See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your...


Page 1: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business

© 2012 Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

See No Evil, Speak No Evil, Hear Plenty About Evil: Using Visibility and Intelligence to Secure your Business

Darren Anstee

Solutions Architect Team Leader, Arbor Networks

Page 2: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Stuxnet (Cyberwar)

Flame

Sony

LulzSec

Anonymous

Banking Attacks

Aurora

Shamoon

The New Global & Advanced Threat Landscape

Advanced Security Threats

Multi-Stage Multi-Vector

Page 3: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Advanced Threats – Overview


• What Are They?

‒ Target a specific organisation or vertical over a period of time to achieve a specific goal

‒ Co-ordinated activity & resources within the attacking entity

‒ Use new, modified and / or combinations of attack vectors & methodologies to avoid & evade detection and achieve goal

• Are They (Really) New?

‒ No, they are just focused & resourced hacking.

‒ Goals are varied but have not changed – service disruption, data or IP theft, fraud.

‒ Motivations include industrial or state sponsored espionage, organised crime, ideological hacktivism, competitive advantage

Page 4: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Advanced Threats – DDoS is Just One Attack Vector


• Aimed at disrupting an organisation's online presence or service

‒ A broad spread of organisations is reliant on the Internet to sell products, offer services or access cloud-based data and applications.

• Common features

‒ Organized DDoS 'campaigns'

‒ No longer JUST packet blasts

‒ Combinations of sophisticated and unsophisticated attack tools

• Goal can be disruption or distraction

‒ Wide range of motivations

[Chart: DDoS Attack Motivations (source: Arbor Worldwide Infrastructure Security Report, 8th annual). Categories shown: Political/ideological disputes; Online gaming-related; Nihilism/vandalism; Unknown; Demonstrating capability; Social networking-related; Inter-personal/inter-group r...; Misconfiguration/accidental; Competitive rivalry; Diversion; Criminal extortion attempts; Flash crowds; Financial market manipula...; Intra-criminal disputes.]

Page 5: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Advanced Threats – DDoS Evolution

[Chart: x axis 2005 to 2012; y axis Attack Scale (Gbps) with ticks 1, 10, 100, 1000; second label Attack Complexity. Attacks and tools plotted: Crafted State Exhaustion; Slowloris; LOIC & Variants; ApacheKiller; RefRef; Multi-vector; HTTP GET / POST Floods; Malformed HTTP; THC-SSL; DC++; Multi-vector ++; Kamikaze / Brobot / Amos; RUDY.]

Page 6: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Advanced Threats – DDoS Evolution


• Big rise in proportion of WISR respondents seeing multi-vector attacks

‒ Up from 27% (2011) to 45.8% (2012)

‒ Most effective attacks target limitations in network perimeter & cloud based defenses

‒ Hardest to mitigate and generally require layered defenses

[Chart: Multi-Vector Attacks Observed By Respondent (source: Arbor Worldwide Infrastructure Security Report, 8th annual); legend: Yes / No / Don't Know.]

Page 7: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Advanced Threats – Multi-Stage, Multi-Vector DDoS

• Izz ad-Din al-Qassam Cyber Fighters attacks on the US financial sector in Q4 2012

• Compromised PHP, WordPress, & Joomla servers

• Multiple concurrent attack vectors

‒ GET and POST app layer attacks on HTTP and HTTPS

‒ DNS query app layer attack

‒ Floods on UDP, TCP SYN floods, ICMP & other IP protocols

• Unique characteristics of the attacks

‒ Very high packet per second rates per individual source

‒ Attacks on multiple companies in same vertical

‒ Real-time monitoring of effectiveness

‒ Agility in modifying attack vectors when mitigated
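As an added example that is not part of the original deck, the following Python script turns the characteristics listed above into a detection heuristic over constructed per-second flow summaries. The record format, the documentation-range IP addresses and both thresholds are assumptions. It buckets each record into a vector (HTTP/HTTPS GET and POST, DNS query, UDP flood, TCP SYN flood, ICMP), counts how many distinct vectors hit one destination within the same second, and lists the sources whose packet rate exceeds a per-source threshold.

```python
"""Multi-vector DDoS indicator check over constructed flow summaries (added example).

Each record is a per-second aggregate for one (source, destination, vector),
the kind of summary a flow collector emits. Vector buckets follow the slide:
HTTP/HTTPS GET and POST, DNS query, UDP flood, TCP SYN flood, ICMP.
"""
from collections import defaultdict

# Constructed sample records (documentation-range addresses, not real traffic):
# (second, src_ip, dst_ip, proto, dst_port, tcp_flags, packets_in_second, http_method)
SAMPLE_FLOWS = [
    (100, "198.51.100.10", "203.0.113.5", "tcp", 80, "PA", 3500, "GET"),
    (100, "198.51.100.11", "203.0.113.5", "tcp", 443, "PA", 2800, "POST"),
    (100, "198.51.100.12", "203.0.113.5", "udp", 53, "", 90000, None),
    (100, "198.51.100.13", "203.0.113.5", "tcp", 80, "S", 120000, None),
    (100, "198.51.100.14", "203.0.113.5", "icmp", 0, "", 45000, None),
    (100, "192.0.2.7", "203.0.113.5", "tcp", 443, "PA", 12, "GET"),  # ordinary client
    (101, "192.0.2.8", "203.0.113.9", "tcp", 80, "PA", 9, "GET"),    # unrelated host
]


def classify_vector(proto, dst_port, tcp_flags, http_method):
    """Map one flow summary onto a vector bucket."""
    if proto == "tcp" and tcp_flags == "S":
        return "tcp_syn"
    if proto == "tcp" and http_method in ("GET", "POST"):
        scheme = "https" if dst_port == 443 else "http"
        return "%s_%s" % (scheme, http_method.lower())
    if proto == "udp" and dst_port == 53:
        return "dns_query"
    if proto == "udp":
        return "udp_flood"
    if proto == "icmp":
        return "icmp"
    return "other"


def analyse(flows, pps_per_source=10000, min_vectors=3):
    """Summarise per destination.

    Returns {dst: {"vectors": [...], "max_concurrent": int,
                   "high_pps_sources": [...], "multi_vector": bool}}.
    The pps and vector-count thresholds are assumptions chosen for the sample.
    """
    vectors_per_second = defaultdict(set)   # (dst, second) -> vectors seen
    vectors_per_dst = defaultdict(set)      # dst -> all vectors seen
    high_pps = defaultdict(set)             # dst -> sources above threshold
    for second, src, dst, proto, port, flags, packets, method in flows:
        vec = classify_vector(proto, port, flags, method)
        vectors_per_second[(dst, second)].add(vec)
        vectors_per_dst[dst].add(vec)
        if packets >= pps_per_source:
            high_pps[dst].add(src)
    report = {}
    for dst, vecs in vectors_per_dst.items():
        # Concurrency: the largest number of distinct vectors seen in any one second
        concurrent = max(len(v) for (d, _), v in vectors_per_second.items() if d == dst)
        report[dst] = {
            "vectors": sorted(vecs),
            "max_concurrent": concurrent,
            "high_pps_sources": sorted(high_pps[dst]),
            "multi_vector": concurrent >= min_vectors,
        }
    return report


if __name__ == "__main__":
    for dst, summary in analyse(SAMPLE_FLOWS).items():
        print(dst, summary)
```

The per-second grouping is what distinguishes a concurrent multi-vector campaign from a target that merely sees different vectors at different times; in production the records would come from a flow collector rather than the inline list.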

Page 8: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Advanced Threats – Advanced Persistent Threats (APTs)

• APT is the Hot Topic in Information Security

‒ Aurora (2009) brought the term into the mainstream

‒ They actually incorporate a number of threats

• APT have Common Features

‒ Defined goal, not opportunistic

‒ Stealthy infiltration, horizontal propagation

‒ Obfuscate trail, to ensure continued compromise

‒ Multiple tools / tactics used throughout campaign

‒ Significant resources required over an extended period

• APT Component Parts: Are They Advanced?

‒ Many are off the shelf malware dev kits, though some malware is built from the ground up

‒ Spear phishing & social engineering

‒ Drop an infected key in the car park / smoking area, etc.

Page 9: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


APT Attack Targets & Methodology

• Who are the targets?

‒ Governments

Economic offices, military, diplomatic corps, etc. – anyone working overseas. Outside government contractors, advisors (e.g. academic scholars)

‒ Private sector & commercial

Multinational businesses – aerospace, energy, pharmaceutical, finance, technology,

‒ 21.7% of respondents to the WISR survey experienced an APT of some kind on their non-service-providing networks in 2012

‒ But over 50% are concerned they might be targeted in the next 12 months

[Chart: Corporate Network Security Concerns (source: Arbor Worldwide Infrastructure Security Report, 8th annual); axis 0.00% to 60.00%.]

Page 10: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Recent APT Malware & Attack Examples

• Xtreme RAT – 2012

‒ Remote Access Trojan (RAT) that allowed remote users to steal data from malware-infected machines. The spear-phishing e-mails targeted US and Israeli government institutions.

• Shamoon – 2012

‒ Malware executable spread using network shared drives; corrupts files and wipes device boot blocks at a specified date.

‒ A group named "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 Saudi Aramco workstations, causing the company to spend a week restoring its services.

Page 11: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Advanced Threats – Multi-Stage, Multi-Vector Attack Example

LulzSec, an offshoot of the Anonymous collective, launched a DDoS attack using Low Orbit Ion Cannon (LOIC) that camouflaged a data breach of up to 100 million customers.

Sony estimates more than $170M (USD) in losses due to the attack, while stock analysts expect losses greater than $1B. The hackers were caught and pleaded guilty.

Page 12: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


How Should We Defend Ourselves?

• Broad and deep visibility are needed to understand attack traffic and malware behaviors.

‒ We need to be able to SEE what is happening outside and inside our networks.

• Research based actionable intelligence and reputation information are needed.

‒ We need to HEAR about what is going on out there, so that we can leverage the research capabilities within the industry to protect ourselves.

• Intelligent, pinpoint mitigation and detailed forensics

‒ We need to stop threats to protect the availability of our on-line presence / access, and ensure that entities within our networks cannot export data or contact known bad actors.
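The three needs above (see what leaves the network, hear about known bad actors, stop data export) can be combined in one small egress check. The Python below is an added example, not the deck's or Arbor's code; the log format, the indicator list, the export threshold, the documentation-range addresses and the example domains are all assumptions. It parses outbound connection records, matches destinations against a reputation feed, sums bytes sent per internal host and flags hosts that exceed an export volume threshold.

```python
"""Known-bad-actor and data-export check over constructed egress logs (added example).

The log format, the indicator list and the threshold are all assumptions;
the addresses are documentation ranges and the domains are example names.
"""
import re
from collections import defaultdict

# Constructed reputation feed (placeholder indicators, not real IoCs)
BAD_IPS = {"198.51.100.200"}
BAD_DOMAINS = {"c2.example.net"}

# Constructed outbound connection log (invented key=value format)
SAMPLE_LOG = """\
2012-11-03T10:15:02Z src=10.1.2.3 dst=198.51.100.200 dport=443 bytes_out=1540
2012-11-03T10:15:05Z src=10.1.2.3 dst=203.0.113.44 dport=443 bytes_out=734003200 host=files.example.org
2012-11-03T10:15:09Z src=10.1.2.9 dst=192.0.2.80 dport=80 bytes_out=812 host=www.example.com
2012-11-03T10:16:11Z src=10.1.2.9 dst=192.0.2.81 dport=443 bytes_out=2210 host=c2.example.net
2012-11-03T10:16:12Z src=10.1.2.9 dst=192.0.2.81 dport=443 bytes_out=2210 host=c2.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes_out=(?P<bytes>\d+)(?: host=(?P<host>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def check_egress(log_text, bad_ips, bad_domains, export_threshold=500 * 1024 * 1024):
    """Per internal source: contacts with known-bad indicators and total bytes sent out.

    Returns {src: {"bad_contacts": [(ts, indicator), ...],
                   "bytes_out": int, "large_export": bool}}.
    The 500 MiB threshold is an assumption for the sample, not a published value.
    """
    per_src = defaultdict(lambda: {"bad_contacts": [], "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src[rec["src"]]
        entry["bytes_out"] += rec["bytes"]
        # Match on destination IP first, then on the requested host name if present
        if rec["dst"] in bad_ips:
            entry["bad_contacts"].append((rec["ts"], rec["dst"]))
        elif rec["host"] in bad_domains:
            entry["bad_contacts"].append((rec["ts"], rec["host"]))
    for entry in per_src.values():
        entry["large_export"] = entry["bytes_out"] >= export_threshold
    return dict(per_src)


if __name__ == "__main__":
    for src, summary in check_egress(SAMPLE_LOG, BAD_IPS, BAD_DOMAINS).items():
        print(src, summary)
```

Matching both the destination address and the requested host name matters because a command-and-control domain may resolve to addresses that are not yet in the feed; the volume check is independent of the feed and catches bulk export to destinations with no reputation at all.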

Page 13: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


The Solution to Stop Advanced Threats

Internet & Enterprise Visibility

Security Intelligence

Threat Protection

A World-Class Research Team (ASERT) Analysing the World’s Internet Traffic (ATLAS) to Stop Emerging Advanced Threats

Know the Network Find the Threat Protect the Business

Built on Global Network Visibility & Security Intelligence

Page 14: See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business


Arbor’s Enterprise Solution Overview

Arbor Pravail Products

DDoS Protection & Cloud Signaling

Inbound Botnet Blocking (AIF)

Activity Based Detection (ATF)

Behavioral Based Detection

Identity Tracking & Forensics

Application Intelligence

Advanced Threat Landscape

DDoS

Botnets

Advanced Malware (0-Day, Stealthy)

Insider Threats to Steal Data

Mobile Devices & BYOD

Dynamic Applications

Availability Protection: Stop inbound DDoS attacks as well as botnets

Security Intelligence: Visibility and intelligence to monitor and identify misuse of critical applications and sensitive systems

Network Situational Awareness: Risk profiling of threats and alerts with intelligence to understand the context of the activity that created the alert

Arbor’s Enterprise Products are Designed for Today’s Advanced Threat Landscape