TRANSCRIPT
Henry Stern, Senior CSIRT Investigator
At Privacy, Access and Security Congress 2012, October 4, 2012
“There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage.”
Source: Security’s New Reality: Assume the Worst; Dark Reading
Cisco Highly Confidential – do not distribute
Event Analysis / Investigations
[Diagram; recoverable labels: events + data; 12 hr; 12 hr]
Outcomes: inconclusive, solved, APT, false positive
Outputs:
• remediations
• incident summaries
• best practices
• product guidance
• metrics
Posture Evolution
2000: Cisco Posture: Unprotected desktops. Malware: Worms. Network Behavior: Disruptive. Threat Depth: Annoyance. Cisco Response: Deploy AV.
2005: Cisco Posture: Unmanaged desktops. Malware: Rapidly changing and proliferating. Network Behavior: Compromised hosts remotely controlled. Threat Depth: Individual host. Cisco Response: 1) Deploy CSA; 2) Detect botnets via IDS.
2011: Cisco Posture: Proliferating device types. Malware: Sophisticated. Network Behavior: Opaquely compromised hosts exfiltrate sensitive data. Threat Depth: Sensitive infrastructure. Cisco Response: 1) Detect via reputation; 2) Automate prevention; 3) Detect via behavior.
Next: Cisco Posture: Cloud-connected ecosystem. Malware: Beyond Windows. Network Behavior: Cloaked as normal traffic. Threat Depth: Embedded. Cisco Response: 1) Augment detection with intel; 2) Detect via precursors; 3) Diversify intelligence and methods.

CSOC Vision: How to address loss of threat visibility
[Diagram; columns Past, 2012, 2013. Past: Signature. 2012: Signature, Flows, Intel. 2013: Behavior, Signature, Flows, Intel. Axis labels: Data Loss, Visibility]
Example Incident: 1. Detect Compromised Host
• Time: 2012-xx-xx xx:xx:xx
• Owner: ELIDED
• IP: 171.68.x.x
• Hostname: ELIDED-WXP07
• Site: SAN JOSE
• Country: UNITED STATES
• Theatre: AMER
• Hits:
  ELIDED: 2
  ELIDED: 2
Example Incident: 2. Mitigate via BGP Blackhole

Example Incident: 3. Locate Compromised Hosts: Query
Search for all internal hosts connecting to this command-and-control server.

Example Incident: 3. Locate Compromised Hosts
These hosts are compromised.
Example Incident: 4. Identify Victims
Search by multiple IPs; yields owner info, including DHCP history.

Example Incident: 4. Identify Victims
Search by IP; yields info on owning group.
Example Incident: 5. Remediate Victims
iTrack
Case number: 80208-4570
Infect Count: 3
Virus Strain: Exploit
Owner Dept: 20072668
Last Infected: 2009-05-05 10:13AM
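Steps 3 and 4 of the example incident (query for every internal host that connected to the command-and-control server, then look up owner info using DHCP history), as an added Python example that is not part of the talk or of any Cisco tooling. The flow records, lease history, internal address range and owner names are constructed; the point it shows is that each hit must be resolved against the DHCP lease that held the address at the time of the flow, and that hits with no covering lease are flagged rather than silently attributed.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample flow records for this example (not data from the talk):
# (timestamp, source IP, destination IP, destination port)
FLOWS = [
    ("2012-10-01 09:15:00", "10.10.1.20", "203.0.113.5", 443),
    ("2012-10-01 09:16:30", "10.10.1.21", "198.51.100.7", 80),   # unrelated destination
    ("2012-10-01 11:40:00", "10.10.1.20", "203.0.113.5", 443),
    ("2012-10-01 12:30:00", "10.10.1.20", "203.0.113.5", 443),   # no lease covers this time
    ("2012-10-01 14:02:10", "10.10.2.9", "203.0.113.5", 8080),
    ("2012-10-01 15:00:00", "192.0.2.44", "203.0.113.5", 443),   # external source, not ours
    ("2012-10-02 08:00:00", "10.10.1.20", "203.0.113.5", 443),
]
# Constructed DHCP lease history: (ip, lease start, lease end, hostname, owner)
LEASES = [
    ("10.10.1.20", "2012-10-01 08:00:00", "2012-10-01 12:00:00", "ELIDED-WXP07", "alice"),
    ("10.10.1.20", "2012-10-02 07:30:00", "2012-10-02 19:00:00", "ELIDED-WXP11", "bob"),
    ("10.10.2.9", "2012-10-01 13:00:00", "2012-10-01 18:00:00", "ELIDED-WXP02", "carol"),
]
INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address space

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def lease_at(ip, when, leases):
    """Return (hostname, owner) holding `ip` at `when`, or None if no lease covers it."""
    for lease_ip, start, end, hostname, owner in leases:
        if lease_ip == ip and parse(start) <= when <= parse(end):
            return hostname, owner
    return None

def identify_victims(c2_ip, flows=FLOWS, leases=LEASES):
    """Steps 3 and 4: internal hosts that talked to the C2, each hit resolved against
    the DHCP lease that held the address at the time of the flow (not the lease held now)."""
    victims = {}     # (hostname, owner) -> list of hit timestamps
    unresolved = []  # (src ip, timestamp) with no covering lease: needs manual follow-up
    for ts, src, dst, _port in flows:
        if dst != c2_ip or not is_internal(src):
            continue
        lease = lease_at(src, parse(ts), leases)
        if lease is None:
            unresolved.append((src, ts))
        else:
            victims.setdefault(lease, []).append(ts)
    return victims, unresolved
```

With the constructed data, the single address 10.10.1.20 resolves to two different victims on two days, and its 12:30 hit lands in a gap between leases and is reported as unresolved.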