partner, and vendor) from non-managed machines poses a serious risk. Deploy protection technology in your remote access systems, such as Cisco Secure Desktop in the Cisco ASA 5500.
2. Deploy Network-based Structured Data Controls: Data elements such as credit card numbers or SSNs can be monitored and controlled in return traffic using application firewalls (such as the AVS 3100).
3. Lock Down Managed Endpoints: Lock down removable media systems, such as USB ports and CD burners, using Cisco Security Agent.
4. Application Access Control: Enforce “need to know” access control policies in the network at transit control points (e.g. in firewalls).
5. Content Inspection Services: Build out a network-wide sensor grid for visibility and audit. Primary focus areas: email; instant messaging.
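Both the AVS 3100 example slide and step 2 above describe the same control: inspect return traffic for structured data elements and mask or block them before they reach the requester. The following added example (it is not Cisco AVS code and not from the deck) implements that policy as a response filter. The regular expressions, the rule-to-action mapping, the sample responses and the masking format are constructed to mirror the slide's table; the Luhn checksum on card numbers is a common false-positive filter that the slide does not mention, so it is an addition here. Masking in this example preserves separators and, for cards, the last four digits, so an employee ID comes out as “X-XXXXXX” rather than the slide's fixed “XXXX”.

```python
"""Network-based structured data controls: mask or block sensitive fields in
responses before they leave the application.

Added example (not Cisco AVS code). Patterns, actions and sample responses are
constructed to mirror the AVS 3100 slide; the Luhn validator is a common
false-positive filter for card numbers that the slide does not mention.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


def luhn_ok(token: str) -> bool:
    """Luhn checksum over the digits of token (separators ignored)."""
    digits = [int(c) for c in token if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) > 0 and total % 10 == 0


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    action: str                                   # "mask" or "block"
    keep_tail: int = 0                            # trailing chars left visible
    validator: Optional[Callable[[str], bool]] = None


# Constructed rule set following the slide's order: mask, mask, block, mask, block.
RULES = [
    Rule("Credit Card", re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b"), "mask",
         keep_tail=4, validator=luhn_ok),
    Rule("Social Security", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "mask"),
    Rule("Driver's License", re.compile(r"\b[A-Z]\d{6}\b"), "block"),
    Rule("Employee ID", re.compile(r"\bS-\d{6}\b"), "mask"),
    Rule("Patient ID", re.compile(r"\b\d{3}-[A-Z]{2}-\d{3}\b"), "block"),
]

BLOCK_BODY = "Response withheld by data control policy."


def mask_token(token: str, keep_tail: int = 0) -> str:
    """Replace letters/digits with X, keep separators and the last keep_tail chars."""
    cut = len(token) - keep_tail if keep_tail else len(token)
    return re.sub(r"[A-Za-z0-9]", "X", token[:cut]) + token[cut:]


def scan(body: str, rules=RULES):
    """Every (rule, match) whose validator (if any) accepts the matched text."""
    hits = []
    for rule in rules:
        for m in rule.pattern.finditer(body):
            if rule.validator is None or rule.validator(m.group(0)):
                hits.append((rule, m))
    return hits


def filter_response(body: str, rules=RULES) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Return (verdict, body_to_send, findings). A block rule wins over masking."""
    hits = scan(body, rules)
    findings = [(r.name, r.action) for r, _ in hits]
    if any(r.action == "block" for r, _ in hits):
        return "block", BLOCK_BODY, findings
    out = body
    # Rewrite from the end so earlier offsets remain valid after each splice.
    for r, m in sorted(hits, key=lambda h: h[1].start(), reverse=True):
        out = out[:m.start()] + mask_token(m.group(0), r.keep_tail) + out[m.end():]
    return "allow", out, findings


# Constructed application responses. 4111-1111-1111-1111 is the well-known
# test card number; 1234-1234-1234-1234 looks like a card but fails Luhn.
SAMPLE_ALLOW = ("Order 1234-1234-1234-1234 confirmed. Card 4111-1111-1111-1111, "
                "SSN on file 123-45-6789, employee S-924600.")
SAMPLE_BLOCK = "Patient 134-AR-627, licence A123456, visit notes attached."

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOW, SAMPLE_BLOCK):
        verdict, body, findings = filter_response(sample)
        print(verdict, findings)
        print("  ", body)
```

The first sample passes with the card, SSN and employee ID masked while the order reference, which matches the card pattern but fails the checksum, is left alone; the second sample contains two block-class elements and is withheld entirely. The findings list is what you would ship to the monitoring console so the event is auditable even when the response was allowed.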

Incident Response Basics
Incident Response Life Cycle:
1. Pre-Incident Planning
2. Detection and Analysis
3. Containment and Control
4. Recovery
5. Post-Incident Policy and Process Analysis

Most important step: Step 1
Second most important step: Step 5
Most commonly skipped step: Step 1
Second most commonly skipped step: Step 5

Adapted from reports at www.gartner.com and www.securityfocus.com

What Should I Do?
Process, process, process:
Implement strong processes up front, document them, and use them

User education campaigns:
Ensure there is an end-user education component of your broader information security strategy

Make effective use of technology:
Technology exists to mitigate much of your risk of exposure to new threats—make sure you’re using what’s available


Technology Recommendations
Stay informed: Subscribe to a threat information service
A cost effective way to stay on top of things

Stay informed: Actually read the information coming from your threat information service
Summaries are quick

Utilize your infrastructure
Use tools that you already have available


Technology Recommendations
Change the game: Deploy NAC
Raise the bar on the level of protection at the internal edge

Develop and implement a complete “incident response system”
Include technologies like IPS that enable visibility and protection; ensure you’ve got the tools to help (like MARS)
Get tested! Engage a reputable penetration testing firm

Deploy anomaly technologies
Anomaly detection technologies can catch some emerging threats before they’re well known
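The anomaly recommendation above rests on one idea: you do not need a signature for a threat you have never seen if you know what normal looks like. The following added example (not a Cisco product's algorithm and not from the deck) learns a per-host baseline from NetFlow-style summaries and then flags three kinds of deviation in a live window: a host with no baseline at all, a destination port the host has never used, and an hourly byte volume above mean plus k standard deviations. Every flow record, hostname, port and byte count here is constructed, and the threshold constants are assumptions to be tuned per environment.

```python
"""Baseline anomaly detection over NetFlow-style records.

Added example (not a Cisco product's algorithm). Flow summaries are
constructed; the hostnames, ports and byte counts are invented.
A baseline is learned per host from a quiet training window, then live
flows are flagged when they (a) come from a host with no baseline,
(b) use a destination port the host has never used, or (c) push more
bytes in an hour than mean + k * stddev.
"""
from collections import defaultdict
from statistics import mean, pstdev

SIGMA_K = 3.0      # standard deviations above the mean that count as anomalous
STD_FLOOR = 0.05   # floor std at 5% of the mean so a flat baseline ignores noise


def _constructed_training():
    # 24 hours of steady behaviour: a workstation doing HTTPS and DNS,
    # and a database server talking only on its own port.
    flows = []
    for hour in range(24):
        flows.append((hour, "ws-17", 443, 2_000_000 + (hour % 3) * 100_000))
        flows.append((hour, "ws-17", 53, 5_000))
        flows.append((hour, "db-01", 5432, 50_000_000))
    return flows


# Records are (hour, src_host, dst_port, bytes_out).
TRAINING = _constructed_training()

# Live window: one normal hour, one hour with a huge transfer to an odd port,
# a database host using SSH for the first time, and an unknown host.
LIVE = [
    (2, "ws-17", 443, 2_100_000), (2, "ws-17", 53, 5_000),
    (3, "ws-17", 443, 2_000_000), (3, "ws-17", 6667, 40_000_000),
    (5, "db-01", 5432, 50_000_000), (5, "db-01", 22, 1_000),
    (6, "kiosk-03", 445, 120_000),
]


def _hourly_totals(flows):
    totals = defaultdict(lambda: defaultdict(int))   # host -> hour -> bytes
    for hour, host, _port, nbytes in flows:
        totals[host][hour] += nbytes
    return totals


def build_baseline(flows):
    """Per host: mean/std of hourly outbound bytes and the set of ports seen."""
    totals = _hourly_totals(flows)
    ports = defaultdict(set)
    for _hour, host, port, _nbytes in flows:
        ports[host].add(port)
    baseline = {}
    for host, hours in totals.items():
        vals = list(hours.values())
        baseline[host] = {"mean": mean(vals), "std": pstdev(vals), "ports": ports[host]}
    return baseline


def detect(flows, baseline, k=SIGMA_K):
    """Return sorted, de-duplicated alerts as (kind, host, hour, detail) tuples."""
    alerts = set()
    for hour, host, port, _nbytes in flows:
        b = baseline.get(host)
        if b is None:
            alerts.add(("new-host", host, hour, port))
        elif port not in b["ports"]:
            alerts.add(("new-port", host, hour, port))
    for host, hours in _hourly_totals(flows).items():
        b = baseline.get(host)
        if b is None:
            continue
        threshold = b["mean"] + k * max(b["std"], STD_FLOOR * b["mean"])
        for hour, total in hours.items():
            if total > threshold:
                alerts.add(("volume", host, hour, total))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(LIVE, build_baseline(TRAINING)):
        print(alert)
```

Hour 2 produces nothing because it looks like every training hour; hour 3 raises both a new-port and a volume alert for the workstation; the database host's first SSH flow is flagged on port alone, since its byte count is well inside the baseline; and the unknown kiosk is reported once, not once per flow. The relative floor on the standard deviation matters: a host with perfectly flat training data would otherwise alert on a single extra kilobyte.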

Intelligence Service Example
Cisco IntelliShield Alert Manager
Threat and Vulnerability Intelligence Alerting Service: receive vital intelligence that is relevant and targeted to your environment
Tactical, operational and strategic intelligence
Vendor neutral
Life cycle reporting
Vulnerability workflow management system
Comprehensive searchable alert database

Intelligence Summary Example
Cisco IntelliShield Cyber Risk Reports
A strategic intelligence report that highlights current security activity and mid- to long-range perspectives
Addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The PSARs are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team.

Utilize Your Infrastructure
Cisco Applied Intelligence Responses
Actionable intelligence that can be used on existing Cisco infrastructure
Sections: vulnerability characteristics; mitigation technique overview; risk management; device-specific mitigation and identification
Devices: Cisco IOS® routers and switches; Cisco IOS NetFlow; Cisco ASA, PIX®, and FWSM firewalls; Cisco Intrusion Prevention System; Cisco Security Monitoring, Analysis, and Response System

Incident Response and Threat Prevention Systems
[Diagram: Internet and intranet with CS-MARS, Cisco Security Agent (CSA), Cisco ISR routers, Cisco ASA 5500 Adaptive Security Appliance, Cisco Catalyst® service modules and CSM providing branch protection, day-zero endpoint protection, converged perimeter protection, integrated data center protection, server protection, and monitoring, correlation, and response / security management.]

Considerations for Building a System
Monitoring Console: A strong monitoring console is essential—without that, you’re blind
Breadth of Network Control Points: Have IPS technology ready in as many locations as possible, even if you’re not using it—it’ll be there when you need it
Fine-grained Endpoint Control: Ensure your endpoint security software provides granular use control, in addition to protective services

Some Closing Thoughts
Do not get overwhelmed
Small steps can make a big difference
Remember, to survive a bear attack, you don’t have to be the fastest person…you just need to be faster than the next guy
Do not be the least prepared

Q and A


Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Passport points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
