Emerging Threats: Cisco Security Intelligence Operations
Jeff Shipley, Cisco Security Research and Operations

Agenda
• Cisco Security Intelligence Operations
• Cyber Risk Highlights and Emerging Threats for 2010-2011
• Recommendations

Who Are We, What Do We Know, and How Do We Know?
Cisco Security Intelligence Operations: Protect the Customer, Protect the Company
• Cisco Security Intelligence Operations includes:
  • Global Threat Operations Centers
  • IntelliShield Threat and Vulnerability Analysis
  • Managed Services and IPS
  • SensorBase and SenderBase Analysts
  • Corporate Security Programs Office, Global Policy & Government Affairs
• Global in scope
• Encompasses network, content, physical and geopolitical security
Figure: Cisco Security Intelligence Operations draws on four groups of sources: Internal Security Operations, Incident Response Groups, Internal Security Research and External Security Research. Sources shown in the diagram: NIST, ISACs, Cisco IronPort, Cisco ScanSafe, Cisco RMS, Cisco TOCs, Physical, CERTs, SANS, FIRST, Cisco CSPO, Cisco Applied Intelligence, Full Disclosure, Researchers, BugTraq, Cisco PSIRT, OSVDB, Cisco IPS.
What We Watch: Seven Categories of Cyber Risk
• Cyber Vulnerabilities and Threat
• Physical
• Legal
• Trust
• Identity
• Human
• Geopolitical
Risk = Vulnerability x Threat x Impact
Our Top Ten
1. Botnets (Toolkits)
2. Web Exploits: SQL Injection / Cross-site Scripting
3. Data and Intellectual Property Theft
4. Malicious Business Documents (PDF, Office)
5. Social Networks / Web 2.0
6. Cloud and Virtualization
7. Implied and Transient Trust (Social networks, Web)
8. Open Wireless Networks
9. Denial of Service Attacks (DoS / DDoS)
10. IPv6/DNSSEC Deployments
$$$ Flow of Money $$$: Cybercrime Industry Today
Figure: a flow diagram with the columns First Stage Abusers, Second Stage Abusers, Developers, Middle Men and End Value. Elements shown: Hacker / Direct Attack; Tool and Toolkit Writers; Fame; Compromised Host and Application Theft; Malware Writers; Espionage (Corporate/Government); Extortionist/DDoS-for-Hire; Machine Harvesting; Bot-Net Creation; Worms; Extorted Pay-Offs; Spammers/Affiliates; Viruses; Bot-Net Management: For Rent, for Lease, for Sale; Commercial Sales; Trojans; Phishers; Fraudulent Sales; Information Harvesting; Personal Information; Spyware; Pharmer/DNS Poisoning; Click-Through Revenue; Information Brokerage; Financial Fraud; Internal Theft: Abuse of Privilege; Identity Theft; Electronic IP Leakage.
Reducing the Noise Level
Figure: timeline of public awareness from 2000 to 2011, marking ILOVEYOU, Code Red, Slammer, MyDoom, Storm, ZeuS, Conficker, Rustock.C, Koobface, Stuxnet and SpyEye.
2011 Q2 Global Threat Trends
• Malware UP 272%
• SQL Attacks UP 350%
• DoS Attacks UP 43%
• Phishing UP ~30%
• Spam DOWN 20%
Social Networking: Opportunity and Vulnerability
• Business and network expansion
• Risk to Privacy, Identity, Trust, IP protection
• Small World relationships
• The criminals are already there: Koobface, false security warnings, tinyurls, transient trust, anonymized data reconstruction, compromised accounts, ‘Like’ jacking
• Policy and User Awareness: users are there, organizations are still trying to catch up
• Who is the customer? (Schneier)
Fake Profiles and Applications
The fake “Robin Sage” Twitter account was intended to attract highly placed officials within government and security.
“Apps are the criminals’ eyes”
Phishing and Variants
• Traditional phishing still in use, but limited
• Spear-phishing: targeted phishing
  - IT Admins
  - Specific job roles
  - Specific companies
• Whaling: phishing attempts specifically targeting a high-value target
  - C-level execs
Cybercrime ROI: Potentials
• Mobile Devices: Symbian attacks had limited success; smartphone attacks are more about exploiting the apps and users, haven’t targeted OS vulnerabilities yet; limited malware development (Zitmo – ZeuS in the Mobile)
• VoIP Abuse: brute-force attacks on public PBXs, intercepts and mailboxes, ‘vishing’*, network access point to jump VLANs, insider fraud. DDoS of VoIP services.
*vishing: social engineering using voice-call phishing, usually for financial gain or sensitive information.
Spamming Gets Social, and Mobile
Scammers trick social network users into “liking” an intriguing Facebook page, allowing the scammers to see user profiles.
‘Apps’ are the Criminals’ Eyes
App Stores and Download Security Models
• Apple – tightly controlled
• RIM – tightly controlled
• Microsoft – proprietary controlled
• Android – wide open, few checks, open operating system
• Third-party sites: no guarantees
ROI Cash Cows: Oldies, but Goodies
• Advance Fee Fraud: Nigerian 419, Black Money… any and every scam involving the advancing of real money for promised returns
• Pharma Spam: very popular with spam botnets; purchasing drugs at very low cost, illegal in host country, snake oil
• Spyware/Scareware: ‘You are infected’, but ‘we can fix it.’ Fake AV was the 2009 and 2010 top money maker for criminals
• Click Redirect Fraud (and ‘Like’ jacking): web forms, account information, credit cards, personal information
ROI Stars
• Web Exploits: iFrame injection, compromised advertisement feeds, JavaScript, search engine optimization, toolkits making it easier to hide
• Data Theft Trojans: ZeuS/SpyEye is still the king, and improving toolkits. Code exposure will likely spur even more activity
• Money Laundering: the criminals’ weakest point; actively changing methods, cashing out
Web Malware
• Web malware encounters tripled in the first half of 2011
• Web searches resulted in 9% of Web malware encounters, with an average of 33% resulting from Google search engine results pages
• Toolkits making it easier: Blackhole, Neosploit, Phoenix and Random JS
Criminals’ #1 Tool: Botnet Trends
• Despite takedowns and ‘vacations’, top botnets reinvent, reshape, and retool.
• Shifting botnet activity: in 2010, the Top 10 largest botnets accounted for approximately 47% of all botnet-compromised victims, down from 81% for the 2009 Top 10. Smaller and more numerous in 2011 (Top 20, 50?)
• Damballa: eight out of the Top 10 botnet operators utilized popular “off-the-shelf” construction kits. Only the “TDL/TDSS Gang” and “Eleonore Downloader Gang” are not known to be using DIY kits.
Annual Vendor Vulnerabilities
• The Apple example: managing open source software
  • Few exploits are currently being created for Apple-specific platforms, but exploits are being created for the open source vulnerabilities
  • This is a totally hidden area of vulnerability for most organizations
• Vendor security improving: SDLC, researcher and vendor coordination, responsible and coordinated disclosure
Favoring Java: Going Cross-Platform
In 2010, Java exploits rose while PDF exploits fell.
U.S. Smartphone Usage
• 72.5 million people in the U.S. used mobile devices (+15% Q/Q)
• Top Smartphone Platforms, ending MAR 2011 (CHG in percentage points):

  Platform     DEC 2010   MAR 2011   CHG
  Google         28.7%      34.7%   +6.0
  RIM            31.6%      27.1%   -4.5
  Apple          25.0%      25.5%   +0.5
  Microsoft       8.4%       7.5%   -0.9
  Palm            3.7%       2.8%   -0.9

• What are they doing? (CHG in percentage points)

  Activity                                   DEC 2010   MAR 2011   CHG
  Sent text message to another phone           68.0%      68.6%   +0.6
  Used browser                                 36.4%      38.6%   +2.2
  Played games                                 23.2%      25.7%   +2.5
  Used downloaded apps                         34.4%      37.3%   +2.9
  Accessed social networking site or blog      24.7%      27.3%   +2.9
  Listened to music on mobile phone            15.7%      17.9%   +2.2

Source: comScore Reports, March 2011
Social Engineering: 7 Human Weaknesses
1. Sex Appeal – it’s still the best seller
2. Greed – too good to be true?
3. Vanity – you are special, right?
4. Trust – implied or transient
5. Sloth – don’t check, it’s probably okay…
6. Compassion – please… donations, lost, need help, any emergency, disaster…
7. Urgency – ‘must act now’, ‘time is running out’…
Passwords: Access and Authentication
• The problem of weak, guessable passwords is not a new one, but it isn’t going away; in fact, it’s getting worse due to reuse
• Secondary authentication has its own weaknesses and could open the user to being phished (email account as authentication factor, secret questions?)
• Too many passwords, and using the same password on multiple web sites
• Multi-factor authentication using device or location, SMS one-time passwords… improving, but heavily dependent on implementation controls
Trust: Implied and Transient
• Implied Trust: an individual, business or organization that users are familiar with and implicitly trust: email security updates from major vendors, their banks, government agencies, FedEx/UPS/DHL
• Transient Trust: the six degrees of separation / Small World Experiment, chain of trust, friend of a friend, of a friend… an inherently flawed trust model used on social networks
"Advanced Persistent Threats" • Advanced, persistent, and a threat • - This is not your script kiddies attack • - It is not you typical blended/combined attack • What is your risk? • - Are you really vulnerable? • - Is it a real threat? • - What is the real impact? • Throw “Black Swan” in there too? • APT’s will become more common, continue to evolve, increase in sophistication, automation and availability
Distributed Denial of Service Attacks
• Sourced from botnets and attack tools – think DDoS as a Service (DDaaS)
• Diverse targets, disrupting service to millions of customers:
  • Cloud computing provider
  • Web hosting provider
  • Security provider
  • DNS registrar
  • Telecom provider
• Targeting DNS to amplify attacks
• Not extortion attempts
• LOIC tool – Anonymous/LulzSec
Productivity Technologies
• More types of new devices being added to networks
• Diversity of OSs and apps
• New network entry and exit points
• More data in more places
“…software glitches that need to be fixed—are part of the 'new reality' of making complex cell phones in large volumes.” —Jim Balsillie, Co-CEO, Research In Motion
Productivity Technologies: Enable or Limit?
• Corporate network has expanded and is a key platform for growth
• Also more permeable:
  • Remote access
  • Web-based tools
  • Mobile devices
• Essential to today’s workforce
• Don’t be King Canute (Knud): you can’t stop the rising tide
Distributed Workforce
• Borderless networking is real and now, but…
• True “federated” security systems are a ways off yet
• Layers of defense and policy enforcement are critical
• Drop bad traffic as close to the source as possible, but ensure you’ve got at least a couple of “last lines of defense”
• Identity-based networking can help
• People and processes are key to mitigating risk
• User awareness and effective business processes are as important as technology solutions
Things You Can Do - Corp
• Stick to the basics: defense in depth, risk management, incident response, logging/monitoring
• Establish policy, procedures and processes, and enforce them with active controls
• Use your existing technology to its full capabilities
• Protect in both directions: inbound and outbound
• Educate your users and staff
• Stay focused: don’t be distracted by the threat du jour
Cyber Security Strategy
• Strategy, Policy and Procedures
• Security Architecture
• Risk Management
• Holistic Approach
• (Your) Best Practices
• Continuous Monitoring
• Incident Response
• Awareness and Training
• Business Continuity / Disaster Recovery
Defense in Depth Security Controls
Figure: concentric layers of controls around the Data, Systems and Assets at the center: Physical & Environment; Technical – System/Platform; Technical – Network/Logical; Technical – Application/Service; Administrative – Human/Policy.
Security is not binary, it’s percentages.
Continuous Monitoring: FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics / SANS Control #6
• IDS/IPS
• AV/Anti-Malware/Anti-Spyware
• System logs
• Application logs
• Patch status
• Vulnerability scans
• DNS logging
• Configuration/change management system alerts
• Failed logins for privileged accounts
• Physical security logs for access to restricted areas
• Data Loss Prevention data
• Remote access logs
• Network device logs
• Account monitoring:
  • Locked out
  • Disabled
  • Terminated personnel
  • Transferred personnel
  • Dormant accounts
  • Passwords that have reached the maximum password age
  • Passwords that never expire
• Outbound traffic, including large transfers of data, unencrypted or encrypted
• Port scans
• Network access control lists and firewall rule sets
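As an added example (not from the slides or any Cisco tool), the account-monitoring and privileged-account items in the list above can be checked automatically: the Python below runs the dormant-account, maximum-password-age, never-expires, terminated-but-still-enabled and failed-privileged-login checks over a constructed account inventory and constructed auth log lines. The field names, log format, review date and thresholds are all assumptions made for the example.

```python
from collections import Counter
from datetime import date
import re
# Thresholds are assumptions for this example, not figures from the slides.
DORMANT_DAYS = 90
MAX_PW_AGE_DAYS = 90
FAILED_LOGIN_THRESHOLD = 3
TODAY = date(2011, 6, 30)  # constructed review date
# Constructed sample account inventory; field names are hypothetical, not any real product's.
ACCOUNTS = [
    {"user": "asmith", "privileged": True, "enabled": True, "hr_status": "active",
     "last_login": date(2011, 6, 28), "pw_set": date(2009, 1, 15), "pw_never_expires": True},
    {"user": "bjones", "privileged": False, "enabled": True, "hr_status": "terminated",
     "last_login": date(2011, 3, 1), "pw_set": date(2011, 2, 1), "pw_never_expires": False},
    {"user": "ctran", "privileged": False, "enabled": True, "hr_status": "active",
     "last_login": date(2010, 12, 1), "pw_set": date(2011, 3, 1), "pw_never_expires": False},
]
# Constructed auth log lines in a simple syslog-like format (also an assumption).
AUTH_LOG = """\
2011-06-30T08:01:02 sshd FAILED user=asmith src=10.1.2.3
2011-06-30T08:01:09 sshd FAILED user=asmith src=10.1.2.3
2011-06-30T08:01:15 sshd FAILED user=asmith src=10.1.2.3
2011-06-30T08:01:21 sshd FAILED user=asmith src=10.1.2.3
2011-06-30T08:06:44 sshd FAILED user=ctran src=10.1.2.9
""".splitlines()
FAILED_RE = re.compile(r"\bFAILED user=(\S+)")


def review_accounts(accounts, today):
    """Apply the account-monitoring checks; returns {finding: [users]}."""
    findings = {"dormant": [], "password_max_age": [],
                "password_never_expires": [], "terminated_still_enabled": []}
    for a in accounts:
        if a["hr_status"] in ("terminated", "transferred") and a["enabled"]:
            findings["terminated_still_enabled"].append(a["user"])
        if not a["enabled"] or a["hr_status"] != "active":
            continue  # the remaining checks apply to active, enabled accounts
        if (today - a["last_login"]).days > DORMANT_DAYS:
            findings["dormant"].append(a["user"])
        if a["pw_never_expires"]:
            findings["password_never_expires"].append(a["user"])
        elif (today - a["pw_set"]).days > MAX_PW_AGE_DAYS:
            findings["password_max_age"].append(a["user"])
    return findings


def failed_privileged_logins(log_lines, accounts, threshold=FAILED_LOGIN_THRESHOLD):
    """Count failed logins per privileged user; return users at or above threshold."""
    privileged = {a["user"] for a in accounts if a["privileged"]}
    counts = Counter(m.group(1) for line in log_lines
                     if (m := FAILED_RE.search(line)) and m.group(1) in privileged)
    return {user: n for user, n in counts.items() if n >= threshold}
```

Run against the constructed data, the review flags ctran as dormant and past maximum password age, asmith for a never-expiring password, bjones as terminated but still enabled, and asmith again for four failed privileged logins.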
Things You Can Do - Users
• Secure the browsers: www.us-cert.gov/reading_room/securing_browser/
• Manage passwords
• Use the available tools
• Manage your mobile devices and users: password, encryption, remote management
• Establish social network privacy settings
• Avoid free and public Wi-Fi connections