ICT Security – Kladovo, May 2015: Network event visibility as the basis of a protection system (slide transcript)
Network event visibility as the basis of a protection system
Dejan Spasić, B.Sc.E.E., IT Security Department Executive Manager, CCIE #15476 Service, [email protected]
ICT Security – Kladovo, May 2015
MDS Informatički inženjering – ICT Security Kladovo 2015
Cyber crime – a global phenomenon
Who are the attackers?
• Hacktivists – service disruption – DDoS
– Web site defacement
• Hackers / cyber criminals: – sophisticated phishing attacks
– APT (Advanced Persistent Threat)
– Web site defacement
• Activities at the national (state) level?
Attack techniques
• Web-based attacks
• Malicious software – distributed via mail and web services
• DDoS – distributed DoS attacks
• Insider threats
• Theft
Trends
• Average time to detect an attack: 205 days
• 69% of incidents detected by external partners
• Publicly disclosed cases of major incidents (Target – data on 40 million credit cards, Cryptolocker, Sony – PlayStation Network, data theft)
Source: M-Trends® 2015: A VIEW FROM THE FRONT LINES
Statistics
Integration of SourceFire technology
• CONTEXT IS EVERYTHING – complete analytics of events and network traffic
Cisco LIVE: Martin Roesch – Cisco and Sourcefire: A Threat-Centric Security Approach (BRKSEC-2761)
“Context gives me the ability to discriminate my security events, to select easily from the thousands of events I get to the ten events that actually matter.”
Sourcefire NGIPS customer
“Context enables me to set access controls that make sense. I can select which users can access which public resources based on their job function.”
Sourcefire NGFW customer
Cisco FirePower – Concept
(Diagram labels: OS & version identified; server applications and versions; client software; which host; client versions; application)
Comment on slide 8 (b10 – braca, 3/5/2015): "or software-defined networks"
System architecture
• Management Center
– Central management
– Policy definition
– Event analysis, correlation
– Network map (users, devices, hosts, applications)
– Panels – Dashboard vs Context Explorer
• Hardware
– Cisco ASA with FirePower services
– Cisco FirePower (SourceFire appliances)
• Services
– IPS – dynamic policy enforcement
– Web Security
– AMP (Advanced Malware Protection)
– Cisco TALOS Security Intelligence and Research Group
Event processing (diagram): FirePower devices generate events (IPS, Malware, File, Access Control, Intelligence, Discovery, Flow), which are processed in the FirePower Management Center
Indication of Compromise
• Attack cycle: Reconnaissance → Weaponization → Delivery → Exploitation → C2 → Lateral Movement → Exfiltration
Source: Intrusion Along the Kill Chain, SANS Digital Forensics
• Correlation of events, indication of host compromise
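The slide states the idea behind an indication of compromise: individual events (an IPS alert, a blocked file, a connection to a known C2 server) are noise on their own, but when several of them land on the same host and map onto successive kill-chain stages, the host itself becomes the finding. The following Python script is an added illustration of that correlation and is not code from the presentation or from Cisco FirePower; the mapping of event sources and categories to kill-chain stages, the threshold stage and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict

# Kill-chain stages in the order the slide lists them (Intrusion Along the Kill Chain, SANS).
KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "C2", "Lateral Movement", "Exfiltration",
]

# Assumed mapping from (event source, event category) to a kill-chain stage.
# The sources mirror the event types named on the architecture slide (IPS, Malware,
# Intelligence, Discovery); the category names are constructed for this example.
STAGE_OF = {
    ("ips", "scan"): "Reconnaissance",
    ("malware", "file-detected"): "Delivery",
    ("ips", "exploit-attempt"): "Exploitation",
    ("intelligence", "c2-server"): "C2",
    ("discovery", "new-internal-connection"): "Lateral Movement",
    ("ips", "data-upload"): "Exfiltration",
}

# First stage at which activity counts as evidence of compromise rather than of an attempt.
COMPROMISE_THRESHOLD = "Exploitation"

# Constructed sample events: timestamp, target host, event source, event category.
SAMPLE_EVENTS = [
    {"ts": "2015-05-01T08:00:00", "host": "10.0.0.15", "source": "ips", "category": "scan"},
    {"ts": "2015-05-01T08:05:00", "host": "10.0.0.21", "source": "malware", "category": "file-detected"},
    {"ts": "2015-05-01T08:06:00", "host": "10.0.0.21", "source": "ips", "category": "exploit-attempt"},
    {"ts": "2015-05-01T08:09:00", "host": "10.0.0.21", "source": "intelligence", "category": "c2-server"},
    {"ts": "2015-05-01T08:11:00", "host": "10.0.0.33", "source": "ips", "category": "exploit-attempt"},
    {"ts": "2015-05-01T08:12:00", "host": "10.0.0.33", "source": "access-control", "category": "allowed"},
]


def stage_index(stage):
    return KILL_CHAIN.index(stage)


def correlate(events):
    """Group events per host, map each to a kill-chain stage and raise an indication
    of compromise for hosts whose furthest observed stage is at or beyond
    COMPROMISE_THRESHOLD. Returns {host: summary} for flagged hosts only."""
    per_host = defaultdict(list)
    for ev in events:
        stage = STAGE_OF.get((ev["source"], ev["category"]))
        if stage is None:
            continue  # event type carries no kill-chain meaning for this correlation
        per_host[ev["host"]].append((ev["ts"], stage))

    iocs = {}
    for host, hits in per_host.items():
        stages = sorted({s for _, s in hits}, key=stage_index)
        furthest = stages[-1]
        if stage_index(furthest) >= stage_index(COMPROMISE_THRESHOLD):
            iocs[host] = {
                "furthest_stage": furthest,
                "stages": stages,
                "first_seen": min(ts for ts, _ in hits),
                "last_seen": max(ts for ts, _ in hits),
                "event_count": len(hits),
            }
    return iocs


if __name__ == "__main__":
    for host, ioc in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, ioc["furthest_stage"], " -> ".join(ioc["stages"]))
```

With the sample data the host that was only scanned produces nothing, while the host with a delivered file, an exploit attempt and a C2 contact is reported with C2 as its furthest stage; the single exploit attempt against the third host is still reported, because the threshold is the stage, not the number of events.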
Advanced Malware Protection
• Real-time protection (Point-in-Time Protection)
• Continuous analysis (Retrospective Security)
• Support for various systems
Protection system architecture
Recap
• Context – visibility of traffic and events
• Dynamic IPS tuning, AMP, IoC
• New security architecture based on the phases of a cyber attack – Before, During, After
• NSS Labs – FirePower at the top for effectiveness and TCO
Network event visibility as the basis of a protection system
Thank you for your attention!
ICT Security – Kladovo, May 2015
FirePower delivers visibility

| Category | Examples | FirePower | Typical IPS | Typical NGFW |
|---|---|---|---|---|
| Threats | Attacks, Anomalies | ✔ | ✔ | ✔ |
| Users | AD, LDAP, POP3 | ✔ | ✗ | ✔ |
| Web Applications | Facebook Chat, Ebay | ✔ | ✗ | ✔ |
| Application Protocols | HTTP, SMTP, SSH | ✔ | ✗ | ✔ |
| File Transfers | PDF, Office, EXE, JAR | ✔ | ✗ | ✔ |
| Malware | Conficker, Flame | ✔ | ✗ | ✗ |
| Command & Control Servers | C&C Security Intelligence | ✔ | ✗ | ✗ |
| Client Applications | Firefox, IE6, BitTorrent | ✔ | ✗ | ✗ |
| Network Servers | Apache 2.3.1, IIS4 | ✔ | ✗ | ✗ |
| Operating Systems | Windows, Linux | ✔ | ✗ | ✗ |
| Routers & Switches | Cisco, Nortel, Wireless | ✔ | ✗ | ✗ |
| Mobile Devices | iPhone, Android, Jail | ✔ | ✗ | ✗ |
| Printers | HP, Xerox, Canon | ✔ | ✗ | ✗ |
| VoIP Phones | Avaya, Polycom | ✔ | ✗ | ✗ |
| Virtual Machines | VMware, Xen, RHEV | ✔ | ✗ | ✗ |
Impact Assessment
Correlates every intrusion event with the impact of the attack against its target:

| Impact flag | Administrator action | Why |
|---|---|---|
| 1 | Act immediately, vulnerable | Event corresponds to a vulnerability mapped to the host |
| 2 | Investigate, potentially vulnerable | Relevant port open or protocol in use, but no vulnerability mapped |
| 3 | Good to know, currently not vulnerable | Relevant port not open or protocol not in use |
| 4 | Good to know, unknown target | Monitored network, but unknown host |
| 0 | Good to know, unknown network | Unmonitored network |
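The impact flag is what turns "thousands of events" into the ten that matter: the same IPS signature is rated differently depending on what network discovery knows about the target. The Python script below is an added example of that decision logic and is not code from the presentation or from Cisco FirePower; the host profiles, the monitored network range, the vulnerability labels (VULN-EXAMPLE-1 is a constructed placeholder, not a real identifier) and the sample events are all assumptions made for the example. It applies the five rules of the table in order and then sorts events in the table's row order for triage.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Administrator action per impact flag, as listed in the table above.
ACTIONS = {
    1: "Act immediately, vulnerable",
    2: "Investigate, potentially vulnerable",
    3: "Good to know, currently not vulnerable",
    4: "Good to know, unknown target",
    0: "Good to know, unknown network",
}
# Triage order: the table's row order, most urgent first.
PRIORITY = [1, 2, 3, 4, 0]


@dataclass(frozen=True)
class HostProfile:
    """What network discovery knows about a host (constructed for this example)."""
    ip: str
    open_ports: frozenset   # (transport, port) pairs seen open, e.g. ("tcp", 80)
    protocols: frozenset    # application protocols seen in use, e.g. "http"
    vulns: frozenset        # vulnerability labels mapped to the host (constructed labels)


@dataclass(frozen=True)
class IntrusionEvent:
    """An IPS event: where it was aimed and which vulnerabilities the rule targets."""
    rule: str
    dst_ip: str
    transport: str
    dst_port: int
    app_protocol: str
    vulns: frozenset


# Assumed monitored range and discovered hosts (constructed sample data).
MONITORED = [ip_network("10.0.0.0/24")]
HOSTS = {
    "10.0.0.10": HostProfile("10.0.0.10", frozenset({("tcp", 80), ("tcp", 22)}),
                             frozenset({"http", "ssh"}), frozenset({"VULN-EXAMPLE-1"})),
    "10.0.0.20": HostProfile("10.0.0.20", frozenset({("tcp", 443)}),
                             frozenset({"https"}), frozenset()),
}


def impact_flag(event, hosts=HOSTS, monitored=MONITORED):
    """Apply the table's rules top-down and return the impact flag for one event."""
    addr = ip_address(event.dst_ip)
    if not any(addr in net for net in monitored):
        return 0  # unmonitored network
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4  # monitored network, but unknown host
    if event.vulns & host.vulns:
        return 1  # event matches a vulnerability mapped to the host
    if (event.transport, event.dst_port) in host.open_ports or event.app_protocol in host.protocols:
        return 2  # port open or protocol in use, but no vulnerability mapped
    return 3      # port not open and protocol not in use


def triage(events, hosts=HOSTS, monitored=MONITORED):
    """Return (flag, action, rule, dst_ip) tuples, most urgent first."""
    rows = [(impact_flag(e, hosts, monitored), e) for e in events]
    rows.sort(key=lambda r: PRIORITY.index(r[0]))
    return [(flag, ACTIONS[flag], e.rule, e.dst_ip) for flag, e in rows]


# Constructed sample events; the expected flag is noted on each line.
SAMPLE_EVENTS = [
    IntrusionEvent("web-rce-signature", "10.0.0.20", "tcp", 80, "http", frozenset({"VULN-EXAMPLE-1"})),  # 3
    IntrusionEvent("ssh-bruteforce", "10.0.0.10", "tcp", 22, "ssh", frozenset()),                        # 2
    IntrusionEvent("web-rce-signature", "10.0.0.10", "tcp", 80, "http", frozenset({"VULN-EXAMPLE-1"})),  # 1
    IntrusionEvent("smb-probe", "10.0.0.99", "tcp", 445, "smb", frozenset()),                            # 4
    IntrusionEvent("smb-probe", "192.168.5.5", "tcp", 445, "smb", frozenset()),                          # 0
]

if __name__ == "__main__":
    for flag, action, rule, dst in triage(SAMPLE_EVENTS):
        print(f"impact {flag}: {action:40s} {rule} -> {dst}")
```

The same web signature appears twice in the sample: against the host with the matching vulnerability it becomes flag 1, against the host that does not even serve HTTP it drops to flag 3. That difference is exactly the context the discovery data supplies, and it only works while the host map is kept current.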
Context Explorer in action
(Screenshot labels: OS & version identified; server applications and versions; client software; which host; client versions; application; user identification and the other systems on which the same user was identified)