Henry Stern Senior CSIRT Investigator At Privacy, Access and Security Congress 2012 October 4, 2012


Page 1: Henry Stern, Senior CSIRT Investigator

At Privacy, Access and Security Congress 2012, October 4, 2012

Page 2: “There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage.”

Source: Security’s New Reality: Assume the Worst; Dark Reading

Cisco Highly Confidential – do not distribute

Page 3: CSIRT workflow (diagram)

Event Analysis (12 hr), fed by events plus data, leads to Investigations (12 hr).

Investigation outcomes: inconclusive, solved, APT, false positive.

Outputs:

• remediations

• incident summaries

• best practices

• product guidance

• metrics

Page 4: Posture Evolution

2000

Cisco Posture: Unprotected desktops

Malware: Worms

Network Behavior: Disruptive

Threat Depth: Annoyance

Cisco Response: Deploy AV

2005

Cisco Posture: Unmanaged desktops

Malware: Rapidly changing and proliferating

Network Behavior: Compromised hosts remotely controlled

Threat Depth: Individual host

Cisco Response: 1) Deploy CSA; 2) Detect botnets via IDS

2011

Cisco Posture: Proliferating device types

Malware: Sophisticated

Network Behavior: Opaquely compromised hosts exfiltrate sensitive data

Threat Depth: Sensitive infrastructure

Cisco Response: 1) Detect via reputation; 2) Automate prevention; 3) Detect via behavior

Next

Cisco Posture: Cloud-connected ecosystem

Malware: Beyond Windows

Network Behavior: Cloaked as normal traffic

Threat Depth: Embedded

Cisco Response: 1) Augment detection with intel; 2) Detect via precursors; 3) Diversify intelligence and methods

Page 5: CSOC Vision: How to address loss of threat visibility

Detection layers by period (diagram):

Past: Signature, Intel

2012: Signature, Flows, Intel

2013: Behavior, Signature, Flows, Intel, Data Loss Visibility

Page 6: Example Incident 1. Detect Compromised Host

• Time: 2012-xx-xx xx:xx:xx

• Owner: ELIDED

• IP: 171.68.x.x

• Hostname: ELIDED-WXP07

• Site: SAN JOSE

• Country: UNITED STATES

• Theatre: AMER

• Hits:

ELIDED: 2

ELIDED: 2

Page 7: Example Incident 2. Mitigate via BGP Blackhole

Page 8: Example Incident 3. Locate Compromised Hosts: Query

Search for all internal hosts connecting to this command-and-control server.

Page 9: Example Incident 3. Locate Compromised Hosts

These hosts are compromised.

Page 10: Example Incident 4. Identify Victims

Search by multiple IPs. Yields owner info, including DHCP history.

Page 11: Example Incident 4. Identify Victims

Search by IP. Yields info on owning group.

Page 12: Example Incident 5. Remediate Victims (iTrack)

iTrack case record:

Case number 80208-4570

Infect Count 3

Virus Strain Exploit

Owner Dept 20072668

Last Infected 2009-05-05 10:13AM
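The five steps of the example incident (detect, blackhole, locate via flows, identify victims through DHCP history, open remediation cases), worked end to end as an added example. This is not Cisco CSIRT tooling and nothing in it comes from the slides: the flow export, the DHCP lease history, the C2 address 203.0.113.45 (a documentation address) and the internal range 10.0.0.0/8 are constructed, and the RTBH trigger-route convention (a host route to Null0 carrying tag 66) is an assumption about how the blackhole is injected.

```python
"""Walk the example incident end to end over constructed data (an added
illustration, not Cisco CSIRT tooling): an IDS alert names a C2 server, the C2
is blackholed, flow records are queried for every internal host that talked to
it, victims are attributed through DHCP lease history, and one remediation case
per victim is produced."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: the "inside" address space
C2 = ip_address("203.0.113.45")               # constructed: the C2 named by the step-1 alert

# Constructed flow export, one record per line: start,src,dst,dst_port,bytes_to_dst
FLOWS = """\
2012-10-01T08:02:11,10.1.4.23,203.0.113.45,443,5120
2012-10-01T08:02:40,10.1.4.23,203.0.113.45,443,48000
2012-10-01T09:15:02,10.7.9.8,203.0.113.45,443,4096
2012-10-01T09:16:00,10.7.9.8,198.51.100.7,80,900
2012-10-02T02:00:05,10.1.4.23,203.0.113.45,443,2200
2012-10-02T03:45:17,10.22.0.101,203.0.113.45,8080,3000
"""

# Constructed DHCP lease history: lease_start,lease_end,ip,hostname,owner
# 10.1.4.23 changes hands at 2012-10-01 18:00, so its flows split across two owners.
LEASES = """\
2012-09-30T18:00:00,2012-10-01T18:00:00,10.1.4.23,ALICE-WXP07,alice
2012-10-01T18:00:00,2012-10-02T18:00:00,10.1.4.23,BOB-W7LT,bob
2012-10-01T00:00:00,2012-10-03T00:00:00,10.7.9.8,CAROL-MAC,carol
"""

@dataclass(frozen=True)
class Flow:
    start: datetime
    src: IPv4Address
    dst: IPv4Address
    dport: int
    nbytes: int

@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime
    ip: IPv4Address
    hostname: str
    owner: str

def parse_flows(text: str) -> list[Flow]:
    rows = (ln.split(",") for ln in text.splitlines() if ln.strip())
    return [Flow(datetime.fromisoformat(t), ip_address(s), ip_address(d), int(p), int(b))
            for t, s, d, p, b in rows]

def parse_leases(text: str) -> list[Lease]:
    rows = (ln.split(",") for ln in text.splitlines() if ln.strip())
    return [Lease(datetime.fromisoformat(a), datetime.fromisoformat(z), ip_address(ip), h, o)
            for a, z, ip, h, o in rows]

def is_internal(ip: IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)

def blackhole_trigger_route(c2: IPv4Address, tag: int = 66) -> str:
    """Step 2, RTBH trigger: a tagged host route to Null0 on the trigger router is
    redistributed into iBGP, and a route-map matching the tag sets the next hop to
    a discard address that every edge router already routes to Null0.  The tag
    value and the route-map are site conventions and are assumed here."""
    return f"ip route {c2} 255.255.255.255 Null0 tag {tag}"

def locate_compromised(flows: list[Flow], c2: IPv4Address) -> list[Flow]:
    """Step 3: retrospective flow query for every internal host that reached the
    C2 on any port; filtering on destination address rather than port also
    catches the victim beaconing on 8080."""
    return [f for f in flows if f.dst == c2 and is_internal(f.src)]

def owner_at(leases: list[Lease], ip: IPv4Address, when: datetime) -> Optional[Lease]:
    """Step 4: attribute the address to the lease active at the time of the flow,
    not the current lease; a DHCP address may have changed hands since."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None

def open_cases(flows: list[Flow], leases: list[Lease], c2: IPv4Address) -> dict:
    """Step 5: one remediation case per (hostname, owner) with the fields a ticket
    like the iTrack record carries (infect count, last-infected time).  Flows
    with no lease at that time become an UNKNOWN case, not a silent drop."""
    cases: dict = {}
    for f in locate_compromised(flows, c2):
        lease = owner_at(leases, f.src, f.start)
        key = (lease.hostname, lease.owner) if lease else (str(f.src), "UNKNOWN")
        case = cases.setdefault(key, {"ips": set(), "infect_count": 0,
                                      "last_infected": f.start, "bytes_to_c2": 0})
        case["ips"].add(str(f.src))
        case["infect_count"] += 1
        case["last_infected"] = max(case["last_infected"], f.start)
        case["bytes_to_c2"] += f.nbytes
    return cases

if __name__ == "__main__":
    print(blackhole_trigger_route(C2))
    for (host, owner), case in open_cases(parse_flows(FLOWS), parse_leases(LEASES), C2).items():
        print(f"{host:14} {owner:8} hits={case['infect_count']} "
              f"last={case['last_infected'].isoformat()} bytes={case['bytes_to_c2']}")
```

The point to notice is in step 4: the same address 10.1.4.23 produces two cases (ALICE-WXP07 and BOB-W7LT) because the lease changed between the flows, which is why the victim lookup on page 10 returns DHCP history rather than a single current owner. The flow query in step 3 is retrospective, so it still works after the C2 has been blackholed in step 2; only traffic recorded before the route took effect is available to it.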
