bloquer les attaques de nouvelle génération avec les solutions de sécurité web de cisco

1 C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Les techniques de Cybersécurité

Frédéric HER Christophe SARRAZIN

Consultant Sécurité, Europe du Sud

[email protected]

Consultant Sécurité, Europe du Sud

[email protected]

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Le problème actuel

Nouveaux Usages Evolution constante

des menaces

Complexité &

Fragmentation

3

“On ne resout pas un probleme avec les modes de pensee

qui l’ont engendre ”


Le nouveau modèle de sécurité

BEFORE Discover

Enforce

Harden

AFTER Scope

Contain

Remediate

Attack Continuum

Network Endpoint Mobile Virtual Cloud

Detect

Block

Defend

DURING

Point in Time Continuous

5

L’évolution des menaces

Menaces

Réponse

Virus, vers

Spyware / Rootkits

APTs / Cyberware

Surface d’attaques

augmentée (Mobilité & Cloud)

INTELLIGENCE & ANALYSE

Aujourd’hui

REPUTATION & SANDBOXING

2010

SECURITE DU POSTE DE TRAVAIL (AV)

2000

PERIPHERIE RESEAU (IDS/IPS)

2005

6

Défendre avec intelligence : Cisco SIO

Connexion SMTP

légitime?

Contenu malicieux ou non désiré?

Zombies vers des serveurs

CNC?

Actions hostiles ou utilisateurs déviants ?

Contenus malicieux sur le poste de

travail ?

WWW

Reputation Signatures

Signatures

Recherche

sur les

menaces

Domain

Registration

Inspection des

Contenus

Spam Traps,

Honeypots,

Crawlers

Blocklists &

Réputation

Partenariats

Platform-specific Rules & Logic

Cisco Security Intelligence Operations

7

La couverture étendue de Cisco SIO

100TB Security

Intelligenc

e

1.6M Dispositifs

déployés

13B Requêtes

Web

150 000 Micro-

applications

1,000 Application

s

93B Messages

Email

35% Email des

Entreprise

s

5 500 Signatures

IPS

150M Endpoints

Déployés

3-5 min MAJ

5B Connexions

Emails

4.5B Bloquages

d’emails

8

La réputation en action New York Times: victime d’une attaque via une publicité

• Publicité apparemment légitime qui génère en réalité 3 redirections vers des liens web

• Destination finale: protection-check07.com

Faux Anti--Virus

Un pop-up apparaît qui simule un logiciel AV, qui demande à l’utilisateur d’acheter un logiciel pour nettoyer la machine.

Score de Réputation Web : -9.3

Action par défaut : BLOCK

Le site du NYT est bien autorisé

mais la redirection vers le lien

malicieux est bloquée

9

Consolidation des serveurs des pirates Il est très important de connaitre la réputation de ces serveurs

http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html









10

Outbreak Intelligence Des moteurs heuristiques s’ajoutant aux signatures et à la réputation

11

Header

Body of Objects

Cross-Ref Table

Trailer

L’Anti-Virus scanne le

fichier

Nous pensons connaitre la

structure d’un fichier PDF

et à quoi il devrait

ressembler

D’après les signatures,

c’est un fichier sain

12

%PDF-1.4 (version)

%Comments

1 0 obj << /Type /Page >> endobj 2 0 obj << /Type /Action /S /JS >> endobj

xref

trailer

Nous connaissons les choses

qui peuvent être exploitées,

donc les scanlets

décomposent le fichier,

l’analysent et les algorithmes

recherchent les exploitations

malicieuses potentielles

Après inspection nous

trouvons :

• Pas de mots anglais

• Headers incorrects

• Proportion élevée de

contenu Javascript

• Javascript spécifiques

• Fonctions “exploitables”

• Autres indicateurs

OI prend la décision que ce

fichier est potentiellement

dangereux


Outbreak Intelligence contre Signature Detection

13

• Ce graphique montre la part quotidienne de menaces bloquées par OI et par les signatures AV traditionnelles

• En 2013, 22% des malware provenant d’Internet ont été bloquées par Cisco Outbreak Intelligence avant que des signatures ne soient disponibles

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

01-janv.-13 01-févr.-13 01-mars-13 01-avr.-13 01-mai-13 01-juin-13 01-juil.-13 01-août-13 01-sept.-13 01-oct.-13 01-nov.-13 01-déc.-13

Bloquages quotidiens, 2013 (Source: Cisco Cloud Web Security)

Signature Outbreak Intelligence™

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14 14

Cisco AMP


1.6 million global sensors

100 TB of data received per day

150 million+ deployed endpoints

600+ engineers, technicians,

and researchers

35% worldwide email traffic

13 billion web requests

24x7x365 operations

40+ languages

Cisco SIO + Sourcefire VRT Collective security intelligence for the Broadest Visibility on the Internet

10I000 0II0 00 0III000 II1010011 101 1100001 110

110000III000III0 I00I II0I III0011 0110011 101000 0110 00

I00I III0I III00II 0II00II I0I000 0110 00

180,000+ File Samples per Day

FireAMP™ Community

Advanced Microsoft

and Industry Disclosures

Snort and ClamAV Open Source Communities

Honeypots

Sourcefire AEGIS™ Program

Private and Public Threat Feeds

Dynamic Analysis

101000 0II0 00 0III000 III0I00II II II0000I II0

1100001110001III0 I00I II0I III00II 0II00II 101000 0110 00

100I II0I III00II 0II00II I0I000 0II0 00 Cisco®

SIO

Sourcefire

VRT®

(Vulnerability

Research Team)

Cisco Collective

Security Intelligence

Email Endpoints Web Networks IPS Devices

WWW


Amp : Reputation Filtering and Behavioral Detection

(Sha-256) (Sanboxing) (Hash +

détails)

(Structural information

Referred DLLs

PE header)

(VRT

Correlation) (AV) (Network Monitoring)


Actual Disposition = Bad = Blocked

Antivirus

Sandboxing

Initial Disposition = Clean

Point-in-time Detection

Retrospective Detection,

Analysis Continues

Initial Disposition = Clean

Cisco- Sourcefire

Blind to scope of

compromise

Sleep Techniques

Unknown Protocols

Encryption

Polymorphism

Actual Disposition = Bad = Too Late!!

Turns back time

Visibility and

Control are Key

Not 100%

Analysis Stops

Beyond the Event Horizon


• Trajectory – Determine scope by tracking malware in

motion and activity

• File Trajectory – Visibility across organization, centering

on a given file

• Device Trajectory – Deep visibility into file activity on a

single system

Retrospective Security Always Watching… Never Forgets… Turns Back Time

• Continuous Analysis - Retrospective detection of malware beyond

event horizon


File Trajectory

• What systems were infected?

• Who was infected first (“patient 0”) and when did it happen?

• What was the entry point?

• When did it happen?

• What else did it bring in?

Looks ACROSS the organization and answers:

Quickly understand the scope of malware problem

Network

+

Endpoint


An unknown file is present

on IP: 10.4.10.183, having

been downloaded from

Firefox

At 10:57, the unknown file is

from IP 10.4.10.183 to IP:

10.5.11.8

Seven hours later the file is

then transferred to a third

device (10.3.4.51) using an

SMB application

The file is copied yet to a

fourth device (10.5.60.66)

through the same SMB

application a half hour later

The Cisco Collective Security

Intelligence Cloud has learned

this file is malicious and a

retrospective event is raised for

all four devices immediately.

At the same time, a device with

the FireAMP endpoint connector

reacts to the retrospective event

and immediately stops and

quarantines the newly detected

malware

8 hours after the first attack,

the Malware tries to re-enter

the system through the original

point of entry but is recognized

and blocked.

21

Device Trajectory

• How did the threat get onto the system?

• How bad is my infection on a given device?

• What communications were made?

• What don’t I know?

• What is the chain of events?

Looks DEEP into a device and helps answer:

Endpoint


AMP is context-aware

Data shows the bad and the good

Context helps you decide about the rest


The Power of Continuous Analysis

Point-in-time security sees a

lighter, bullet, cufflink, pen &

cigarette case…

Wouldn’t it be nice to know if

you’re dealing with something

more deadly?


• VRT powered insight into Advanced Malware behavior

• Original file, network capture and screen shots of malware execution

• Understand root cause and remediation

File Analysis

FireAMP & Clients Cisco-Sourcefire

VRT

Sandbox Analysis

Fast and Safe File Forensics

Infected

File

File 4E7E9331D22190F

D41CACFE2FC843

F

Infected

File


D41CACFE2FC843

F

Infected

File


D41CACFE2FC843

F

Advanced malware analysis without advanced investment


1) File Capture

File Extraction and Sandbox Execution

Malware Alert!

2) File Storage

4) Execution Report

Available In Firesight Management

Network Traffic

Collective Security Intelligence

Sandbox

3) Send to Sandbox


• Managed and Deployed from the Cloud

• File Activity (Created/Edit/Move/Execute)

•One-to-One/Spero/Ethos

•Simple and Advanced Custom Detections

• Retrospective Alerting and Quarantine

• Application Control

• Network Flow Correlation

•Black/White Lists

• Dynamic Analysis

AMP Cloud

FireAMP for Endpoints

Windows

Mac OSX Android

27

FireSIGHT

Management Console

ASA with

Sourcefire Sensor

FirePOWER Services on the ASA

File Submitted for

Dynamic Analysis

File Disposition queried

against AMP Cloud

(SHA256, Spero)

- AMP Cloud

- VRT Dynamic Analysis Cloud

Endpoint

Connectors

Windows Mac OSX Android

28

FireSIGHT Management

FireAMP FirePOWER

ASA (NGFW)

ESA

WSA

CWS

Dynamic Analysis

Dynamic Analysis FireAMP Private Cloud (Appliance)

Events /

Correlation

Cloud Connected

On-Premises

Endpoint Network Gateway Sandbox

Cisco has the most comprehensive strategy for Advanced Malware Protection.

AMP Everywhere

29

NSS Labs breach detection systems security value map (Avril 2014)

https://www.nsslabs.com/reports/breach-detection-systems-bds-comparative-analysis-report

30 30

Cisco Email Security

31 C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

L’évolution des menaces provenant de l’Email

Menaces

????

Demain

BAS VOLUMES HAUTE VALEUR $$

Aujourd’hui

VOLUMES ELEVES VALEUR $$ BASSE

Passé

Attaques ciblées

Targeted Phishing

Covert, Sponsored Targeted Attacks

Blended Threats

Advanced Persistent Threats

Phishing

Spam

Attachment-based

Slammer

Worms

Network Evasions Polymorphic Code

Code Red Image Spam

Alertes Virales

Custom URL

Botnets Conficker

Stuxnet


Il y a une grande volatilité Retour à plus de 85% de spams

http://www.senderbase.org/static/spam/#tab=1




33

Pourquoi la réputation est fondamentale Aggrégation et Corrélation de milliards de données dans un seul score


Management

L’architecture de Sécurité Email Cisco

Antivirus & Outbreak Filters

Défense face aux menaces

Antispam

Sécurité des Données

Chiffrement

Data Loss Prevention

Protection Flux Entrants Contrôle des Flux Sortants

http://www.google.com/url?sa=i&rct=j&q=&esrc=s&frm=1&source=images&cd=&cad=rja&docid=sOYtlybfBU6_4M&tbnid=47D4vJHleAPz6M:&ved=0CAUQjRw&url=http://aws.amazon.com/disaster-recovery/&ei=GYt0UbGFL43riQLahYHoAw&bvm=bv.45512109,d.cGE&psig=AFQjCNEUb0tSs-xKIJqrBkniEz0bwoJHdw&ust=1366678669217832


Défense anti-spam à deux niveaux

Bon score: les mails sont délivrés

Score intermédiaire: le

débit est limité et les

messages sont envoyés à

l’anti-spam

• Taux de bloquage : > 99%

• Faux positifs < 1 sur 1

million

Mauvais score: la

connexion TCP est

bloquée et les messages

ne sont pas reçus sur le

réseau

Mails entrants

Bons, mauvais

ou

inconnus/suspici

eux

What

Cisco

Anti-Spam,

IMS

When Who

How Where

Cisco® SIO


Défense anti-virus à deux niveaux

Virus Outbreak Filters Advantage

http://www.senderbase.org

• Temps moyen de protection additionnelle : + de 13h

• Total d’attaques bloquées : 291

• Protection totale incrémentale : + de 157 jours/360 Virus

Filter

Dynamic

Quarantine Cisco® SIO

Virus Outbreak Filters Moteurs Anti-Virus

Détection

Zero Hour

Choix de

moteurs



38

Sécurisation des URL dans les Emails avec Outbreak Filters

Information Update

Dear Mr. Paulo Roberto Borges,

We are contacting you in order to inform about a

mandatory update of your personal data, which is being

conducted after Bank A and Bank B merge. To begin the

update, please click on the link and download the

protection program.

Protection Module 3.0 (2011)

Best regards, Bank A

Bank A

[email protected]

Après

http://www.threatlink.com

Avant

http://secure-web.cisco.com/auth=X&URL=www.threatlink.com

39

Malware

bloqué

http://secure-web.cisco.com…

The requested web page has been blocked

http://www.threatlink.com

Cisco Email and web Security protects your organization’s network

from malicious software. Malware is designed to look like a legitimate

email or website which accesses your computer, hides itself in your

system, and damages files.

Cisco Security

Sécurisation des URL dans les Emails avec Outbreak Filters

40

Outbreak Filters stoppe les attaques Phishing et Mixtes

41

Advanced Malware Protection sur ESA

Cisco® SIO

SenderBase Reputation Filtering

Anti-Spam & Spoofing Prevention

AV Scanning & Advanced Malware Protection

Real-time URL Analysis

Deliver Quarantine Re-write URLs Drop

Drop

Drop/Quarantine

Drop/Quarantine

Quarantine/Re-write


3.5M d’emails bloqués chaque

jour

Emails delivered Emails / mo Emails / day Emails / employee / day %

Attempted 124 M 5.6 M 73

Blocked 77 M 3.5 M 46 63%

Delivered 37 M 1.7 M 22 30%

Delivered, marked

“Marketing”

9 M 0.4 M 5 7%

Email Security - Cisco sur Cisco

Malware

Spam

ESA Blocked Emails Emails* / mo Emails / day Emails / employee / day %

By reputation 73 M 3.3 M 43 94%

By spam content 4.3 M 0.2 M 3 5%

By invalid receipts 0.4 M 0.02 M 0.25 1%


Pourquoi Cisco Email Security ? Gartner Magic Quadrant, Email Security Gateways, 2013

The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and

is reused with permission. The Magic Quadrant is a graphical

representation of a marketplace at and for a specific time

period. It depicts Gartner’s analysis of how certain vendors

measure against criteria for that marketplace, as defined by

Gartner. Gartner does not endorse any vendor product or

service depicted in the Magic Quadrant, and does not advise

technology users to select only those vendors placed in the

"Leaders” quadrant. The Magic Quadrant is intended solely

as a research tool, and is not meant to be a specific guide to

action. Gartner disclaims all warranties, express or implied,

with respect to this research, including any warranties of

merchantability or fitness for a particular purpose.

This Magic Quadrant graphic was published by Gartner, Inc.

as part of a larger research note and should be evaluated in

the context of the entire report. The Gartner report is available

upon request from Cisco.

44 44

Cisco Web Security

45

Cisco Security Intelligence Operations (SIO)

L’architecture de Sécurité Web Cisco

Filtrage URL Application Visibility and Control (AVC)

Data Loss

Prevention (DLP)*

Moniteur de Trafic de Niveau 4

(On-premise)

Défense Anti-Malware

PROTECTION CONTROLE

Management & Reporting Centralisés

WW

W

Autorise

WWW Accès limité

WWW Bloque

WWW

*Third-party DLP integration available on-premises

46

Moniteur de Traffic de Niveau 4 Détection des postes déjà infectés

Utilisateurs

Cisco WSA

Network Layer Analysis

Règles Anti-Malware automatiques

Bloque le trafic malicieux

• Scanne tous les ports et protocoles

• Détecte le malware qui bypasse le port 80

• Empêche les zombies de communiquer avec leur serveur de contrôle

• MAJ automatiques

• Listes de serveurs et adresses IP malicieuses en temps réel

Packet and Header

Inspection

Internet

Disponible sur WSA & et sur ASA en tant que “Botnet Traffic Filter”

47

Défense Anti-Malware à trois niveaux

Bon score: le site est affiché sans être scanné

Score

intermédiaire: les

sites sont scannés

par 1 ou plusieurs

moteurs

Mauvais score: le

site est bloqué

URL’s

demandées

Moteur Anti-

Malware Cisco® SIO Déchiffrement

SSL

basé sur la

catégorie ou

réputation

+ FILE REPUTATION (AMP)

BLOCKED

48

Scan Anti-Malware en temps réel Dynamic Vectoring & Streaming

ANALYSE HEURISTIQUE ET A BASE DE SIGNATURES

• Multi-scanning intelligent

• Bases de signatures multiples

• Déchiffre le trafic SSL si nécessaire

• Scanning en mode streaming pour éviter

les problèmes de latence

• MAJ automatiques

Détection Heuristique Identifie des comportements inhabituels

Anti-malware Scanning

Scans Parallèles, Scanning en mode streaming

Inspection à base de signatures Reconnait les menaces connues

Moteurs anti malware multiples

49

Advanced Malware Protection sur WSA

WWW

Time of Request

Time of Response

Cisco® SIO

URL Filtering

Reputation Filter

Dynamic Content Analysis (DCA)

Signature-based Anti-Malware Engines

Advanced Malware Protection

Block

WWW

Block

WWW

Block

WWW

Allow

WWW Warn

WWW WWW Partial

Block

Block

WWW

Block

WWW

Block

WWW


6.5M de sites malicieux bloqués chaque jour

Web Security Appliance – Cisco sur Cisco

Malware Blocked in One Day: • 441K – Trojan Horse

• 61K - Other Malware

• 29K - Encrypted Files (monitored)

• 16.4K - Adware Messages

• 1K – Trojan Downloaders

• 55 - Phishing URLs

• 22 - Commercial System Monitors

• 5 - Worms

• 3 - Dialers

Cisco Web Traffic Stats:

• 330-360M web visits/day

• 6-7M (2%) blocked

WSA Blocked Transactions:

• 93.5% - Web Reputation

• 4.5% - URL Category

• 2% - Anti-Malware

51

Pourquoi Cisco Web Security? Gartner Magic Quadrant, Web Security Gateways, 2013

The Magic Quadrant is copyrighted 2013 by Gartner, Inc. and

is reused with permission. The Magic Quadrant is a graphical

representation of a marketplace at and for a specific time

period. It depicts Gartner’s analysis of how certain vendors

measure against criteria for that marketplace, as defined by

Gartner. Gartner does not endorse any vendor product or

service depicted in the Magic Quadrant, and does not advise

technology users to select only those vendors placed in the

"Leaders” quadrant. The Magic Quadrant is intended solely

as a research tool, and is not meant to be a specific guide to

action. Gartner disclaims all warranties, express or implied,

with respect to this research, including any warranties of

merchantability or fitness for a particular purpose.

This Magic Quadrant graphic was published by Gartner, Inc.

as part of a larger research note and should be evaluated in

the context of the entire report. The Gartner report is available

upon request from Cisco.

bloquer les attaques de nouvelle génération avec les solutions de sécurité web de cisco

Technology

cisco andor

cisco amp

cisco confidential 1c97

languages cisco sio

rputation web

signatures ips

dfendre avec intelligence

b requtes web