
II INTERNATIONAL CONGRESS ON IT AND RESEARCH

"THE IMPORTANCE OF IT IN THE NEW NORMAL"


Oct 21, 2016
Mirai Botnet DDoS Attack on Dyn

“In a relatively short time, we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters*.”
Jeff Jarmoc, Salesforce.com Head of Security

*Actually mostly webcams, but toasters are more quotable.


Today’s Security Landscape has become Complex…
Who is good, and who is bad?
In short: It’s all about “Cats vs. Rats.”

Scratchy: CFO
Itchy: our attacker
Mordiac: IT Admin


The Challenge
• Attackers are skilled and motivated
• Attackers are engineers
• Learn from others, reuse code or write your own
• Test before putting in production:
– Will it bypass antivirus?
– Will it bypass IPS?
– Will it bypass NGFW?
– Will it bypass Sandboxing?

Types of Malware
• Man in the Middle
• Spoofing & Reflected (DDoS)
• ICMP Vulnerabilities (Smurf Attack)
• TCP SYN Flooding
• SQL Injection
Vectors of an Attack

Physical
• Intel Gather
• Surveil
• Pick
• Force
• Conceal
• Persist

Digital
• Intel Gather
• Scan
• Assess
• Exploit
• Persist
• Propagate
• Exfiltrate

Social
• Targeted Phishing
• Conning Guards/Staff
• Impersonation
• Phone Phishing
• Create Spies

Converged Attack: converged attacks are most effective and most difficult to thwart.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Tools Used – By Attackers
The Kill Chain
Focus on Methodology, Not Tools!
• Original work by Lockheed Martin
– Inspiration from military kill chain
• Model describing structure of attack
• Note that attackers are not legally bound to follow the exact model…
• Still useful to understand stages of attacks
– Instead of focusing on specific exploits

*http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Zero-Day Attack
(Diagram: Attacker and CnC Server outside the Perimeter (Inbound); Enterprise Network with Admin Node inside; data leaves through the Perimeter (Outbound).)
1. Infiltration and Backdoor establishment
2. Reconnaissance and Network Traversal
3. Exploitation and Privilege Elevation
4. Persistence (Repeat 2, 3, 4)
5. Data Staging and Exfiltration
Key Point: Integrate Your Defenses
• Avoid silos!
• Cooperation between:
– Security
– Network
– Desktop/Clients
– Active Directory
– IoT
– Training
– …
Next-Gen Security Infrastructure Must Address…
• PROTECTION: Stay ahead of the evolving threat landscape
• VISIBILITY: View the network holistically and heuristically
• MITIGATION: Detect and contain after compromise has already occurred
• AUTOMATION: Respond quickly with integrated defense systems

Cybersecurity Goals

• Confidentiality =
Protect sensitive data

• Integrity =
Ensure no unauthorized modifications

• Availability =
Authorized people can access it
Assets, Vulnerabilities, and Countermeasures
Network Vulnerability

Vulnerabilities

• Weakness in a system
• Configuration error, missing patch, design flaw, etc.
• Signature-based security defends against attacks that exploit vulnerabilities. Examples: IPS, Anti-Virus
Many Targets to Consider

(Diagram. Symptoms shown: Compromised Servers, Botnet Communication, Data Loss, Multiple Alarms, User Complaints. Locations shown: HQ, Branch Network, Users, Cloud, Data Center, Admin, Roaming Users.)

IoT Challenges
• Patch Delays
• Limited Security Development
• Rogue Devices
Known and Unknown Threats
Known – Attack has been seen and characterized.
– Develop signatures for detection
– Behavior triggers
– Domains blocked
– Antivirus / IPS leverage this

Unknown – Attack has not been seen or characterized.
– Signatures do not exist
– Behavior and anomaly detection focused
– Breach detection / Sandboxing / Honeypots
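The known/unknown split above, and the TCP SYN flooding item from the earlier slide, as an added example that is not part of the deck: a signature check (a hypothetical blocklist of destinations) catches a known threat, while a behavioural count of half-open connections per source flags an unknown one. The log lines and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed connection log (not from the slides): "ts src dst dport state"
SAMPLE_LOG = """\
1 10.0.0.5 192.0.2.10 443 ESTABLISHED
2 10.0.0.5 198.51.100.7 80 ESTABLISHED
3 203.0.113.9 192.0.2.10 80 SYN_RECV
4 203.0.113.9 192.0.2.10 80 SYN_RECV
5 203.0.113.9 192.0.2.10 80 SYN_RECV
6 203.0.113.9 192.0.2.10 80 SYN_RECV
7 203.0.113.9 192.0.2.10 80 SYN_RECV
8 10.0.0.7 192.0.2.10 443 ESTABLISHED
"""

# Known threat: a signature, here a hypothetical placeholder blocklist of
# destinations an IPS or DNS/IP blocklist would carry.
BLOCKED_DST = {"198.51.100.7"}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse(log):
    """Parse log text into (ts, src, dst, dport, state) tuples, skipping malformed lines."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, state = m.groups()
            records.append((int(ts), src, dst, int(dport), state))
    return records


def known_threat_hits(records, blocked=BLOCKED_DST):
    """Signature-style detection: any connection to a blocklisted destination."""
    return [(ts, src, dst) for ts, src, dst, _, _ in records if dst in blocked]


def half_open_anomalies(records, threshold=4):
    """Behavioural detection: sources holding at least `threshold` half-open
    (SYN_RECV) connections, the pattern a SYN flood leaves on the victim."""
    counts = Counter(src for _, src, _, _, state in records if state == "SYN_RECV")
    return {src: n for src, n in counts.items() if n >= threshold}


def analyze(log):
    """Run both detectors over one log and return the findings together."""
    records = parse(log)
    return {"known": known_threat_hits(records), "anomalies": half_open_anomalies(records)}
```

The threshold is illustrative; a real deployment baselines normal half-open counts per source and per window before choosing it.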
Defending Across the Attack Continuum
Questions?