Emerging Threats

Transcript Emerging Threats

Emerging Threats:
Cisco Security Intelligence Operations
Jeff Shipley
Cisco Security Research and Operations
© 2011 Cisco and/or its affiliates. All rights reserved.
Cisco Public
1
Cisco Security Intelligence Operations
Cyber Risk Highlights and Emerging Threats for 2010-2011
Recommendations
Who Are We, What Do We Know, and How Do We Know?
Cisco Security Intelligence Operations
Protect the Customer : Protect the Company
• Cisco Security Intelligence Operations, including: Global Threat Operations Centers; IntelliShield Threat and Vulnerability Analysis; Managed Services and IPS; SensorBase and SenderBase analysts; Corporate Security Programs Office; Global Policy & Government Affairs
• Global in scope
• Encompasses network, content, physical and geopolitical security
Cisco Security Intelligence Operations
[Diagram: where the intelligence comes from. Internal Cisco sources: Cisco TOCs, Cisco ScanSafe, Cisco RMS, Cisco CSPO, Cisco IronPort, Cisco Applied Intelligence, Cisco PSIRT, Cisco IPS, physical security, Internal Security Operations, Internal Security Research. External sources: NIST, ISACs, CERTs, SANS, FIRST, incident response groups, Full Disclosure, BugTraq, OSVDB, external security researchers and research groups.]
What We Watch: Seven Categories of Cyber Risk
1. Cyber Vulnerabilities and Threats
2. Physical
3. Legal
4. Trust
5. Identity
6. Human
7. Geopolitical
Risk = Vulnerability x Threat x Impact
What and Where are the Current Threats? Our Top Ten
• Botnets (Toolkits)
• Web Exploits: SQL Injection / Cross-site Scripting
• Data and Intellectual Property Theft
• Malicious Business Documents (PDF, Office)
• Social Networks / Web 2.0
• Cloud and Virtualization
• Implied and Transient Trust (Social networks, Web)
• Open Wireless Networks
• Denial of Service Attacks (DoS / DDoS)
• IPv6/DNSSEC Deployments
Cybercrime Industry
[Diagram: the cybercrime value chain, with the flow of money running from the developers on the left to the end value on the right.]
Developers: tool and toolkit writers; malware writers (worms, viruses, Trojans, spyware)
First Stage Abusers: hacker / direct attack; bot-net creation; machine harvesting; information harvesting; compromised hosts and applications
Middle Men: bot-net management (for rent, for lease, for sale); spammers / affiliates; phishers; pharmers / DNS poisoning; information brokerage (personal information); internal theft (abuse of privilege)
Second Stage Abusers: theft; extortionist / DDoS-for-hire; espionage (corporate / government); identity theft; financial fraud; electronic IP leakage
End Value: fame; extorted pay-offs; commercial sales; fraudulent sales; click-through revenue
$$$ Flow of Money $$$
[Timeline, 2000 to 2011: public awareness of notable malware over time: ILOVEYOU, CODE RED, SLAMMER, MY DOOM, STORM, ZeuS, Conficker, Rustock.C, Koobface, Stuxnet, SpyEye.]
• Malware UP 272%
• SQL Attacks UP 350%
• DoS Attacks UP 43%
• Phishing UP ~30%
• Spam DOWN 20%
• Business and network expansion
• Risk to privacy, identity, trust, IP protection
• Small World relationships
• The criminals are already there: Koobface, false security warnings, TinyURLs, transient trust, anonymized data reconstruction, compromised accounts, 'Like'-jacking
• Policy and user awareness: users are there, organizations are still trying to catch up
• Who is the customer? (Schneier)
The fake "Robin Sage" Twitter account was intended to attract highly placed officials within government and security. "Apps are the criminals' eyes."
• Traditional phishing is still in use, but limited
• Spear-phishing: targeted phishing aimed at IT admins, specific job roles, specific companies
• Whaling: phishing attempts specifically targeting a high-value target, such as C-level execs
• Mobile Devices:
Symbian attacks had limited success; smartphone attacks are more about exploiting the apps and users, haven't targeted OS vulnerabilities yet, and malware development is limited (Zitmo – ZeuS in the Mobile)
• VoIP Abuse:
Brute-force attacks on public PBXs, call intercepts and voicemail boxes, 'vishing'*, use of the phone as a network access point to jump VLANs, insider fraud, DDoS of VoIP services.
*vishing: social engineering using voice-call phishing, usually for financial gain or sensitive information.
Scammers trick social network users into “liking” an intriguing
Facebook page, allowing the scammers to see user profiles.
App Stores and Download Security Models
Apple – tightly controlled
RIM – tightly controlled
Microsoft - proprietary controlled
Android – Wide open, few checks, open operating system
Third Party sites: no guarantees
• Advance Fee Fraud:
Nigerian 419, Black Money... any and every scam involving the advancing of real money for promised returns
• Pharma Spam:
Very popular with spam botnets; buying drugs at very low cost, illegal in the host country, snake oil
• Spyware/Scareware:
'You are infected', but 'we can fix it.' Fake AV was the top money maker for criminals in 2009 and 2010
• Click Redirect Fraud (and 'Like'-jacking):
Harvests web form input, account information, credit cards, personal information
• Web Exploits:
iFrame injection, compromised advertisement feeds, malicious JavaScript, search engine optimization (SEO) poisoning, and toolkits that make the injected code easier to hide
• Data Theft Trojans:
ZeuS/SpyEye is still the king, with steadily improving toolkits; exposure of the source code will likely spur even more activity
• Money Laundering:
The criminals' weakest point: cashing out, with methods actively changing
• Web malware encountered tripled in the first half of 2011
• Web searches resulted in 9% of Web malware encounters, with an average of 33% resulting from Google search engine results pages
• Toolkits making it easier: Blackhole, Neosploit, Phoenix and Random JS
• Despite takedowns and 'vacations', top botnets reinvent, reshape, and retool.
• Shifting botnet activity: in 2010, the top 10 largest botnets accounted for approximately 47% of all botnet-compromised victims, down from 81% for the 2009 top 10. Smaller and more numerous in 2011 (top 20, top 50?)
• Damballa: eight out of the top 10 botnet operators utilized popular 'off-the-shelf' construction kits. Only the 'TDL/TDSS Gang' and 'Eleonore Downloader Gang' are not known to be using DIY kits.
Vulnerability Trends
• The Apple example: managing open source software
• Few exploits are currently being written for Apple-specific platforms, but exploits do exist for vulnerabilities in the open source components those platforms ship
• This is a largely hidden area of vulnerability for most organizations: the open source components inside a vendor's product rarely appear in the organization's own inventory
• Vendor security is improving: SDLC, coordination between researchers and vendors, responsible and coordinated disclosure
In 2010, Java exploits rose while PDF exploits fell.
• 72.5 million people in the U.S. owned smartphones (+15% quarter over quarter)
• Top smartphone platforms, three months ending March 2011 (share of subscribers):

Platform    DEC 2010   MAR 2011   CHG
Google      28.7%      34.7%      +6.0
RIM         31.6%      27.1%      -4.5
Apple       25.0%      25.5%      +0.5
Microsoft    8.4%       7.5%      -0.9
Palm         3.7%       2.8%      -0.9

• What are they doing?

Activity                                    DEC 2010   MAR 2011   CHG
Sent text message to another phone          68.0%      68.6%      +0.6
Used browser                                36.4%      38.6%      +2.2
Played games                                23.2%      25.7%      +2.5
Used downloaded apps                        34.4%      37.3%      +2.9
Accessed social networking site or blog     24.7%      27.3%      +2.6
Listened to music on mobile phone           15.7%      17.9%      +2.2

Source: comScore Reports, March 2011
1. Sex appeal – it's still the best seller
2. Greed – too good to be true?
3. Vanity – you are special, right?
4. Trust – implied or transient
5. Sloth – don't check, it's probably okay...
6. Compassion – please... donations, lost, need help, any emergency, disaster...
7. Urgency – 'must act now', 'time is running out'...
• The problem of weak, guessable passwords is not a new one, but it isn't going away; in fact, it's getting worse because of reuse
• Secondary authentication has its own weaknesses and can expose the user to phishing (an email account as an authentication factor, secret questions?)
• Too many passwords, and the same password used on multiple web sites
• Multi-factor authentication using device or location, SMS one-time passwords... improving, but heavily dependent on implementation controls
• Implied trust: an individual, business or organization that users are familiar with and implicitly trust: email 'security updates' from major vendors, their banks, government agencies, FedEx/UPS/DHL
• Transient trust: the six degrees of separation / Small World experiment, chain of trust, friend of a friend of a friend... an inherently flawed trust model used on social networks
• Advanced, persistent, and a threat
- This is not your script kiddie's attack
- It is not your typical blended/combined attack
• What is your risk?
- Are you really vulnerable?
- Is it a real threat?
- What is the real impact?
• Throw 'Black Swan' in there too?
• APTs will become more common, and will continue to evolve and increase in sophistication, automation and availability
• Sourced from botnets and attack tools: think DDoS as a Service (DDaaS)
• Diverse targets, disrupting service to millions of customers:
– Cloud computing provider
– Web hosting provider
– Security provider
– DNS registrar
– Telecom provider
• Targeting DNS to amplify attacks
• Not extortion attempts
• LOIC tool – Anonymous/LulzSec
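The "Targeting DNS to amplify attacks" bullet is the one item on this slide a resolver operator can measure directly: the attacker sends small queries carrying the victim's spoofed source address to open resolvers, which answer the victim with responses many times larger. The example below is an added illustration (not Cisco's code and not from the original deck) that summarizes per-client query records from a resolver and flags sources whose aggregate response-to-request byte ratio looks like amplification. The record layout, the thresholds and the sample traffic are constructed assumptions.

```python
"""Flag DNS amplification victims from per-query resolver records. Added example;
record format, thresholds and sample traffic are constructed, not from any product."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    client: str      # source IP of the query; under amplification this is the spoofed victim
    qtype: str       # query type; ANY/TXT give the largest answers
    req_bytes: int   # UDP payload size of the query
    resp_bytes: int  # UDP payload size of the response the resolver sent back


def find_amplification_victims(records, min_queries=20, min_factor=10.0):
    """Group records by client and return those whose traffic looks like amplification.

    A client is reported when it sent at least min_queries queries and the total
    response bytes are at least min_factor times the total request bytes. The
    'client' is the address being hit, not the attacker, which is the point:
    the resolver only ever sees the spoofed source.
    """
    totals = defaultdict(lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0, "any_queries": 0})
    for r in records:
        t = totals[r.client]
        t["queries"] += 1
        t["req_bytes"] += r.req_bytes
        t["resp_bytes"] += r.resp_bytes
        t["any_queries"] += r.qtype == "ANY"

    victims = {}
    for client, t in totals.items():
        factor = t["resp_bytes"] / t["req_bytes"] if t["req_bytes"] else 0.0
        if t["queries"] >= min_queries and factor >= min_factor:
            victims[client] = {**t, "factor": round(factor, 1)}
    return victims


# Constructed traffic sample (documentation-range addresses):
#  - 192.0.2.10 does a handful of normal A lookups
#  - 198.51.100.3 does TXT lookups that are big but not extreme
#  - 203.0.113.5 "sends" 40 ANY queries for a large zone: 60-byte query, 3000-byte answer
SAMPLE_RECORDS = (
    [DnsRecord("192.0.2.10", "A", 45, 120) for _ in range(5)]
    + [DnsRecord("198.51.100.3", "TXT", 50, 400) for _ in range(25)]
    + [DnsRecord("203.0.113.5", "ANY", 60, 3000) for _ in range(40)]
)

if __name__ == "__main__":
    for client, info in find_amplification_victims(SAMPLE_RECORDS).items():
        print(f"{client}: {info['queries']} queries, x{info['factor']} amplification, "
              f"{info['any_queries']} ANY, {info['resp_bytes']} bytes sent to it")
```

The detector only tells you whom your resolver is already hurting; the fix on the resolver side is to stop answering recursive queries from the open internet and to rate-limit responses, so that the amplifier the attacker is counting on is not there.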
Threats on the Horizon
• More types of new devices being added to networks
• Diversity of OSs and apps
• New network entry and exit points
• More data in more places
"…software glitches that need to be fixed—are part of the 'new reality' of making complex cell phones in large volumes."
—Jim Balsillie, Co-CEO, Research In Motion
Enable or Limit?
• The corporate network has expanded and is a key platform for growth
• It is also more permeable: remote access, web-based tools, mobile devices
• Essential to today's workforce
• Don't be King Canute (Knud): you can't stop the rising tide
• Borderless networking is real and now, but... true 'federated' security systems are a ways off yet
• Layers of defense and policy enforcement are critical: drop bad traffic as close to the source as possible, but ensure you've got at least a couple of 'last lines of defense'. Identity-based networking can help
• People and processes are key to mitigating risk: user awareness and effective business processes are as important as technology solutions
What to Do?
• Stick to the basics: defense in depth, risk management, incident response, logging/monitoring
• Establish policy, procedures and processes, and enforce them with active controls
• Use your existing technology to its full capabilities
• Protect in both directions: inbound and outbound
• Educate your users and staff
• Stay focused: don't be distracted by the threat du jour
• Strategy, Policy and Procedures
• Security Architecture
• Risk Management
• Holistic Approach
• (Your) Best Practices
• Continuous Monitoring
• Incident Response
• Awareness and Training
• Business Continuity / Disaster Recovery
[Diagram: concentric layers of controls around the Data, Systems and Assets at the core: Physical & Environment; Technical: System/Platform; Technical: Network/Logical; Technical: Application/Service; Administrative; Human/Policy.]
IDS/IPS
AV / anti-malware / anti-spyware
System logs
Application logs
Patch status
Vulnerability scans
DNS logging
Configuration/change management system alerts
Failed logins for privileged accounts
Physical security logs for access to restricted areas
Data Loss Prevention data
Remote access logs
Network device logs
Account monitoring:
- Locked out
- Disabled
- Terminated personnel
- Transferred personnel
- Dormant accounts
- Passwords that have reached the maximum password age
- Passwords that never expire
Outbound traffic, including large transfers of data, unencrypted or encrypted
Port scans
Network access control lists and firewall rule sets
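The account-monitoring and failed-login items in the list above are easy to automate. The script below is an added example (not Cisco's code, and not from the original deck): it reviews a constructed directory export for dormant accounts and stale or non-expiring passwords, and counts failed SSH logins for privileged accounts from constructed sshd-style log lines. The record layout, the 90-day thresholds, the log format and the sample data are all assumptions.

```python
"""Review accounts for dormancy / password-age policy and count failed privileged
logins. Added example; the account export, log lines and thresholds are constructed."""
import re
from collections import Counter
from datetime import datetime

NOW = datetime(2011, 6, 30)  # fixed clock so the sample is reproducible

# Constructed directory export: (name, privileged, last_login, password_set, never_expires, disabled)
ACCOUNTS = [
    ("alice",      True,  "2011-06-29", "2011-05-01", False, False),
    ("svc_backup", True,  "2011-06-30", "2009-01-15", True,  False),
    ("bob",        False, "2011-02-10", "2011-03-01", False, False),
    ("carol",      False, "2011-06-28", "2011-01-02", False, False),
    ("dave",       False, "2010-12-01", "2010-11-20", False, True),
]

# Constructed sshd-style lines (documentation-range addresses).
AUTH_LOG = """\
Jun 30 01:12:01 bastion sshd[2210]: Failed password for root from 198.51.100.23 port 50122 ssh2
Jun 30 01:12:05 bastion sshd[2210]: Failed password for root from 198.51.100.23 port 50123 ssh2
Jun 30 01:12:09 bastion sshd[2210]: Failed password for root from 198.51.100.23 port 50124 ssh2
Jun 30 01:12:14 bastion sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 50125 ssh2
Jun 30 02:40:51 bastion sshd[2315]: Failed password for alice from 192.0.2.44 port 40001 ssh2
Jun 30 02:41:20 bastion sshd[2316]: Accepted password for alice from 192.0.2.44 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def _days_since(date_str, now):
    return (now - datetime.strptime(date_str, "%Y-%m-%d")).days


def review_accounts(accounts, now=NOW, dormant_days=90, max_age_days=90):
    """Return (name, issue) pairs for enabled accounts that breach the policy."""
    findings = []
    for name, _priv, last_login, pwd_set, never_expires, disabled in accounts:
        if disabled:
            continue  # belongs on the 'disabled' list, not here
        if _days_since(last_login, now) > dormant_days:
            findings.append((name, "dormant"))
        if never_expires:
            findings.append((name, "password never expires"))
        elif _days_since(pwd_set, now) > max_age_days:
            findings.append((name, "password past max age"))
    return findings


def failed_privileged_logins(log_text, privileged, threshold=3):
    """Map (user, source ip) -> failure count for privileged users at or over threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m and m.group("user") in privileged:
            counts[(m.group("user"), m.group("ip"))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


# Privileged set: flagged directory accounts plus the local superuser.
PRIVILEGED = {name for name, priv, *_ in ACCOUNTS if priv} | {"root"}

if __name__ == "__main__":
    for name, issue in review_accounts(ACCOUNTS):
        print(f"account {name}: {issue}")
    for (user, ip), n in failed_privileged_logins(AUTH_LOG, PRIVILEGED).items():
        print(f"{n} failed logins for privileged user {user} from {ip}")
```

Note the service account: it logged in today, so a dormancy check alone would pass it, and it is only the never-expires flag that surfaces a password set in 2009. That is why the slide lists both checks rather than one.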
• Secure the browsers: www.us-cert.gov/reading_room/securing_browser/
• Manage passwords: use the available tools
• Manage your mobile devices and users: password, encryption, remote management
• Establish social network privacy settings
• Avoid free and public Wi-Fi connections
Thank You
visit us for more at
www.cisco.com/security