defeating blended threat - cisco · hackers are smarter and have the resources to compromise your...

34
Brian Cotaz Consulting Systems Engineer July 15,2015 Cisco Solution Summit Defeating Blended Threat with Cisco Content Security Solution

Upload: others

Post on 02-Oct-2020

3 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Brian Cotaz

Consulting Systems Engineer

July 15,2015

Cisco Solution Summit

Defeating Blended Threat with Cisco Content Security Solution

Page 2: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

The Blended Threat

Page 3: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

The Reality Organizations Are Under Attack

1990 1995 2000 2005 2010 2015 2020

Viruses 1990–2000

Viruses 2000–2005

Spyware and Rootkits 2005–Today

APTs Cyberware Today +

Phishing, Low

Sophistication Hacking Becomes

an Industry Sophisticated Attacks,

Complex Landscape

of large companies

targeted by malicious traffic 95% of organizations interacted

with websites hosting malware 100%

Cybercrime is lucrative, barrier to entry is low

Hackers are smarter and have the resources to compromise your organization

Malware is more sophisticated

Organizations face tens of thousands of new malware samples per hour

Page 4: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Creating Increasingly Exposed Users and Organizations

Malware

Infections Acceptable

Use Violations Data Loss

IPv6 Spam

Blended Threats

Targeted Attacks APTs

Advanced Malware

Rootkits

Worms

Trojan Horse

Email is the #1 Threat Vector

Page 5: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Most dangerous threats

Approach

Tactic

Impact

Threat

vector

Infect or inject a trusted site

Conduct reconnaissance

on a target

Deliver an exploit that will attack

Target users through

compromised links

Leverage social engineering

Deliver an exploit that will attack

Deliver malware with stealth and

self-deleting programs

Gain access through DLL injection

and control firewalls, antivirus, ect

Compromises system control,

personal data and authorizations

Dropper Watering hole Spear phishing

Page 6: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Sample attack: Joe CFO case Waiting for his plane

Meet Joe. He is heading to a well

deserved vacation.

He’s catching up on email using the

airport Wi-Fi while he waits for his

flight.

Page 7: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Checks his email

Joe just got an email from

his vacation resort.

Your Tropical Getaway

Joe,

Thank you for choosing us. We look forward to seeing you.

Before your arrival, please verify your information here: www.vacationresort.com

Best, Resort Team

Page 8: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Instinctively, he clicks on the link

No problem, right? Everything looks

normal.

The site may even be a trusted site,

or maybe a site that is newly minted.

Your Tropical Getaway

Joe,

Thank you for choosing us. We look forward to seeing you.

Before your arrival, please verify your information here: www.vacationresort.com

Best, Resort Team

Page 9: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Joe is now infected

Joe opens the link and the resort

video plays.

Although he doesn’t know it, Joe’s

machine has been compromised by a

flash based video exploit.

The malware now starts to harvest

Joe’s confidential information:

• Passwords

• Credentials

• Company access authorizations

Page 10: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Cisco Annual Security Report 2015

Page 11: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Attackers:

Shifts in the attack vectors

Java

Silverlight

PDF

Flash

Java drop 34%

Silverlight

rise 228%

PDF and Flash steady

Log Volume

Page 12: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Attackers:

A growing appetite

to leverage targeted

phishing campaigns

Example: Snowshoe SPAM attack

SPAM up

250%

Page 13: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Attackers:

Malvertising is on the rise:

low-limit exfiltration makes

infection hard to detect

In October 2014, there is a spike of

250%

Page 14: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Users becoming complicit

enablers of attacks

Untrustworthy sources

Clickfraud and Adware

Outdated browsers

10% 64% IE requests

running latest

version

Chrome requests

running latest

version

vs

Page 15: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Feeding the Beast

43% Opened an email I suspected was spam

11% Clicked on a link in an email I suspected was spam

15% Opened a spam email, to learn more about the offered products or services

Source: MAAWG

Page 16: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Cisco Content Security Solution

Page 17: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

To Defeat Those Blended Threats Requires Greater Intelligent and Visibility across Attack Continuum

Attack Continuum

Before

Discover

Enforce

Harden

During

Detect

Block

Defend

After

Scope

Contain

Remediate

Network Endpoint Mobile Virtual Cloud Email Web

WWW

Point-in-time Continuous

Page 18: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

180,000+ file samples per day

FireAMP™ community

Advanced Microsoft

and industry disclosures

Snort and ClamAV open source

communities

Honeypots

Sourcefire AEGIS™ program

Private and public threat feeds

Dynamic analysis

Cisco Content Security integration with Threat Intelligence Built on unmatched collective security analytics

10I000 0II0 00 0III000 II1010011 101 1100001 110

110000III000III0 I00I II0I III0011 0110011 101000 0110 00

I00I III0I III00II 0II00II I0I000 0110 00

101000 0II0 00 0III000 III0I00II II II0000I II0

1100001110001III0 I00I II0I III00II 0II00II 101000 0110 00

100I II0I III00II 0II00II I0I000 0II0 00

Cisco®

Talos

Threat

Intelligence Research

Response

ESA/WSA

Email Endpoints Web Networks IPS Devices

WWW

1.6 million global sensors

100 TB of data received per day

150 million+ deployed endpoints

600+ engineers, technicians,

and researchers

35% worldwide email traffic

13 billion web requests

24x7x365 operations

40+ languages

Page 19: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Cisco Advanced Malware Protection Built on Unmatched Collective Security Intelligence

1.6 million

global sensors

100 TB

of data received per day

150 million+

deployed endpoints

600

engineers, technicians,

and researchers

35%

worldwide email traffic

13 billion

web requests

24x7x365 operations

4.3 billion web blocks per day

40+ languages

1.1 million incoming malware

samples per day

AMP Community

Private/Public Threat Feeds

Talos Security Intelligence

AMP Threat Grid Intelligence

AMP Threat Grid Dynamic

Analysis

10 million files/month

Advanced Microsoft

and Industry Disclosures

Snort and ClamAV Open Source

Communities

AEGIS Program

Email Endpoints Web Networks IPS Devices

WWW Automatic

updates

in real time

101000 0110 00 0111000 111010011 101 1100001 110

1100001110001110 1001 1101 1110011 0110011 101000 0110 00

1001 1101 1110011 0110011 101000 0110 00

101000 0110 00 0111000 111010011 101 1100001

1100001110001110 1001 1101 1110011 0110011 10100

1001 1101 1110011 0110011 101000 0110 00

Cisco®

Collective

Security

Intelligence Cisco Collective

Security Intelligence Cloud

AMP Advanced Malware Protection

Page 20: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Delivers the First Line of Detection

All detection is less than 100% effective

Reputation Filtering and File Sandboxing

Dynamic

Analysis

Machine

Learning

Fuzzy

Finger-printing

Advanced

Analytics

One-to-One

Signature

Page 21: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Real-Time Emulation

Real-Time Sandbox : Defend Blended Threats Analysis for Zero-Day Defense

Page 22: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Cisco Advanced Malware Protection

Point-in-Time Protection

File Reputation and Sandboxing

Retrospective Security

Continuous Analysis

Page 23: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

And Continues to Analyze What Happened

0001110 1001 1101 1110011 0110011 101000 0110 00 0111000 111010011 101 1100001 110

1000111010011101 1100001110001110 1001 1101 1110011 0110011 101000 0110 00

0100001100001 1100 0111010011101 1100001110001110 1001 1101 1110011 0110011 101000 0110 00

Web

WWW

Endpoints Network Email Devices

IPS

File Fingerprint and Metadata

Process Information

Continuous feed

Continuous analysis

File and Network I/O

Breadth and Control points:

Telemetry Stream

Talos + Threat Grid Intelligence

Trajectory Behavioral

Indications

of Compromise

Threat

Hunting

Retrospective

Detection

Page 24: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Marketing Message Classification

At Buy.com, your privacy

is a top priority. Please

read our privacy policy

details.…

All information collected

from you will be shared

with Buy.com and its

affiliate companies.

Privacy Policy

Page 25: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Graymail

The Graymail solution will provide:

• Protection against malicious threats masquerading as unsubscribe links

• A uniform interface for all subscription management to end-users

• Better visibility to the email administrators and end-users into such emails

Page 26: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

End User Experience Safe Unsubscription Status: Success

Page 27: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

URL Defense : Defend Blended Threats

Email Contains URL

Cisco® Talos

URL Reputation and

Categorization

Replace

Defang/Block

Rewrite

Send to Cloud

BLOCKEDwww.playb

oy.comBLOCKED

BLOCKEDwww.proxy

.orgBLOCKED

“This URL is blocked by

policy”

Page 28: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

The top

malicious URLs

Users clicked

Date/time,

rewrite reason,

URL action

Web Interaction Tracking : Defend Blended Threats

URL Rewritten

Users Click

Rewritten URL

Based on

Email ID

Based on

LDAP group

Based on IP

Address

Stop 0-Day

Dynamic

Intelligence

Educate users

Rewritten

URL Report

List of users

accessing

rewritten

URLs

Add malicious

URLs to

blacklist

Page 29: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Missed-Spam Analysis

Categories of Missed Spam (Customer submissions since Jan/14)

Offer

Phish

Scam

Job

Lottery Drug

Loan Dating Insurance

Porn

Seminar

Diplomas Mkt Svcs Casino Link Malware

Luxury Stocks

Administrator can set rate limit for individual senders

Majority of Offer spam uses Snowshoe techniques

Snowshoe spam – technique used by spammers to cover their tracks, go under the radar. Its objective is to defeat traditional Anti-Spam techniques.

Short campaigns – morphs fast – constantly changing

Fine line to balance catch rate and false positive

Not “new” techniques, however, usage has increased

Anti-Sender Reputation Anti-Content Analysis

Never use the same IP to send more than x amount of spam in more than y period of time.

Never send the same spam from the same IP.

Never use the same series of words

Never reuse the same images

Never use the same URL

Page 30: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

The Spam Landscape

Increase in “Snowshoe” spam

Spam broken down by Sender Type

Page 31: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Anti-Snowshoe Steps to Take in Battling Spam

“Maintain leadership in antispam efficacy through ever-changing threat

landscape to protect our customers and keep ahead of the competition”

Sensor footprint expansion for early

awareness of snowshoe campaigns

Increase automation and auto

classification of emails for faster

response

Better defense against snowshoe

spam through enhanced contextual

analysis

Page 32: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Email Protection Before

After During

File

Retrospection

File

Sandboxing

Anti-Spam

and

Anti-Virus

Mail Flow

Policies

Data Loss

Protection

Encryption

Before During

X X X X X X

X X X X

X

Inbound

Email

Outbound

Email

Mail Flow

Policies

Email

Reputation

Acceptance

Controls Content

Controls

File

Reputation

Anti-Spam and

Anti-Virus

Outbreak

Filters

Cloud

Talos Cisco

Appliance Virtual

Reporting

Message Track

Management

HQ Admin

Allow Warn Block Partial Block

Page 33: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Web

Filtering Webpage

Web

Reputation Application

Visibility and

Control

Parallel AV

Scanning Data Loss

Prevention

File

Reputation Cognitive

Threat

Analytics*

X X X X

Before After

www.website.com

During

X

File

Retrospection

www

Roaming User

Reporting

Log Extraction

Management

Branch Office

www www

Allow Warn Block Partial Block Campus Office

WCCP Explicit/PAC Load Balancer PBR AnyConnect® Admin Traffic

Redirections

www

HQ

File

Sandboxing

X

Client

Authentication

Technique

Web Protection Cloud

Talos Cisco

Appliance Virtual

Page 34: Defeating Blended Threat - Cisco · Hackers are smarter and have the resources to compromise your organization ... technique used by spammers to cover their tracks, go under the radar

Thank you