Emerging Threats: Cisco Security Intelligence Operations (PowerPoint presentation transcript)
© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Emerging Threats:
Cisco Security Intelligence Operations
Jeff Shipley
Cisco Security Research and Operations
Agenda
Cisco Security Intelligence Operations
Cyber Risk Highlights and Emerging Threats for 2010-2011
Recommendations
Who Are We, What Do We Know, and
How Do We Know?
Cisco Security Intelligence Operations: Protect the Customer, Protect the Company
Cisco Security Intelligence Operations includes:
Global Threat Operations Centers
IntelliShield Threat and Vulnerability Analysis
Managed Services and IPS
SensorBase and SenderBase Analysts
Corporate Security Programs Office, Global Policy & Government Affairs
Global in scope; encompasses network, content, physical & geopolitical security
Cisco Security Intelligence Operations: sources (slide diagram)
Incident Response Groups
CERTs
SANS
BugTraq
Full Disclosure
OSVDB
Cisco TOCs
Cisco Applied Intelligence
Cisco PSIRT
Cisco IPS
NIST
External Security Research
Cisco RMS
Cisco CSPO
Cisco IronPort
Internal Security Operations
Internal Security Research
ISACs
Researchers
FIRST
Cisco ScanSafe
Physical
What We Watch: Seven Categories of Cyber Risk
1. Cyber Vulnerabilities and Threat
2. Physical
3. Legal
4. Trust
5. Identity
6. Human
7. Geopolitical
Risk = Vulnerability x Threat x Impact
What and Where are the Current Threats?
Our Top Ten
• Botnets (Toolkits)
• Web Exploits: SQL Injection / Cross-site Scripting
• Data and Intellectual Property Theft
• Malicious Business Documents (PDF, Office)
• Social Networks / Web 2.0
• Cloud and Virtualization
• Implied and Transient Trust (Social networks, Web)
• Open Wireless Networks
• Denial of Service Attacks (DoS / DDoS)
• IPv6/DNSSEC Deployments
Cybercrime Industry
Cybercrime Industry: Today (slide diagram; $$$ Flow of Money $$$ runs across the stages)
Developers
• Malware Writers: Worms, Spyware, Viruses, Trojans
• Tool and Toolkit Writers
• Bot-Net Creation
Middle Men
• First Stage Abusers: Machine Harvesting, Information Harvesting, Hacker / Direct Attack, Internal Theft: Abuse of Privilege
• Bot-Net Management: For Rent, for Lease, for Sale
• Personal Information
• Electronic IP Leakage
• Information Brokerage
Second Stage Abusers
• Spammers/Affiliates
• Phishers
• Extortionist/DDoS-for-Hire
• Pharmer/DNS Poisoning
• Identity Theft
• Compromised Host and Application
End Value
• Financial Fraud
• Commercial Sales
• Fraudulent Sales
• Click-Through Revenue
• Espionage (Corporate/Government)
• Fame
• Extorted Pay-Offs
• Theft
Reducing the Noise Level (slide timeline: Public Awareness over Time, 2000 to 2011)
ILOVEYOU, CODE RED, SLAMMER, MY DOOM, STORM, ZeuS, Rustock.C, Conficker, Koobface, Stuxnet, SpyEye
Cisco Cybercrime ROI Matrix
2011 Q2 Global Threat Trends
• Malware UP 272%
• SQL Attacks UP 350%
• DoS Attacks UP 43%
• Phishing UP ~30%
• Spam DOWN 20%
Social Networking: Opportunity and Vulnerability
• Business and network expansion
• Risk to Privacy, Identity, Trust, IP protection
• Small World Relationships
• The criminals are already there: Koobface, false security warnings, tinyurls, transient trust, anonymized data reconstruction, compromised accounts, ‘Like’ jacking
• Policy and User Awareness: users are there, organizations are still trying to catch up
• Who is the customer? (Schneier)
Fake Profiles and Applications
The fake “Robin Sage” Twitter account was intended to attract highly placed officials within government and security.
“Apps are the criminals’ eyes”
Phishing and Variants
• Traditional phishing still in use, but limited
• Spear-phishing: targeted phishing
  - IT Admins
  - Specific job roles
  - Specific companies
• Whaling: phishing attempts specifically targeting a high value target
  - C-level execs
Cybercrime ROI: Potentials
Mobile Devices: Symbian attacks had limited success; smart phone attacks are more about exploiting the apps and users, haven’t targeted OS vulnerabilities yet; limited malware development (Zitmo – ZeuS in the Mobile)
VoIP Abuse: Brute force attacks on public PBX, intercepts and mailboxes, ‘vishing’*, network access point to jump VLANs, insider fraud. DDoS of VoIP services.
*vishing: social engineering using voice call phishing, usually for financial gain or sensitive information.
Spamming Gets Social, and Mobile
Scammers trick social network users into “liking” an intriguing Facebook page, allowing the scammers to see user profiles.
App Stores and Download Security Models
Apple – tightly controlled
RIM – tightly controlled
Microsoft - proprietary controlled
Android – Wide open, few checks, open operating system
Third Party sites: no guarantees
‘Apps’ are the Criminals’ Eyes
ROI Cash Cows: oldies, but goodies
Advance Fee Fraud: Nigerian 419, Black Money…any and every scam involving the advancing of real money for promised returns
Pharma Spam: Very popular with spam Botnets; purchasing drugs at very low cost, illegal in host country, snake oil
Spyware/Scareware: ‘You are infected’, but ‘we can fix it.’ Fake AV was the 2009 and 2010 Top Money Maker for criminals
Click Redirect Fraud (and ‘Like’ jacking): Web forms, account information, credit cards, personal information
ROI Stars
Web Exploits: iFrame injection, compromised advertisement feeds, JavaScript, Search Engine Optimization, toolkits making it easier to hide
Data Theft Trojans: Zeus/SpyEye is still the king, and improving toolkits. Code exposure will likely spur even more activity
Money Laundering: The criminals’ weakest point, actively changing methods, cashing out
Web Malware
Web malware encountered tripled in first half of 2011
Web searches resulted in 9% of Web malware encounters, with an average of 33% resulting from Google search engine results pages
Toolkits making it easier: Blackhole, Neosploit, Phoenix and Random JS
Criminals’ #1 Tool: Botnet Trends
Despite takedowns and ‘vacations’, top Botnets reinvent, reshape, and retool.
Shifting Botnet Activity: In 2010, the Top 10 largest botnets accounted for approximately 47% of all botnet compromised victims – down from 81% of the 2009 Top 10. Smaller and more numerous in 2011 (Top 20, 50?)
Damballa: Eight out of the Top 10 botnet operators utilized popular “off-the-shelf” construction kits. Only “TDL/TDSS Gang” and “Eleonore Downloader Gang” are not known to be using DIY kits.
Vulnerability Trends
Annual Vendor Vulnerabilities
The Apple Example: managing open source software
Few exploits are currently being created for Apple-specific platforms, but exploits are being created for vulnerabilities in the open source software those platforms include.
This is a totally hidden area of vulnerability for most organizations
Vendor Security Improving: SDLC, researcher and vendor coordination, responsible and coordinated disclosure
Favoring Java: Going Cross-Platform
In 2010, Java exploits rose while PDF exploits fell.
The Tipping Point
U.S. Smartphone Usage
• 72.5 million people in the U.S. used mobile devices (+15% Q/Q)
• Top Smartphone Platforms Ending MAR 2011:
Platform     DEC 2010   MAR 2011   CHG
Google       28.7%      34.7%      +6.0
RIM          31.6%      27.1%      -4.5
Apple        25.0%      25.5%      +0.5
Microsoft     8.4%       7.5%      -0.9
Palm          3.7%       2.8%      -0.9
• What are they doing?
Activity                                   DEC 2010   MAR 2011   CHG
Sent text message to another phone         68.0%      68.6%      +0.6
Used browser                               36.4%      38.6%      +2.2
Played games                               23.2%      25.7%      +2.5
Used Downloaded Apps                       34.4%      37.3%      +2.9
Accessed Social Networking Site or Blog    24.7%      27.3%      +2.9
Listened to music on mobile phone          15.7%      17.9%      +2.2
Source - comScore Reports March 2011
Social Engineering: 7 Human Weaknesses
1. Sex Appeal – it’s still the best seller
2. Greed – too good to be true?
3. Vanity – you are special, right?
4. Trust – implied or transient
5. Sloth – don’t check, it’s probably okay…
6. Compassion – please…donations, lost, need help, any emergency, disaster…
7. Urgency – ‘must act now’, ‘time is running out’…
Passwords: Access and Authentication
The problem of weak, guessable passwords is not a new one, but it isn’t going away—in fact, it’s getting worse due to reuse
Secondary Authentication has its own weaknesses and could open the user to being phished (email account as authentication factor, secret questions?)
Too many passwords, and using the same password on multiple web sites
Multi-Factor authentication using device or location, SMS one-time passwords…improving but heavily dependent on implementation controls
Trust: Implied and Transient
Implied Trust: An individual, business or organization that users are familiar with and implicitly trust: Email security updates from major vendors, their banks, government agencies, FedEx/UPS/DHL
Transient Trust: The six degrees of separation/Small World Experiment, chain of trust, friend of a friend, of a friend…inherently flawed trust model used on social networks
“Advanced Persistent Threats”
Advanced, persistent, and a threat
- This is not your script kiddie’s attack
- It is not your typical blended/combined attack
What is your risk?
- Are you really vulnerable?
- Is it a real threat?
- What is the real impact?
Throw “Black Swan” in there too?
APTs will become more common, continue to evolve, increase in sophistication, automation and availability
Distributed Denial of Service Attacks
• Sourced from Botnets and attack tools – think DDoS as a Service (DDaaS)
• Diverse targets disrupting service to millions of customers
  – Cloud computing provider
  – Web hosting provider
  – Security provider
  – DNS registrar
  – Telecom provider
• Targeting DNS to amplify attacks
• Not extortion attempts
• LOIC tool – Anonymous/LulzSec
Threats on the Horizon
Productivity Technologies
• More types of new devices being added to networks
• Diversity of OS’s and Apps
• New network entry and exit points
• More data in more places
“…software glitches that need to be fixed—are part of the 'new reality' of making complex cell phones in large volumes.”
—Jim Balsillie, Co-CEO, Research In Motion (RIM)
Enable or Limit?
Productivity Technologies
• Corporate network has expanded and is a key platform for growth
• Also more permeable: remote access, web-based tools, mobile devices
• Essential to today’s workforce
• Don’t be King Canute (Knud); you can’t stop the rising tide
Distributed Workforce
• Borderless networking is real and now, but… true “federated” security systems are a ways off yet
• Layers of defense and policy enforcement are critical: drop bad traffic as close to the source as possible, but ensure you’ve got at least a couple of “last lines of defense”. Identity Based Networking can help
• People and Processes Key to Mitigate Risk: user awareness and effective business processes are as important as technology solutions
What to Do?
Things You Can Do - Corp
Stick to the Basics: Defense in Depth, Risk Management, Incident Response, Logging/Monitoring
Establish policy, procedures and processes and enforce them with active controls
Use your existing technology to its full capabilities
Protect in both directions: inbound and outbound
Educate your users and staff
Stay focused: Don’t be distracted by the threat du jour
Cyber Security Strategy
• Strategy, Policy and Procedures
• Security Architecture
• Risk Management
• Holistic Approach
• (Your) Best Practices
• Continuous Monitoring
• Incident Response
• Awareness and Training
• Business Continuity / Disaster Recovery
Defense in Depth Security Controls
Security is not binary, it’s percentages
Control layers around Data, Systems and Assets (slide diagram):
Administrative: Human/Policy
Technical: Application/Service
Technical: System/Platform
Technical: Network/Logical
Physical & Environment
Continuous Monitoring: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics / SANS Control #6
IDS/IPS
AV/Anti-Malware/Anti-Spyware
System Logs
Application logs
Patch Status
Vulnerability Scans
DNS logging
Configuration/Change Management system alerts
Failed Logins for privileged accounts
Physical security logs for access to restricted areas
Data Loss Prevention data
Remote Access logs
Network device logs
Account monitoring:
  Locked out
  Disabled
  Terminated personnel
  Transferred personnel
  Dormant accounts
  Passwords that have reached the maximum password age
  Passwords that never expire
Outbound traffic, including large transfers of data, unencrypted or encrypted
Port scans
Network access control lists and firewall rule sets
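Several of the continuous-monitoring items in the list above (failed logins for privileged accounts, dormant accounts, terminated personnel, passwords past maximum age or that never expire) can be checked mechanically once account and authentication data are available. The script below is an added example, not part of the Cisco deck: it parses a constructed key=value authentication log, counts failed logins against privileged accounts, and reviews a constructed account inventory for the account-monitoring conditions. The log format, the account fields and the thresholds (3 failures, 90 days dormant, 90-day maximum password age) are this example's own assumptions, not anything the slides specify.

```python
"""Continuous-monitoring checks over constructed account and auth-log data (example only)."""
from collections import Counter
from datetime import date

# Report date used by the checks below (constructed for the example).
REPORT_DATE = date(2011, 9, 30)

# Constructed sample account inventory; field names are this example's own.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "status": "active", "employed": True,
     "last_login": date(2011, 9, 29), "pwd_set": date(2011, 8, 1), "pwd_expires": True},
    {"user": "bob", "privileged": False, "status": "active", "employed": True,
     "last_login": date(2011, 3, 1), "pwd_set": date(2011, 9, 1), "pwd_expires": True},
    {"user": "svc_backup", "privileged": True, "status": "active", "employed": True,
     "last_login": date(2011, 9, 30), "pwd_set": date(2009, 1, 1), "pwd_expires": False},
    {"user": "carol", "privileged": False, "status": "active", "employed": False,
     "last_login": date(2011, 9, 20), "pwd_set": date(2011, 8, 15), "pwd_expires": True},
]

# Constructed sample authentication log in a simple "timestamp key=value ..." format.
AUTH_LOG = """\
2011-09-30T08:00:01 host=srv1 user=alice result=FAIL src=10.0.0.5
2011-09-30T08:00:04 host=srv1 user=alice result=FAIL src=10.0.0.5
2011-09-30T08:00:09 host=srv1 user=alice result=FAIL src=10.0.0.5
2011-09-30T08:01:00 host=srv1 user=alice result=OK src=10.0.0.5
2011-09-30T08:02:00 host=srv2 user=bob result=FAIL src=10.0.0.8
2011-09-30T08:02:05 host=srv2 user=bob result=FAIL src=10.0.0.8
2011-09-30T08:03:00 host=srv1 user=svc_backup result=FAIL src=10.0.0.9
"""


def parse_auth_log(text):
    """Parse 'timestamp key=value ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        event = {"ts": parts[0]}
        for token in parts[1:]:
            if "=" in token:
                key, value = token.split("=", 1)
                event[key] = value
        if "user" in event and "result" in event:
            events.append(event)
    return events


def failed_privileged_logins(events, accounts, threshold=3):
    """Return {user: failure_count} for privileged accounts with at least `threshold` failures."""
    privileged = {a["user"] for a in accounts if a["privileged"]}
    failures = Counter(e["user"] for e in events
                       if e["result"] == "FAIL" and e["user"] in privileged)
    return {user: n for user, n in failures.items() if n >= threshold}


def account_findings(accounts, today, dormant_days=90, max_pwd_age_days=90):
    """Flag terminated-but-active accounts, dormant accounts and password-age issues."""
    findings = []
    for a in accounts:
        if a["status"] == "active" and not a["employed"]:
            findings.append((a["user"], "terminated personnel with active account"))
        if (today - a["last_login"]).days > dormant_days:
            findings.append((a["user"], "dormant account"))
        if not a["pwd_expires"]:
            findings.append((a["user"], "password never expires"))
        elif (today - a["pwd_set"]).days > max_pwd_age_days:
            findings.append((a["user"], "password past maximum age"))
    return sorted(findings)


if __name__ == "__main__":
    events = parse_auth_log(AUTH_LOG)
    print("privileged accounts over failure threshold:", failed_privileged_logins(events, ACCOUNTS))
    for user, finding in account_findings(ACCOUNTS, REPORT_DATE):
        print(f"{user}: {finding}")
```

In the constructed data only alice crosses the failure threshold (svc_backup has a single failure and bob is not privileged), while the account review reports bob as dormant, carol as terminated personnel with an active account, and svc_backup for a password that never expires. Real deployments would feed these checks from the directory and log sources the slide lists rather than from inline data, and tune the thresholds to local policy.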
Things You Can Do - Users
• Secure the browsers: www.us-cert.gov/reading_room/securing_browser/
• Manage Passwords: use the available tools
• Manage Your Mobile Devices and Users: password, encryption, remote management
• Establish Social Network Privacy Settings
• Avoid Free and Public Wi-Fi Connections
Thank You
visit us for more at
www.cisco.com/security