Cisco Connect Toronto 2017 - Anatomy of an Attack

© 2016 Cisco and/or its affiliates. All rights reserved.

Transcript of Cisco Connect Toronto 2017 - Anatomy-of-attack (53 slides)

Page 1: Cisco Connect Toronto 2017 - Anatomy-of-attack

Cisco Connect

Anatomy of an Attack
Chris Parker-James, Consulting Systems Engineer, Cloud Security

October 12th, 2017

Page 2

Agenda

- Anatomy of an Attack
- What's Changed?
- Cisco's Solution: Cisco Umbrella, Cisco Cloudlock
- Why Cisco?

Page 3

Anatomy of a cyber attack

1. Reconnaissance and infrastructure setup: domain registration, IP and ASN intelligence
2. Patient zero hit
3. Monitor and adapt based on results
4. Target expansion
5. Wide-scale expansion
6. Defense signatures built

The point of the timeline is that signature-based defenses arrive only after the attack has already spread; the rest of the deck argues for catching the infrastructure-setup phase instead.

Page 4

Locky / WannaCry ransomware

Page 5

Mapping attacker infrastructure

Timeline (figure): Umbrella flagged *.7asel7[.]top (Locky) on Aug 17, 26 days ahead of the Sep 12 marker on the slide.

Pivots used to expand from the seed domain:
- Domain → IP association
- IP → Sample association
- IP → Network association
- IP → Domain association
- WHOIS association
- Network → IP association

Page 6

Mapping attacker infrastructure

Pivot chain (figure):
- Seed: *.7asel7[.]top (Locky)
- Domain → IP association: 91.223.89.201, 185.101.218.206
- IP → Sample association: 600+ Threat Grid files, e.g. SHA256 0c9c328eb66672ef1b84475258b4999d6df008 (hash truncated on the slide)
- IP → Network association: AS 197569
- IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (Cerber)

Page 7

Mapping attacker infrastructure

Timeline (figure): two Locky DGA domains, jbrktqnxklmuf[.]info and mhrbuvcvhjakbisd[.]xyz, found through a Network → Domain association. Umbrella detection dates shown: Jul 14 and Jul 18; domain registration dates shown: Jul 21, Jul 22 and Aug 21; lead times shown: -4 days, -7 days and -26 days. One threat was detected the same day its domain was registered; the other was detected before its domain was registered.
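An added example, not Cisco code, of the pivoting shown on slides 5 to 7, written in Python over constructed passive-DNS, ASN and WHOIS records. The only indicators taken from the slides are 7asel7[.]top, 8211fr[.]top, the two IP addresses and AS 197569; the dates, the registrant contact, the 203.0.113.0/24 addresses and the site*.example domains are made up. The fan-out limit is the caveat a practitioner needs: an IP shared by many unrelated domains (shared hosting, a CDN, a sinkhole) pulls in noise, so the walk reports such hubs but refuses to pivot through them.

```python
"""Pivot from one known-bad domain to related infrastructure (added example)."""
from collections import defaultdict, deque

# Constructed passive-DNS observations: (fqdn, ip, first_seen). The 7asel7.top,
# 8211fr.top, 91.223.89.201 and 185.101.218.206 indicators are from the slides;
# everything else is made up. 203.0.113.0/24 is a documentation range.
PDNS = [
    ("x.7asel7.top", "91.223.89.201", "2017-08-17"),
    ("y.7asel7.top", "185.101.218.206", "2017-08-18"),
    ("z.7asel7.top", "203.0.113.20", "2017-08-19"),          # shared-hosting IP
    ("ccerberhhyed5frqa.8211fr.top", "185.101.218.206", "2017-08-20"),
    ("cdn.example-legit.net", "203.0.113.10", "2017-01-05"),
]
# 60 unrelated tenants on the same shared-hosting IP (constructed).
PDNS += [(f"site{i}.example", "203.0.113.20", "2016-03-01") for i in range(60)]

# Constructed IP -> origin ASN table (AS197569 is named on the slide; AS64496 is
# reserved for documentation).
ASN = {"91.223.89.201": 197569, "185.101.218.206": 197569,
       "203.0.113.10": 64496, "203.0.113.20": 64496}

# Constructed WHOIS registrant contact per registered domain.
WHOIS = {"7asel7.top": "reg-1@example.invalid",
         "8211fr.top": "reg-1@example.invalid",
         "example-legit.net": "noc@example.net"}


def apex(fqdn):
    """Registered domain. Toy rule (last two labels); real code uses a public-suffix list."""
    return ".".join(fqdn.split(".")[-2:])


def build_graph(pdns, asn, whois):
    """Undirected graph whose nodes are (kind, value) tuples: domain, ip, asn, registrant."""
    g = defaultdict(set)

    def link(a, b):
        g[a].add(b)
        g[b].add(a)

    for fqdn, ip, _first_seen in pdns:
        link(("domain", apex(fqdn)), ("ip", ip))        # Domain -> IP association
        if ip in asn:
            link(("ip", ip), ("asn", asn[ip]))          # IP -> Network association
    for domain, registrant in whois.items():
        link(("domain", domain), ("registrant", registrant))  # WHOIS association
    return g


def pivot(g, seed, max_depth=3, max_fanout=50):
    """Breadth-first walk from seed. Returns {node: (depth, path)}.

    Nodes with more than max_fanout neighbours (shared hosting IPs, CDNs,
    large ASNs, sinkholes) are reported but not expanded, because everything
    behind them would otherwise be 'related' to everything else.
    """
    found = {seed: (0, [seed])}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        depth, path = found[node]
        if depth >= max_depth:
            continue
        if node != seed and len(g[node]) > max_fanout:
            continue
        for nbr in g[node]:
            if nbr not in found:
                found[nbr] = (depth + 1, path + [nbr])
                queue.append(nbr)
    return found


def related_domains(g, seed_domain, **kwargs):
    """Domains reachable from seed_domain, mapped to the kinds of node pivoted through."""
    found = pivot(g, ("domain", seed_domain), **kwargs)
    related = {}
    for (kind, value), (_depth, path) in found.items():
        if kind == "domain" and value != seed_domain:
            related[value] = [hop[0] for hop in path[1:-1]]
    return related


GRAPH = build_graph(PDNS, ASN, WHOIS)

if __name__ == "__main__":
    for domain, via in sorted(related_domains(GRAPH, "7asel7.top").items()):
        print(f"{domain:30s} via {' -> '.join(via)}")
```

With the defaults the walk returns only 8211fr.top (reachable through a shared IP, the shared registrant and the ASN); raising max_fanout to 1000 lets it step through the shared-hosting IP and drags in the 60 unrelated tenants, which is exactly the false association the limit prevents. When several paths exist the one recorded is whichever breadth-first search reached first, so treat the "via" list as one justification, not the only one.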

Page 8

Google OAuth attack

Page 9

Sequence of events (1 of 2)

1. Attacker sets up infrastructure and a fake app, then sends the phishing email.
2. Victim opens the email and clicks the link.

The victim is sent to Google's OAuth page to authenticate and grant permissions. The user is then redirected to an attacker-controlled website.

Page 10

Sequence of events (2 of 2)

3. Victim is prompted to allow or deny access.
4. On the backend, if allowed, Google provisions an OAuth token, appends it to the redirect_uri and instructs the victim's browser to redirect to the attacker's domain (g-cloud[.]win).
5. Attacker gains access to the OAuth token once the user is redirected to one of the attacker-controlled domains. Note: users were redirected to these domains whether they clicked Deny or Allow.
6. Attacker uses the granted privileges (email contacts, delete emails, etc.) to send emails from the victim's account and propagate the worm.

Page 11

How Cisco Security can help

Attack chain: victim opens email and clicks link → victim grants access to their account → victim is redirected to the attacker's domain → attacker gains access to the OAuth token → attacker has persistent access to the victim's account.

Controls along the chain:
- Email Security blocks malicious emails.
- Umbrella blocks the user redirect to the malicious domain; the attacker never receives the OAuth token if blocked here.
- If the attack is successful, Cloudlock revokes the OAuth token.
- Umbrella Investigate is used to research the attacker's infrastructure.

The two controls are complementary rather than redundant: the token is issued when the user clicks Allow, so blocking the redirect keeps it from reaching the attacker but does not remove the grant from the account, which is why revocation is still needed.
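The six steps on slides 9 and 10 and the two controls on slide 11, as an added simulation in Python that is not Cisco code: the provider's consent step, the browser following the redirect, and a CASB-style revocation. The client id, scope names, the accounts.example consent URL and the token format are made up; g-cloud[.]win is the attacker domain from the slide. Two things it makes concrete: the provider's redirect_uri check is correct and still useless here, because the attacker registered the rogue app with their own domain; and the token is minted when the user clicks Allow, so a DNS block stops delivery but the grant still needs revoking.

```python
"""Consent-phishing flow from slides 9-11, as a toy simulation (added example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Provider-side client registry (constructed). The attacker registered a real
# OAuth client with a plausible name and a redirect_uri on their own domain, so
# the provider's redirect_uri check passes. g-cloud.win is the domain named on
# the slide; the client id and scope names are made up.
REGISTERED_CLIENTS = {
    "fake-docs-app": {
        "name": "Google Docs",
        "redirect_uri": "https://g-cloud.win/callback",
        "scopes": {"mail.readwrite", "contacts.read"},
    },
}
ISSUED_TOKENS = {}   # token -> {"client_id": ..., "scopes": ..., "revoked": bool}


def authorization_request(client_id, state):
    """URL the phishing link leads to: the provider's consent page (steps 2-3)."""
    client = REGISTERED_CLIENTS[client_id]
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": client["redirect_uri"],
        "response_type": "token",          # implicit grant: token travels in the URL fragment
        "scope": " ".join(sorted(client["scopes"])),
        "state": state,
    })
    return "https://accounts.example/o/oauth2/auth?" + query


def consent_response(auth_url, user_allowed):
    """Provider side of step 4: build the redirect after Allow or Deny.

    Deny still redirects to the attacker's domain, with an error instead of a
    token, which matches the slide's note that users were redirected either way.
    """
    params = parse_qs(urlparse(auth_url).query)
    client_id = params["client_id"][0]
    client = REGISTERED_CLIENTS[client_id]
    if params["redirect_uri"][0] != client["redirect_uri"]:
        raise ValueError("redirect_uri does not match the registered client")
    if user_allowed:
        token = secrets.token_urlsafe(24)
        ISSUED_TOKENS[token] = {"client_id": client_id,
                                "scopes": set(client["scopes"]), "revoked": False}
        fragment = urlencode({"access_token": token, "token_type": "bearer",
                              "state": params["state"][0]})
    else:
        fragment = urlencode({"error": "access_denied", "state": params["state"][0]})
    return client["redirect_uri"] + "#" + fragment


def browser_follow(redirect_url, dns_blocklist=frozenset()):
    """Victim's browser (step 5). If the redirect host is blocked at the DNS layer
    the request, and the fragment carrying the token, never leave the machine."""
    host = urlparse(redirect_url).hostname
    if host in dns_blocklist:
        return None
    return parse_qs(urlparse(redirect_url).fragment)


def token_is_valid(token):
    entry = ISSUED_TOKENS.get(token)
    return entry is not None and not entry["revoked"]


def revoke_tokens_for_client(client_id):
    """CASB-style response: revoke every live token granted to the rogue app."""
    count = 0
    for entry in ISSUED_TOKENS.values():
        if entry["client_id"] == client_id and not entry["revoked"]:
            entry["revoked"] = True
            count += 1
    return count


def run_attack(user_allowed, dns_blocklist=frozenset()):
    """One victim through the whole chain; returns what the attacker's site received."""
    auth_url = authorization_request("fake-docs-app", state=secrets.token_hex(8))
    redirect_url = consent_response(auth_url, user_allowed)
    delivered = browser_follow(redirect_url, dns_blocklist)
    token = delivered.get("access_token", [None])[0] if delivered else None
    return {"redirected": delivered is not None, "token": token}


if __name__ == "__main__":
    print("unblocked, Allow :", run_attack(True))
    print("blocked, Allow   :", run_attack(True, {"g-cloud.win"}))
    print("unblocked, Deny  :", run_attack(False))
    print("tokens revoked   :", revoke_tokens_for_client("fake-docs-app"))
```

Running the three cases shows the blocked run still leaves a live token in ISSUED_TOKENS: nobody received it, but the grant exists until revoke_tokens_for_client removes it.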

Page 12

The way we work has changed.

Page 13

What's changed

- Apps, data, and identities move to the cloud
- Business drives use of cloud apps and collaboration is easier
- No longer need VPN to get work done
- Branch offices have direct internet access

(Diagram: HQ, branch office, roaming users)

Page 14

How risk is different today

- Users not protected by the traditional security stack
- Gaps in visibility and coverage
- Sensitive information exposed (inadvertently or maliciously)
- Users can install and use risky apps on their own

(Diagram: HQ, branch office, roaming users)

Page 15

Our solution

- Umbrella: secure access to the internet
- Cloudlock: secure usage of cloud apps

(Diagram: HQ, branch office, roaming users)

Page 16

Cisco cloud security: shared focus, complementary use cases

Use-case categories: visibility and control, threat protection, forensics, data protection, malware / ransomware.

Cloudlock, for Shadow IT and connected cloud apps (OAuth):
- Protect cloud accounts from compromise and malicious insiders
- Analyze and audit cloud logs
- Assess cloud data risk and ensure compliance
- Prevent cloud-native (OAuth) attacks

Umbrella, for all internet activity:
- Stop connections to malicious internet destinations
- Investigate attacks with internet-wide visibility
- Block C2 callbacks and prevent data exfiltration
- Prevent initial infection and C2 callbacks

Page 17

Cisco Umbrella: secure access to the internet

Page 18

Umbrella: first line of defense against internet threats

- See: visibility to protect access everywhere
- Learn: intelligence to see attacks before they launch
- Block: stop threats before connections are made

Page 19

Umbrella: start blocking in minutes

Easiest security product you'll ever deploy:
1. Sign up
2. Point your DNS
3. Done

Page 20

How fast do we resolve DNS requests? (measured in milliseconds; lower is better)

Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, May 2017

Resolver     Overall  North America  Europe/EMEA  Asia/APAC  Latin America  Africa
SafeDNS          157             75          135        197            184     322
FreeDNS          130            132           41        275            225     195
DNS.WATCH        119            106           34        268            218     169
Comodo            92             39           44        198            119     164
Level3            78             17           32        167            110     171
OpenNIC           75             38           52        119            108      81
Verisign          74             43           43        112            140     176
Dyn               50             12           31         80             73     165
Umbrella          45             17           31         59             99      23
Google            33             25           29         39             42      38

(Chart rebuilt from the extracted values; each region's figures are taken in the same resolver order as the overall ranking, which is how the bars were labelled.)

Page 21

Enterprise-wide deployment in minutes

Deployment options:
- Cisco endpoint (AnyConnect): no additional agents to deploy with AnyConnect; alternatively the Umbrella roaming client works alongside other VPNs for DNS and IP redirection.
- Cisco networking (WLAN controller, ISR 4K): out-of-the-box integration; use of tags for granular filtering and reporting; policies per VLAN/SSID.
- Other network devices (DNS/DHCP servers, wireless APs): a simple configuration change redirects DNS; policies for corporate and guests.

Page 22

Where does Umbrella fit? (Malware, C2 callbacks, phishing)

Diagram: existing controls at HQ (sandbox, NGFW, proxy, Netflow, AV), at the branch (router/UTM, AV) and for roaming users (AV only).

First line: it all starts with DNS
- Precedes file execution and IP connection
- Used by all devices
- Port agnostic

Page 23

Built into the foundation of the internet

Umbrella provides:
- Connection for safe requests
- Prevention for user- and malware-initiated connections
- Proxy inspection for risky URLs

(Diagram: safe request vs blocked request)

Page 24

Enforcement

- Requests for "risky" domains are sent through the intelligent proxy
- URL inspection: Cisco Talos feeds, Cisco WBRS, partner feeds, custom URL block list
- File inspection: AV engines, Cisco AMP

Page 25

Enforcement: prevents connections before and during the attack

- Before the attack, web and email-based infection: malvertising / exploit kit; phishing / web link; watering hole compromise
- During the attack, command and control callback: malicious payload drop; encryption keys; updated instructions

Stops data exfiltration and ransomware encryption.

Page 26

Intelligence: our view of the internet

- 100B requests per day
- 12K enterprise customers
- 85M daily active users
- 160+ countries worldwide

Page 27

Intelligence to see attacks before they launch

- Data: Cisco Talos feed of malicious domains, IPs, and URLs; Umbrella DNS data (100B requests per day)
- Security researchers: industry-renowned researchers build models that can automatically classify and score domains and IPs
- Models: dozens of models continuously analyze millions of live events per second and automatically uncover malware, ransomware, and other threats

Page 28

Statistical models (intelligence: 2M+ live events per second, 11B+ historical events)

- Guilt by inference: co-occurrence model, geolocation model, secure rank model
- Guilt by association: predictive IP space modeling, passive DNS and WHOIS correlation
- Patterns of guilt: spike rank model, natural language processing rank model, live DGA prediction

Page 29

Co-occurrence model: domains guilty by inference

Figure: a.com b.com c.com [x.com] d.com e.com f.com along a time axis (time -, time +). x.com is the known malicious domain; the domains requested immediately before and after it are possible malicious domains.

Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
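An added example, not Cisco code, of the co-occurrence idea on this slide in Python: it parses a constructed DNS query log (timestamp, identity, domain), finds every domain that identities requested within a short window of a known-bad domain, and scores each by how many identities did so and what share of that domain's requesters they represent. The log lines and domain names are made up; the window and thresholds stand in for the slide's "statistically significant" test, and the popularity cut-off is the check that keeps a CDN or search engine, which co-occurs with everything, from being accused.

```python
"""Co-occurrence over DNS query logs (added example)."""
from collections import defaultdict

# Constructed query log, one line per lookup: "<epoch> <identity> <domain>".
# x.example plays the known-malicious domain from the slide's figure.
T0 = 1507800000
LOG_LINES = []
for n in range(1, 5):                       # four identities that went through the chain
    LOG_LINES += [f"{T0 + n * 1000} id{n} popular.example",
                  f"{T0 + n * 1000 + 2} id{n} b.example",
                  f"{T0 + n * 1000 + 5} id{n} x.example",
                  f"{T0 + n * 1000 + 8} id{n} d.example",
                  f"{T0 + n * 1000 + 200} id{n} popular.example"]
for n in range(5, 13):                      # eight identities with ordinary traffic
    LOG_LINES += [f"{T0 + n * 1000} id{n} popular.example",
                  f"{T0 + n * 1000 + 30} id{n} news.example"]
LOG_LINES.append(f"{T0 + 99000} id7 d.example")   # d.example also seen on its own


def parse(lines):
    """Turn log lines into (epoch, identity, domain) tuples."""
    events = []
    for line in lines:
        ts, ident, domain = line.split()
        events.append((int(ts), ident, domain.lower().rstrip(".")))
    return events


def cooccurring_domains(events, bad_domain, window_s=30, min_identities=3, max_popularity=0.5):
    """Domains that identities request within window_s seconds of bad_domain.

    Returns {domain: {"identities": n, "ratio": r}} where ratio is the share of
    that domain's requesters who also hit bad_domain nearby. Domains requested
    by more than max_popularity of all identities are ignored: a CDN or search
    engine co-occurs with everything and says nothing about guilt.
    """
    by_identity = defaultdict(list)
    for ts, ident, domain in events:
        by_identity[ident].append((ts, domain))
    total = len(by_identity)

    requesters = defaultdict(set)   # domain -> identities that requested it at all
    nearby = defaultdict(set)       # domain -> identities that requested it near bad_domain
    for ident, queries in by_identity.items():
        queries.sort()
        for _ts, domain in queries:
            requesters[domain].add(ident)
        bad_times = [ts for ts, domain in queries if domain == bad_domain]
        for bad_ts in bad_times:
            for ts, domain in queries:
                if domain != bad_domain and abs(ts - bad_ts) <= window_s:
                    nearby[domain].add(ident)

    results = {}
    for domain, idents in nearby.items():
        if len(requesters[domain]) / total > max_popularity:
            continue
        if len(idents) >= min_identities:
            results[domain] = {"identities": len(idents),
                               "ratio": round(len(idents) / len(requesters[domain]), 2)}
    return results


if __name__ == "__main__":
    for domain, stats in sorted(cooccurring_domains(parse(LOG_LINES), "x.example").items()):
        print(domain, stats)
```

On the constructed log b.example and d.example come out as candidates (b.example with every one of its requesters also touching x.example, d.example with four of five), while popular.example, which was just as close in time, is dropped by the popularity cut-off. At Umbrella's scale the thresholds would be set from the distribution of the scores rather than by hand, but the shape of the computation is the same.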

Page 30

Spike rank model: patterns of guilt

Figure: DNS requests for y.com plotted over days.

- A massive amount of DNS request volume data is gathered and analyzed.
- The DNS request volume matches a known exploit kit pattern and predicts a future attack (patterns exist for DGA, malware, exploit kit and phishing).
- y.com is blocked before it can launch the full attack.

Page 31

Predictive IP space monitoring: guilt by association

- Pinpoint suspicious domains and observe their IP's fingerprint
- Identify other IPs, hosted on the same server, that share the same fingerprint
- Block those suspicious IPs and any related domains

Figure: a domain resolving to 209.67.132.476, 209.67.132.477, 209.67.132.478 and 209.67.132.479 (illustrative addresses as printed on the slide; an octet above 255 is not a valid IPv4 address).

Page 32

'Sender Rank' model: predict domains related to spammers

Identify queries to spam reputation services. The mail servers of our 85M+ users check email reputation services for spam, so we see the requests made to check domains found in emails, e.g. a.spam.ru.checkspam.com and b.spam.ru.checkspam.com (the domain of the sender prefixed to the domain of the reputation service).

Confirm the "Hailstorm" domain. "Hailstorm" spam uses many FQDNs, e.g. subdomains a.spam.ru, b.spam.ru ... z.spam.ru of the suspect domain spam.ru, to hide from reputation services. The model aggregates hourly graphs per domain; short bursts of 1000s of FQDNs identify the suspect domain. Behaviour patterns checked: type of domain, domain popularity, historical activity.

Identify the owners of "Hailstorm" domains: after confirmation, query WHOIS records to get the registrant of the sender domain.

Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware. The model automatically places registrants on a watch list; when new domains are registered at a future time, the model automatically verifies them and the new malicious domain is blocked by Umbrella.

Page 33

'Newly Seen Domains' category reduces risk of the unknown

Events:
1. Attackers register domains. Umbrella's Auto-WHOIS model may predict them as malicious.
2. Any user (free or paid) requests the domain [1].
3. Before expiration [3], if any user requests this domain, it is logged or blocked as newly seen.
4. Later, Umbrella statistical models or reputation systems identify it as malicious.
5. Domains used in an attack.

How the category is built:
1. Any user (free or paid) requests the domain.
2. Every minute, we sample from our streaming DNS logs.
3. Check if the domain was seen before and if it is whitelisted [2].
4. If not, add it to the category, and within minutes DNS resolvers are updated globally.

Protection windows (figure): Cisco Umbrella protects within minutes of the first request and for the following 24 hours; reputation systems protect only after days to weeks, leaving users unprotected or potentially unprotected in between; before the first request the domain is "not yet a threat".

Notes: [1] May have predictively blocked it already, and likely the first requestor was a free user. [2] E.g. a domain generated for a CDN service. [3] Usually 24 hours, but modified for best results, as needed.
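The four-step procedure on this slide, as an added Python example that is not Cisco's code: a tracker that classifies each query as allowlisted, newly added, still inside the newly-seen window, or known, with a per-interval batch method that returns the domains to push to resolvers. The 24-hour window, the allowlist suffix and the sample queries are constructed; the registered-domain rule is a toy (last two labels) and real code would use a public-suffix list.

```python
"""'Newly seen domains' tracker over a stream of DNS queries (added example)."""


class NewlySeenDomains:
    """Tracks when each registered domain was first requested.

    A domain is 'newly seen' from its first request until ttl_s later (the slide
    says usually 24 hours). Queries in that window are what a resolver would log
    or block under the Newly Seen Domains category. Allowlisted suffixes (for
    example a CDN that generates throwaway hostnames) are never categorised.
    """

    def __init__(self, ttl_s=24 * 3600, allowlist_suffixes=()):
        self.ttl_s = ttl_s
        self.allowlist = tuple(s.lower() for s in allowlist_suffixes)
        self.first_seen = {}            # registered domain -> epoch of first request

    @staticmethod
    def registered_domain(fqdn):
        """Toy rule (last two labels); production code uses a public-suffix list."""
        labels = fqdn.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])

    def seed(self, domains, ts):
        """Pre-load history so the first run does not flag every domain on the internet."""
        for d in domains:
            self.first_seen.setdefault(self.registered_domain(d), ts)

    def _allowlisted(self, fqdn):
        fqdn = fqdn.lower().rstrip(".")
        return any(fqdn == s or fqdn.endswith("." + s) for s in self.allowlist)

    def observe(self, ts, fqdn):
        """Classify one query: 'allowlisted', 'added', 'newly_seen' or 'known'."""
        if self._allowlisted(fqdn):
            return "allowlisted"
        domain = self.registered_domain(fqdn)
        first = self.first_seen.get(domain)
        if first is None:
            self.first_seen[domain] = ts          # step 4: enters the category now
            return "added"
        if ts - first <= self.ttl_s:
            return "newly_seen"                   # step 3: logged or blocked
        return "known"                            # window expired; other models take over

    def process_batch(self, events):
        """One sampling interval (step 2) of (ts, fqdn) pairs.

        Returns the registered domains that entered the category in this batch,
        i.e. the update that would be pushed to the resolvers.
        """
        added = set()
        for ts, fqdn in events:
            if self.observe(ts, fqdn) == "added":
                added.add(self.registered_domain(fqdn))
        return sorted(added)

    def category(self, now):
        """Registered domains currently inside the newly-seen window."""
        return {d for d, first in self.first_seen.items() if now - first <= self.ttl_s}


if __name__ == "__main__":
    nsd = NewlySeenDomains(allowlist_suffixes=("cdn-generated.example",))
    nsd.seed(["example.net"], ts=0)
    print(nsd.process_batch([(100, "a.new-site.example"), (101, "x.cdn-generated.example"),
                             (102, "www.example.net")]))
    print(nsd.observe(200, "b.new-site.example"), nsd.observe(100_000, "c.new-site.example"))
```

Two practical points the code makes explicit: seeding with history is what keeps the first run from declaring the whole internet new, and once the window expires the domain is simply "known", so the category only buys time for the reputation and statistical models to classify it, which is the slide's argument.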

Page 34

Our efficacy (intelligence)

- Discover: 3M+ daily new domain names
- Identify: 60K+ daily malicious destinations
- Enforce: 7M+ malicious destinations while resolving DNS

Page 35

What sets Umbrella apart from competitors

- Easiest connect-to-cloud deployment
- Fastest and most reliable cloud infrastructure
- Broadest coverage of malicious destinations and files
- Most open platform for integration
- Most predictive intelligence to stop threats earlier

Page 36

Cisco Cloudlock: secure usage of cloud apps

Page 37

Cloudlock can provide visibility and control over global cloud activities (diagram centred on the user).

Page 38

Key questions organizations have

- Users/Accounts: Who is doing what in my cloud applications? How do I detect account compromises? Are malicious insiders extracting information?
- Data: Do I have toxic and regulated data in the cloud? Do I have data that is being shared inappropriately? How do I detect policy violations?
- Applications: How can I monitor app usage and risk? Do I have any 3rd-party connected apps? How do I revoke risky apps?

Page 39

Cisco Cloudlock addresses customers' most critical cloud security use cases

- Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware
- Use cases: Shadow IT / OAuth discovery and control; data exposures and leakages; privacy and compliance violations; compromised accounts; insider threats

Page 40

Here's an example of why you need cloud user security

- North America, 9:00 AM ET: login
- Africa, 10:00 AM ET: data export

In one hour. Distance from the US to the Central African Republic: 7,362 miles; at a speed of 800 mph it would take 9.2 hours to travel between them.

Page 41

Have you ever been to 68 countries in one week?
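The arithmetic on slides 40 and 41 generalised, as an added Python example (not Cloudlock code): a haversine distance between consecutive events per user and the speed that would be needed to connect them. The coordinates for New York, Bangui and Boston and the event timestamps are constructed to mirror the slide (login at 9:00 AM ET, export from Africa an hour later); a real pipeline would get them from GeoIP on each event's source address, which is why jumps below a minimum distance are ignored as lookup noise.

```python
"""Impossible-travel check over login/activity events (added example)."""
import math
from collections import defaultdict

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def hours_needed(distance_miles, speed_mph=800.0):
    """Travel time at a given speed; 800 mph is the slide's airliner figure."""
    return distance_miles / speed_mph


def impossible_travel(events, max_speed_mph=800.0, min_distance_miles=50.0):
    """Flag consecutive events per user that would need more than max_speed_mph.

    events: iterable of (user, epoch_seconds, lat, lon, action). Pairs closer
    than min_distance_miles are ignored because GeoIP places addresses at a
    city or country centroid, so small jumps are noise rather than travel.
    """
    by_user = defaultdict(list)
    for user, ts, lat, lon, action in events:
        by_user[user].append((ts, lat, lon, action))
    findings = []
    for user, evs in by_user.items():
        evs.sort()
        for (t1, la1, lo1, a1), (t2, la2, lo2, a2) in zip(evs, evs[1:]):
            distance = haversine_miles(la1, lo1, la2, lo2)
            if distance < min_distance_miles:
                continue
            hours = (t2 - t1) / 3600.0
            required = math.inf if hours == 0 else distance / hours   # same-second events
            if required > max_speed_mph:
                findings.append({"user": user, "from": a1, "to": a2,
                                 "miles": round(distance), "hours": round(hours, 2),
                                 "required_mph": round(required)})
    return findings


# Constructed events for 2017-10-12: 13:00 UTC is 9:00 AM ET. Coordinates are
# New York, Bangui (Central African Republic) and Boston; they stand in for the
# GeoIP lookups a real pipeline would do on the source IP of each event.
EVENTS = [
    ("alice", 1507813200, 40.7128, -74.0060, "login"),
    ("alice", 1507816800, 4.3947, 18.5582, "data export"),     # one hour later
    ("bob", 1507813200, 40.7128, -74.0060, "login"),
    ("bob", 1507820400, 42.3601, -71.0589, "file share"),      # two hours later, Boston
]

if __name__ == "__main__":
    print(f"{hours_needed(7362):.1f} h to cover 7,362 miles at 800 mph")
    for finding in impossible_travel(EVENTS):
        print(finding)
```

The slide's figure (7,362 miles, 9.2 hours at 800 mph) is a US-to-CAR distance; the New York-to-Bangui pair in the example comes out at roughly 6,150 miles, and either way the one-hour gap implies a speed far above anything an airliner manages, so alice is flagged and bob's two-hour hop to Boston is not. VPN egress points and cloud-hosted proxies produce the same signature as a compromised account, so the finding is a triage signal rather than a verdict.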

Page 42

More than 24,000 files per organization publicly accessible

Data exposure per organization (chart with three shares: accessible by external collaborators, accessible publicly, accessible organization-wide; the values shown are 2%, 10% and 12%).

24,000 files publicly accessible per organization; 70% of external sharing done with non-corporate email addresses.

Source: Cloudlock CyberLab

Page 43

Consider "connected" cloud apps: Pokémon Go

Pokémon Go breaks another record: higher daily average user time than Facebook, Snapchat, and Instagram.

Daily time spent by the average iOS user (chart, source: SensorTower): Pokémon Go 33 mins, Facebook 22 mins, Snapchat 18 mins, Twitter 17 mins, Instagram 15 mins, Slither 10 mins.

An unusual start: Pokémon Go breaking all mobile gaming records globally. Time to reach 100 million users worldwide (chart): 1 month (estimated) for Pokémon Go, launched in 2016, against 4.5, 7, 16 and 75 years for earlier products launched in 2004, 1900, 1879 and 1878 (the product names did not survive extraction).

Page 44

Cisco Cloudlock: Cloud Access Security Broker (CASB) covering identities, data and apps

Page 45

CASB: API access (cloud to cloud)

Diagram: Cloudlock connects to cloud apps through their public APIs and integrates with Cisco NGFW / Umbrella, covering managed and unmanaged users, devices and networks.

Page 46

Cloudlock has over 70 pre-defined policies

- PII: SIN/ID numbers, driver license numbers, passport numbers
- Education: inappropriate content, student loan application information, FERPA compliance
- General: email addresses, IP addresses, passwords / login information
- PHI: HIPAA, health identification numbers (global), medical prescriptions
- PCI: credit card numbers, bank account numbers, SWIFT codes

Page 47

Cloudlock provides automated response actions

Detect → Alert (admin/users) → Security workflows → Response actions → API integrations

Page 48

Cisco Cloudlock differentiators

- Smartest intelligence: CyberLab, crowd-sourced community trust ratings
- Proven track record: deployed at over 700 organizations and supporting deployments of over 750,000 users
- FedRAMP In Process: the only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization
- Cisco ecosystem: integrated, architectural approach to security; vendor viability
- Cloud-native: full value instantly, no disruption

Page 49

Why Cisco Cloud Security?

Page 50

Why customers love Cisco cloud security

- Most effective protection
- Simplest to deploy and manage
- Most open platform
- Most reliable

Page 51

Real customer results

Umbrella:
- "Deployed to 30,000 employees in less than 60 minutes"
- "Reduced infections by 98%... saved 1.7 months of user downtime per year"
- "Cut incident response time by 25-30%"

Cloudlock:
- "Reduced public exposure by 62% in one day"
- "Intelligently reduced OAuth-connected apps by 34% in one week"
- "Deployed to 125,000 employees in less than 5 minutes"

Page 52

Try Umbrella and Cloudlock today.

Tackle ransomware and other threats with Umbrella; enable the secure use of the cloud with Cloudlock.

Page 53

Thank you.