Cisco Tech Club Days - IDEME

Page 1
Cisco Tech Club Days
Peter Mesjar, Consulting Systems Engineer, 25.6.2019
So that an infected endpoint device does not cost you your head
Page 2
The "million-dollar question" in cyber security
Should I be worried about a newly discovered cyber threat?
Page 3
© 2019 Cisco and/or its affiliates. All rights reserved.
https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html
Fortunately, I don't have to :)
Page 4
What did Talos find after the Nyetya/NotPetya attack
Olympic Destroyer
NavRAT
VPNFilter
Gandcrab
VPNFilter new stage 3 modules
Thanatos decryptor
Highly targeted iOS MDM campaign
VPNFilter: 7 additional stage 3 modules
Gplayed
Gplayed banking
RTF campaign
Sextortion
DNSpionage
Persian Stalker
Extending Shamoon 3 coverage
Sextortion to bomb scare
DNSpionage in US
PyLocky decryptor
Imminent RAT
Ursnif
Rise in attacks on Elasticsearch clusters
JasperLoader
DNSpionage brings Karkoff
Sea Turtle
74 Facebook groups
https://blog.talosintelligence.com
Page 5
Pre-attack phase: "Houston", we don't have a problem :)
Page 6
Page 7
A typical computer network today
Internet
IPsec VPN concentrator (ASAv)
Access part of the network
Next-generation IPS (FTD)
Data center
Network management segment
web
Page 8
Email is still number 1 for the initial compromise of endpoint devices!
Page 9
Securing Inbound Email: Layers of Defense
Layers: Acceptance Controls; Anti-spam; DMARC, DKIM and SPF; Forged Email Detection; Advanced Phishing Protection
Questions each layer answers: Right IP? Signed? Aligned? Who? What? Where? How?
Signals used: Sender IP and Domain Reputation; Geo-Location; Sender Spoof; Local Intel; Identity Trust
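The "Signed? Aligned?" layer above is the DMARC check: SPF and DKIM each authenticate a domain, and DMARC only counts a result when that domain aligns with the visible From: domain. The following is an added example, not code from the slide deck or from Cisco, showing why "signed" alone is not enough. It parses a simplified Authentication-Results header (the regular expressions and the sample headers are constructed for this example) and approximates the organizational domain as the last two labels, where a real implementation would consult the Public Suffix List.

```python
"""Added example: DMARC-style SPF/DKIM alignment check (not from the deck)."""
import re
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Hypothetical simplification: organizational domain = last two labels.
    # Real DMARC implementations use the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from_domain: str, auth_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    hf = header_from_domain.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if not ad:
        return False
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


@dataclass
class AuthResults:
    spf_result: str = "none"
    spf_domain: str = ""      # SMTP MAIL FROM domain that SPF evaluated
    dkim_result: str = "none"
    dkim_domain: str = ""     # d= tag of the verified DKIM signature


# Simplified grammar for an Authentication-Results value (constructed regexes).
_SPF_RE = re.compile(r"\bspf=(\w+)(?:[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+))?", re.I)
_DKIM_RE = re.compile(r"\bdkim=(\w+)(?:[^;]*?header\.d=([^\s;]+))?", re.I)


def parse_authentication_results(value: str) -> AuthResults:
    """Extract SPF and DKIM results plus the domains they authenticated."""
    res = AuthResults()
    m = _SPF_RE.search(value)
    if m:
        res.spf_result = m.group(1).lower()
        res.spf_domain = (m.group(2) or "").lower()
    m = _DKIM_RE.search(value)
    if m:
        res.dkim_result = m.group(1).lower()
        res.dkim_domain = (m.group(2) or "").lower()
    return res


def dmarc_verdict(header_from: str, auth_results: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Answer 'Signed?' and 'Aligned?' for one message and derive the DMARC result."""
    from_domain = header_from.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    ar = parse_authentication_results(auth_results)
    spf_ok = ar.spf_result == "pass" and is_aligned(from_domain, ar.spf_domain, aspf)
    dkim_ok = ar.dkim_result == "pass" and is_aligned(from_domain, ar.dkim_domain, adkim)
    return {
        "from_domain": from_domain,
        "signed": ar.dkim_result == "pass",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    # Constructed sample messages; domains are placeholders.
    legit = ("Bank Alerts <alerts@bank.example>",
             "mx.example.net; spf=pass smtp.mailfrom=bounce.bank.example; dkim=pass header.d=bank.example")
    # Signed and SPF-passing, but for the sender's own domain: "Signed?" yes, "Aligned?" no.
    lookalike = ("Bank Alerts <alerts@bank.example>",
                 "mx.example.net; spf=pass smtp.mailfrom=mailer.attacker.example; dkim=pass header.d=attacker.example")
    for frm, ar in (legit, lookalike):
        print(frm, "->", dmarc_verdict(frm, ar))
```

Running the block shows the first message passing and the second failing even though both carry a valid signature and a passing SPF result; the relaxed/strict switch (`aspf`, `adkim`) decides whether a subdomain such as bounce.bank.example may vouch for bank.example.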
Page 10
During-attack phase: "Houston", we have a problem!
Page 11
Page 12
Cisco Integrated Cyber Security: Detection -> Quarantine -> Security incident resolution
Network Fabric
Quarantine
Supplier
Employee
Employee
Quarantine
Shared Server
Server
High Risk Segment
Internet
Stealthwatch, Firepower NGIPS or a 3rd-party app such as Splunk
Change Authorization via pxGrid
Event: XYZ, Source IP: 10.4.51.5, Role: Supplier, Response: Quarantine
ISE
LAN/Wifi/VPN
Act No. 69/2018 (zákon č. 69/2018), § 19 obligations of the operator of an essential service, paragraph 6: c) to cooperate with the authority and the central body in resolving a reported cyber security incident and, for that purpose, to provide them with the necessary cooperation as well as information obtained from its own activities that is important for resolving the cyber security incident,
Page 13
Cisco Threat Grid = Sandbox + Threat Intelligence
Threat Intelligence: Threat Score, Behavior Indicators, Observables, Analysis Reports
Malware Analysis: Automated Analysis (Static, Dynamic), Global Correlation
Malware Analysis / Threat Intelligence
An automated engine observes, deconstructs, and analyzes using multiple techniques
Provides a single solution delivered multiple ways: through the cloud, as an on-premises solution, or integrated into security technologies such as AMP (Advanced Malware Protection).
Page 14
Supported Integrations & Partners
Threat Grid Integrations
Select Recipe Integrations
Select Threat Feed Integrations
Page 15
Post-attack phase: "Houston", is the problem over?
Page 16
Cisco Threat Response - searching for an IoC (Indicator of Compromise)
SHA256 in question
Page 17
Cisco Threat Response – tracing the IoC across the network
Received via two Emails
Page 18
Cisco Threat Response – tracing the IoC across the network
From two well-known Public domains
Page 19
Cisco Threat Response – tracing the IoC across the network
But different Email Subject
Page 20
Cisco Threat Response – tracing the IoC across the network
Passed via: Corporate Email Security Appliance, Firepower NGFW
Page 21
Cisco Threat Response – target analysis
Target mailboxes involved
Page 22
Cisco Threat Response – target analysis
Two of four recipients have received and acted on a file
Page 23
Cisco Threat Response – timeline of events
See the associated activities at the endpoint
Understand which hosts have been involved
Investigate deeper
Page 24
Cisco Threat Response – blocking in a few clicks
Blocks file on infrastructure and endpoints
Page 25
In conclusion…
Page 26
Cisco Integrated Threat Defense: share intelligence across network, cloud, web, email, and endpoints to see once & block everywhere.
NGIPS, Email, DNS & Web, SD-WAN, NGFW, Endpoint
Talos, Threat Grid, AMP Cloud
Page 27
@talossecurity
blog.talosintelligence.com