BRKSEC-2001
TRANSCRIPT
© 2008, Cisco Systems, Inc. All rights reserved. Cisco Public. 14330_04_2008_c1

Emerging Threats
BRKSEC-2001
Agenda
What? Where? Why?
Trends
Year in Review
Case Studies
Threats on the Horizon
Threat Containment
What? Where? Why?
What? Where? Why?
What is a Threat? A warning sign of possible trouble
Where are Threats? Everywhere you can, and more importantly cannot, think of
Why are there Threats? The almighty dollar (or euro, etc.); the underground cybercrime industry is growing with each year
Examples of Attacks
Targeted Hacking
Malware Outbreaks
Economic Espionage
Intellectual Property Theft or Loss
Network Access Abuse
Theft of IT Resources
Where Can I Get Attacked?
Users
Applications
Network Services
Operating System
Attacks can land anywhere and everywhere, at any of these layers
Operational Evolution of Threats
[Figure: threat evolution runs from Emerging Threat to Unresolved Threat to Nuisance Threat, plotted against reaction, operational burden and support burden. As a threat matures, mitigation technology evolves from a human "in the loop" manual process to an automated response; policy and process definition moves from a reactive process through a socialized process to a formalized process; and end-user awareness moves from no end-user knowledge, to "help-desk" aware (know enough to call), to end users who are increasingly self-reliant.]
Operational Evolution of Threats (continued)
[Same figure, annotated: unresolved and nuisance threats are the largest volume of problems and the focus of most day-to-day security operations; emerging threats are the "new", unknown, or problems we haven't solved yet.]
Why?
Fame: not so much anymore (more on this with Trends)
Money: the root of all evil... (more on this with the Year in Review)
War: a battlefront just as real as the air, land, and sea
Trends
Trends
Evolution of Hacker Motivation
No longer the Lone Hacker
The Cybercrime Industry
Hosting Services
Designer Malcode
BotNets
Spyware
Phishing
Fast Flux
Evolution of Motivation
[Figure: timeline 2002 to 2008. Motivation shifts from fame, to money, to business. Major media events marked on the timeline: SQL Slammer (2003); Netsky, Bagle and MyDoom (2004); Zotob (2005).]
Evolution of Motivation
Fame is not all it's cracked up to be. To make money effectively and without detection you need to be unknown
People are prepared for what they know
No Longer the Lone Hacker
Hackers are forming development teams to work on creating malicious code
Highly intelligent individuals are collaborating to create new viruses and other malicious code
Software development tools for handling large projects are being used
Development is not unlike normal software development in the IT industry
The shared information and talents of many very skilled hackers working together are more dangerous than any one of them working alone
The Cybercrime Industry
Group develops custom malcode
Custom malcode is made available for purchase
ISP administrators are paid to host malicious code on sites that they control
Malcode collects usernames and passwords as well as credit card numbers
Credit card numbers and usernames and passwords are for sale
Cybercrime Industry: In the Past
[Figure: a three-stage chain.
Writers: tool and toolkit writers; malware writers (worms, viruses, trojans)
Asset: compromise of an individual host or application; compromise of an environment
End value: fame; theft; espionage (corporate/government)]
Cybercrime Industry: Today
[Figure: a five-stage chain, with $$$ flow of money $$$ running back along it.
Writers: tool and toolkit writers; malware writers (worms, viruses, trojans, spyware)
First stage abusers: machine harvesting; information harvesting; hacker/direct attack; internal theft: abuse of privilege
Middle men: bot-net creation; bot-net management: for rent, for lease, for sale; information brokerage (personal information, electronic IP leakage, compromised host and application)
Second stage abusers: spammer; phisher; extortionist/DDoS-for-hire; pharmer/DNS poisoning; identity theft
End value: financial fraud; commercial sales; fraudulent sales; click-through revenue; espionage (corporate/government); fame; extorted pay-offs; theft]
Cybercrime Industry: Hosting Services
Hosting services are for sale as part of the total package
Hosting sites can hold a database of collected information
Hosting sites can serve as a sales portal for individuals wishing to purchase stolen information
Standard rates for data sales are being established
Designer Malcode
Malcode that is designed to bypass virus scanners is made for sale
Malcode is designed to collect information and upload it to a database
Backup malcode is also available to replace the active malcode once it begins to be detected by virus scanners
Malcode is designed to be very difficult to reverse engineer or to determine its functionality, making it harder to detect and harder to trace where the data is being sent
“Noise” Level
[Figure: "noise" level (public awareness) against time, 2000 to 2008, for large-scale worms and for targeted attacks.]
Cyber Crime Profit Level
[Figure: illicit dollars gained against time, 2000 to 2008, for large-scale worms and for targeted attacks.]
Botnets
Botnet: A collection of compromised machines running programs under a common command and control infrastructure
Building the Botnet: Viruses, worms; infected spam; drive-by downloads; etc.
Controlling the Botnet: a covert channel of some form; typically IRC or a custom IRC-like channel
Historically have used free DNS hosting services to point bots to the IRC server
Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems
Control services increasingly placed on compromised high-speed machines (e.g. in academic institutions)
Redundant systems and blind connects are implemented for resiliency
Further Example as a Case Study
Source: www.wikipedia.com
Using a Botnet to Send Spam
1. A botnet operator propagates bots by viruses, worms, spam, and malicious websites
2. The PCs log into an IRC server or other communications medium
3. A spammer purchases access to the botnet from the operator
4. The spammer sends instructions via the IRC server to the infected PCs...
5. ...causing them to send out spam messages to mail servers
Source: www.wikipedia.com
What about Spyware?
Still a major threat. Drive-by downloads are still a major source of infestation
ActiveX vulnerabilities in particular enable this
However, confusing or misleading EULAs are still a problem
A Trojan by any other name: spyware is increasingly indistinguishable from other forms of malware
Nasty arms race: the sheer number of variants makes it very difficult for technology solutions to hit 100% accuracy at a given moment
Rise of intelligent spyware: directed advertising is more valuable than undirected
More sophisticated spyware matches user-gathered data with directed advertising
Bot-based spyware is also more valuable, as it can be updated over time
Phishing, Pharming, and Identity Theft
[Figure: three ways a user ends up at "MUNDO-BANK.COM". Regular online banking: the user resolves mundo-bank.com and reaches the genuine server (172.168.1.1 in the diagram). Phishing: an unsolicited message says "Come see us at www.mundo-bank.com", but the link behind it points at the attacker's server (172.168.254.254). Pharming: the user types the real name, but a hosts file entry (mundo-bank.com = 172.168.254.254) or DNS poisoning resolves it to the attacker's server.]
Identity theft continues to be a problem
Phishing scams growing in sophistication every day
Protecting your users: implement some technology, but don’t forget user education!!
If you’re a target:
Consider “personalization” technologies (e.g. user-chosen images on a webpage)
Support identified mail initiatives, like DKIM
Fast Flux
Malicious IP addresses change quickly
Botnets are the new DNS servers
Very low time to live (TTL) on the A record
Infected hosts acting as DNS servers
Traditional DNS-based security measures (blocking the IP address a hostname currently resolves to) are no longer effective
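The low-TTL, many-address pattern described above can be checked against a resolver's own logs. The block below is an added example, not code from the presentation: it summarises a constructed A-record history per domain and flags a domain whose minimum TTL is short and whose answers are spread over many addresses in several /16 networks. The thresholds, the /16 "network spread" heuristic and the domain names are assumptions chosen for illustration.

```python
"""Flag fast-flux-style DNS behaviour from a history of A-record answers.

Added example (not code from the presentation). The answer history is a
constructed sample of what a resolver log or passive-DNS collector would
return; the thresholds and the /16 "network spread" heuristic are
assumptions chosen for illustration.
"""
from ipaddress import ip_network

# (query time in seconds, domain, answer IP, TTL); constructed sample data.
# "flux.example" rotates through many addresses in several networks with a
# tiny TTL; "static.example" answers with one address and a day-long TTL.
SAMPLE_ANSWERS = [
    (0,    "flux.example",   "203.0.113.10",  300),
    (300,  "flux.example",   "198.51.100.7",  300),
    (600,  "flux.example",   "192.0.2.44",    300),
    (900,  "flux.example",   "203.0.113.77",  300),
    (1200, "flux.example",   "198.51.100.9",  300),
    (1500, "flux.example",   "192.0.2.130",   300),
    (0,    "static.example", "192.0.2.1",     86400),
    (3600, "static.example", "192.0.2.1",     86400),
    (7200, "static.example", "192.0.2.1",     86400),
]


def analyse(answers, max_ttl=900, min_ips=5, min_prefixes=3):
    """Summarise each domain's answers and flag fast-flux candidates.

    A domain is flagged when its lowest TTL is at or below max_ttl AND it
    answered with at least min_ips distinct addresses spread over at least
    min_prefixes distinct /16 networks. The network-spread test separates
    a botnet's scattered residential hosts from a legitimately load-balanced
    pool that sits in one provider's address block.
    """
    per_domain = {}
    for _when, domain, ip, ttl in answers:
        entry = per_domain.setdefault(
            domain, {"ips": set(), "prefixes": set(), "min_ttl": ttl})
        entry["ips"].add(ip)
        entry["prefixes"].add(str(ip_network(f"{ip}/16", strict=False)))
        entry["min_ttl"] = min(entry["min_ttl"], ttl)

    report = {}
    for domain, entry in per_domain.items():
        report[domain] = {
            "min_ttl": entry["min_ttl"],
            "distinct_ips": len(entry["ips"]),
            "distinct_prefixes": len(entry["prefixes"]),
            "suspicious": (entry["min_ttl"] <= max_ttl
                           and len(entry["ips"]) >= min_ips
                           and len(entry["prefixes"]) >= min_prefixes),
        }
    return report


if __name__ == "__main__":
    for domain, summary in analyse(SAMPLE_ANSWERS).items():
        print(domain, summary)
```

A content delivery network also combines short TTLs with many addresses, so treat a hit as something to corroborate (for example, whether the hosts returned sit in consumer broadband space, or whether the name's NS records rotate the same way) rather than as a verdict.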
What Does this Mean?
People utilizing the emerging threats of today want them to stay unknown
What you don’t hear about is what you should be concerned about
Intelligence is important
Year in Review
2007 as a Year
Security fad: Month of Bugs. Fuzzers offer a tremendous way to find vulnerabilities
Application vulnerabilities up 17% from 2006, according to Cisco IntelliShield
Botnet control channels up 57% from 2006, according to ShadowServer.org
1,200 new websites per day hosting malware, according to MessageLabs
2007 as a Year
Global spam up 50% from 2006, with a considerable uptick in the types of spam attachment, according to IronPort
One unique phishing scam every 2 minutes in 2007, according to PhishTank
Over 10 targeted malcode attacks per day, up from 1 per day in 2006, according to MessageLabs
163 million records with personal data compromised in 2007, up from 48 million in 2006, according to Attrition.org
Fuzzers in Action—Month of Bugs
Trend started in mid-2006 with the Month of Browser Bugs
Jan ’07—Month of Apple Bugs (MoAB)
Mar ’07—Month of PHP Bugs (MoPB)
April ’07—Month of MySpace Bugs (MoMYB)
May ’07—Month of ActiveX Bugs (MoAXB)
June ’07—Month of Search Engine Bugs (MoSEB)
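A mutation fuzzer is simpler than the Month-of-Bugs list makes it sound. The block below is an added example, not code from any of those projects: a toy length-prefixed record parser with a deliberately unchecked length (the format and the bug are constructed for illustration), a hardened version of the same parser, and a seeded byte-mutation loop that finds the crash in the first and nothing in the second.

```python
"""Minimal mutation fuzzer run against a toy parser, vulnerable and fixed.

Added example; the record format, the bug and the fuzzer are all constructed
for illustration and are not taken from any "Month of Bugs" project.
Format under test: a stream of [length byte][payload][0x00 marker] records.
"""
import random


def parse_records(data: bytes) -> list:
    """Vulnerable parser: trusts the length byte.

    Constructed bug: the marker byte is read at an offset computed from the
    untrusted length, so a length larger than the data actually present
    makes the parser read past the end of the buffer (IndexError here; in C
    this would be an out-of-bounds read).
    """
    records = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        payload = data[pos + 1:pos + 1 + length]
        marker = data[pos + 1 + length]          # BUG: unchecked offset
        records.append((payload, marker))
        pos += 2 + length
    return records


def parse_records_safe(data: bytes) -> list:
    """Hardened parser: rejects a record whose payload or marker is missing."""
    records = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        end = pos + 1 + length                   # index of the marker byte
        if end >= len(data):
            raise ValueError(f"truncated record at offset {pos}")
        records.append((data[pos + 1:end], data[end]))
        pos = end + 1
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, delete or insert a byte."""
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Mutate the seed repeatedly and collect inputs that crash the parser.

    ValueError is the parser's documented way of rejecting bad input and is
    not counted as a crash; anything else (here, IndexError) is.
    Returns {(exception type, message): first input that triggered it}.
    """
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue
        except Exception as exc:                 # every other exception is a finding
            crashes.setdefault((type(exc).__name__, str(exc)), case)
    return crashes


SEED_INPUT = b"\x03abc\x00\x02de\x00"            # two well-formed records


if __name__ == "__main__":
    found = fuzz(parse_records, SEED_INPUT)
    print(f"vulnerable parser: {len(found)} distinct crash(es)")
    for (kind, msg), case in found.items():
        print(f"  {kind}: {msg} <- {case!r}")
    print(f"hardened parser: {len(fuzz(parse_records_safe, SEED_INPUT))} crash(es)")
```

The seed is a valid input so that most mutants stay close to the parser's expected structure; the only change the hardened parser makes is to check the computed offset before using it, which is the entire class of bug that length-prefixed formats tend to have.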
Stock Advice from Spam
Canadian company Diamant Art's stock price tripled in one day, from $0.08 to $0.25
No positive news was released by the company
Spam touting the stock was solely responsible for the rise in stock price
Most stock spam only raises the stock price ~2%, which is quickly lost
Stop Trading Spam Stocks
In March 2007 the US Securities and Exchange Commission announced that trading in 25 stocks would be suspended for 10 days
Not viewed as an effective way to stop stock spam
It is a start; government bodies are starting to wake up
F.B.I. Nabs BotHerders
In June 2007 the US F.B.I. announced the arrest of three different BotHerders who were responsible for over 1 million infected machines
A step in the right direction, even if it was a relatively small group
The real news: if the F.B.I. is on your trail, then your technology has matured
iPhone Releases, Gets Hacked
In July 2007, less than one month after the US release of Apple's highly anticipated iPhone, a major vulnerability was discovered enabling a complete compromise
New vector, new attack
As other vendors scramble to match the iPhone in functionality, similar attacks are likely
Google Ads Link to Malicious Sites
In December 2007 a security researcher discovered that several sites using Google ads were linking to malicious websites
Google swiftly reacted by shutting down the ad providers
No way to know for certain how many users were infected, nor who was at fault
Radio Frequency ID (RFID) Cloning
The last 12 months have seen several different demonstrations highlighting technology to clone RFID tags
Legal methods used to suppress demonstrations
Current demonstrations are more theoretical and not likely to be easily carried out
"RFID is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags" - Wikipedia
Pretexting Makes Headlines
Hewlett Packard admits using pretexting to investigate internal officers
Xbox Live accounts suffer from pretexting attacks
Group calling itself Clan Infamous claimed to steal 10 accounts a day
"Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action and is usually done over the telephone" - Wikipedia
P2P Networks Used for DoS Attacks
Flaw in open source peer-to-peer hub software DC++
Allowed attacker to direct clients to any site resulting in a DoS
Large amount of blackmail money demanded to prevent attack
Conclusions from 2007
Botnets have come into their own
Targeted attacks are increasingly the norm
Cybercrime industry pushing “innovation” in malware
Focus on applications
Case Studies
Case Studies
Corporate Liability: TJX Companies' customer database compromised
Malware in Action: Storm worm analyzed
Malware Industry: Gozi trojan's cybercrime links
Corporate Liability—About the Company
TJX is the parent company for a family of discount retailers
United States: Marshalls, TJ-Maxx, HomeGoods
Canada: Winners, HomeSense
UK, Ireland, Germany: TK-Maxx
Corporate Liability—How it Happened
Attack originated at a Marshalls store in St. Paul, Minnesota
Attackers used a telescope-shaped antenna to read WiFi signals
WiFi-enabled price scanners were targeted to obtain network access information
Once on the network, the database was targeted
Data harvesting started in mid-2005 and carried through the end of 2006
Corporate Liability—What was Affected
Initially thought to be 45.6M credit card numbers compromised, later updated to 90M
Included "Track 2 Data"
Biggest credit card number heist in history
Over 80 GB of network traffic sent to an outside server
Corporate Liability—Example of Use
Nov. ’06 Florida law enforcement claims at least 10 thieves used credit card data in a gift card scheme
Over $8M in gift cards purchased
6 people tied to gift card scheme were arrested
Gift card scheme was carried out months before TJX discovered the compromise
Corporate Liability—Aftermath
Believed to be responsible for between $68M and $83M of fraud in over 13 countries
Class-action consumer lawsuit settled: $20 store voucher, 3 years of credit monitoring, $20,000 ID theft coverage
Banks and financial institutions sued: yet to be determined
Estimated costs to TJX are over $150M
Corporate Liability—Conclusions
Every company needs to be concerned
Does not have to be credit cards
Governments creating laws requiring disclosure
One incident can cost much more than years of a quality security infrastructure
Malware in Action—Storm Worm
Started as PDF spam in early 2007
Evolved to use e-card and YouTube invites
Uses spam with links to malicious sites as its main vector of propagation
Utilizes social engineering techniques to trick users into visiting malicious sites
Malware in Action—Storm Worm
Email spam example:
To: Tony Hall
From: Dale Hammond
Subject: Dear Friend
Hi. Nice to meet u and my friend operates a company .i have got something from him and i must say that the quality is so good .SO i tell u the truth and hope u can connect him and welocme to his website www.ouregoods.com. If u have any questions u can add [email protected] we are pleasure to help ,good luck to u!
Malware in Action—Storm Worm
[Figure: BotHerder, infected web server (the "webtrap") and the victim's machine.]
1. BotHerder updates the malcode on the webtrap
2. Initiates new spam pointing to the webtrap
3. User reads the spam and clicks the link
4. User machine infected
Malware in Action—Storm Worm
game0.exe: backdoor/downloader
game1.exe: SMTP relay
game2.exe: email address stealer
game3.exe: email virus spreader
game4.exe: DDoS attack tool
game5.exe: updated copy of the Storm Worm dropper
Source: www.secureworks.com
Malware in Action—Storm Worm
403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
Copies itself to C:\Windows\disnisa.exe
Set registry to run on startup
Malware in Action—Storm Worm
402ba0 WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
Sync with Microsoft Time Server
Start process
Edit firewall rules to allow network access
Malware in Action—Storm Worm
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)
Bind and listen on port 7018 so the remote side can connect
Wait for a command
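The trace above is the kind of evidence a sandbox produces, and the persistence, firewall and listener calls in it are cheap to match. The block below is an added example, not code from the presentation or from SecureWorks: it reassembles the call lines shown on the slides into a constructed trace and runs a small rule set over them, tracking state across lines for the two indicators that need it (a Run-key value written after the Run key was opened; listen() after bind()). The rule names, weights and threshold are assumptions chosen for illustration.

```python
"""Extract persistence and network indicators from a sandbox API trace.

Added example, not code from the presentation or from SecureWorks. The
trace below is constructed from the call lines shown on the slides; the
rule set and the scoring weights are assumptions chosen for illustration.
"""
import re

SAMPLE_TRACE = r"""
403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm/config/syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
""".strip().splitlines()

# Single-line patterns. The names are our own labels, not sandbox vocabulary.
RULES = {
    "drop_to_windows_dir": re.compile(
        r"Copy\(.+?->(?P<dst>[A-Za-z]:\\WINDOWS\\[^)]+)\)", re.I),
    "run_key_opened": re.compile(r"RegOpenKeyExA \(.*\\CurrentVersion\\Run\)", re.I),
    "run_key_value_set": re.compile(r"RegSetValueExA \((?P<name>[^)]+)\)"),
    "firewall_exception": re.compile(r"WinExec\(netsh firewall set allowedprogram ", re.I),
    "remote_thread_injection": re.compile(r"CreateRemoteThread\("),
    "socket_bound": re.compile(r"bind\(\w+, port=(?P<port>\w+)\)"),
    "socket_listen": re.compile(r"listen\("),
}

# Weights for the indicators we report (constructed, for illustration).
WEIGHTS = {
    "drop_to_windows_dir": 1,
    "run_key_persistence": 2,
    "firewall_exception": 2,
    "remote_thread_injection": 2,
    "listening_socket": 2,
}


def find_indicators(trace_lines):
    """Return [(indicator, evidence line)] in the order they are observed.

    Two indicators need state across lines: a Run-key write counts only
    after the Run key was opened, and a listener only after bind() was
    followed by listen(). Everything else is a single-line match.
    """
    found = []
    run_key_open = False
    bound_port = None
    for line in trace_lines:
        for name, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "run_key_opened":
                run_key_open = True
            elif name == "run_key_value_set":
                if run_key_open:
                    found.append(("run_key_persistence", line))
            elif name == "socket_bound":
                bound_port = match.group("port")
            elif name == "socket_listen":
                if bound_port is not None:
                    found.append(("listening_socket", line))
            else:
                found.append((name, line))
    return found


def score(indicators):
    """Sum the weights of the distinct indicators seen."""
    return sum(WEIGHTS.get(name, 0) for name in {name for name, _ in indicators})


def is_suspicious(trace_lines, threshold=4):
    """Persistence plus a firewall hole or a listener is enough to escalate."""
    return score(find_indicators(trace_lines)) >= threshold


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_TRACE)
    for name, line in hits:
        print(f"{name:25s} <- {line}")
    print("score:", score(hits), "suspicious:", is_suspicious(SAMPLE_TRACE))
```

The w32tm time-sync call is deliberately not a rule: on its own it is normal administrative activity, and scoring it would only add noise. Pairing bind() with listen() rather than matching bind() alone avoids flagging ordinary outbound clients that bind an ephemeral port.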
Hub and Spoke Topology
Controller communicates directly with bots
Simplest, but limited ability to scale
Single points of failure: the BotHerder's controller and the DNS record that points bots to it
Peer To Peer (P2P) Topology
All bots perform distribution
Multiple paths from controller to bots
Scales well, very resilient
No single point of failure
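The two topologies can be compared by simulation. The block below is an added example, not code from the presentation: it builds a hub-and-spoke graph (every bot reaches the herder only through one rendezvous node) and a ring-shaped peer-to-peer graph (each bot keeps four peers; the herder injects commands through two entry bots), then measures what fraction of surviving bots can still be reached after given nodes are taken down. The node names, sizes and ring layout are assumptions chosen for illustration.

```python
"""Compare hub-and-spoke and peer-to-peer C2 topologies under takedown.

Added example, not code from the presentation. Both graphs are constructed:
in the hub-and-spoke model every bot talks only to one rendezvous node (the
"hub", e.g. an IRC server found via a DNS record); in the peer-to-peer model
bots form a ring in which each keeps four peers, and the bot herder injects
commands through two entry bots. Names and sizes are assumptions.
"""
from collections import deque


def hub_and_spoke(n_bots):
    """herder <-> hub <-> every bot. The hub is the single point of failure."""
    graph = {"herder": {"hub"}, "hub": {"herder"}}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph["hub"].add(bot)
        graph[bot] = {"hub"}
    return graph


def peer_to_peer(n_bots, entry_points=("bot0", "bot50")):
    """Ring lattice: bot i peers with i+-1 and i+-2; the herder attaches to entry bots."""
    graph = {"herder": set()}
    for i in range(n_bots):
        graph[f"bot{i}"] = set()
    for i in range(n_bots):
        for step in (1, 2):
            j = (i + step) % n_bots
            graph[f"bot{i}"].add(f"bot{j}")
            graph[f"bot{j}"].add(f"bot{i}")
    for entry in entry_points:
        graph["herder"].add(entry)
        graph[entry].add("herder")
    return graph


def controllable_fraction(graph, removed=frozenset()):
    """Fraction of surviving bots that can still receive a command from the herder.

    `removed` is the set of nodes taken down (a sinkholed hub, cleaned bots).
    Reachability is a breadth-first search from the herder that never steps
    onto a removed node; a bot is controllable if the search reaches it.
    """
    alive = [n for n in graph if n.startswith("bot") and n not in removed]
    if not alive:
        return 0.0
    seen = {"herder"}
    queue = deque(["herder"])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer not in removed and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return sum(1 for b in alive if b in seen) / len(alive)


def takedown_report(n_bots=100):
    """Run the same takedown scenarios against both topologies."""
    scenarios = {
        "lose one bot": {"bot3"},
        "lose the hub / first entry bot": {"hub", "bot0"},
        "lose two adjacent bots": {"bot10", "bot11"},
        "lose both entry bots": {"bot0", "bot50"},
    }
    report = {}
    for label, removed in scenarios.items():
        report[label] = {
            "hub_and_spoke": controllable_fraction(hub_and_spoke(n_bots), removed),
            "peer_to_peer": controllable_fraction(peer_to_peer(n_bots), removed),
        }
    return report


if __name__ == "__main__":
    for label, result in takedown_report().items():
        print(f"{label:32s} hub-and-spoke={result['hub_and_spoke']:.2f} "
              f"peer-to-peer={result['peer_to_peer']:.2f}")
```

Taking down the hub silences the whole hub-and-spoke botnet, while the ring survives the loss of any single bot or any two neighbours. The last scenario shows the limit of the model: the peer-to-peer network still has a small set of entry points, so a defender who can identify and remove all of them cuts the herder off just as effectively.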
Storm Worm Conclusions
Very sophisticated
“Victim of its own success”, yet still difficult to shut down
Just one example, there are others we don’t know about
The Industry in Action: GOZI
GOZI was a custom-made application designed to harvest data
Went undetected for over 50 days
Collected at least 10,000 records belonging to over 5,000 home users
GOZI: The Discovery
Originally discovered because a user reported that an account he accessed at work was compromised
Work computer was searched, suspicious malware discovered
Not one of the 30 leading anti-virus companies detected Gozi at the time
GOZI: The Highlights
Targeted SSL data
Modularized code (professional grade)
Spread through an iFrame IE browser vulnerability
No detection in anti-virus products for weeks, months
Customized to target specific sensitive data
Posted on-line for "customer" purchases of stolen data
Home PCs largely infected
Accounts at top financial, retail, health care, and government services affected
Estimated black market value of at least $2 million
Source: www.secureworks.com
GOZI: The Investigation
Organization ready to code new undetectable malware
Willing to offer tech support
Others willing to help with infection
Gozi main server located in Russia
Source: www.secureworks.com
GOZI: Conclusions
Truly a new industry
Pushing the envelope, trying to stay undetected
Operating in countries where it is difficult to get shut down
Threats on the Horizon
Threats on the Horizon
Automated social engineering
Web 2.0
Voice over IP threats
Video files format vulnerabilities
Mobile devices
Data leakage
Outsourcing
Distributed workforce
Automated Social Engineering
In an effort to convince users to "click here", malware will use collected data to make targeted spam more believable
Malcode can scan previous emails in a person's inbox and send a "reply"
Simply adding:
Hey,
Forgot to tell you to check out this site:
http://bad.site.com
Web 2.0
Hugely popular social sites (MySpace, Facebook) offer many potential victims for attackers
Data easy to gather to assist in targeted attacks
Very dynamic, big potential for buggy software to be present
Attracts users who are not necessarily computer proficient
Voice over IP Threats
“Vishing”: a phishing scheme carried out over the voice channel
Well understood business risk is promoting integration of security technologies in voice deployments
Limited pool of technical experts on voice within attacker community
Follow the money: No well-established business model driving financial incentives to attack
Voice Security Opportunities
Eavesdropping: the earliest attacks focused on this (VOMIT); however, effective deployment of secure voice makes this very difficult (it is easier to use other means to access the information)
SPIT (SPAM over Internet Telephony): potential to be a serious annoyance, but there are significant barriers to this being an effective source of profit (vishing)
Some of the barriers are technical, but most involve our current use patterns for telephony (used on a per-phone basis, not in a "list" format)
Denial of service: disgruntled employees or extortionists may target the voice infrastructure by a variety of mechanisms
Video File Format Vulnerabilities
Researchers in 2007 continued to uncover many important-to-critical video file format vulnerabilities in:
QuickTime
Real Player
Windows Media Player
Flash
Documented examples of video file attacks in 2007, not yet mainstream
With rise of video it is only a matter of time
The next “hot” YouTube video just might be dangerous…
New Opportunity: Proliferation of Devices
• New types of devices are joining the network: hand-helds, smart phones, cameras, tools, physical security systems, etc.
• Diversity of OSs: more devices means more operating systems and custom applications
• Embedded OSs: process controllers, kiosks, ATMs, lab tools, etc. The IT department is often not involved in procurement, so little attention is paid to security. For example, one environment got hacked from an oscilloscope
• Attacks on the back-end: all of these systems provide an ingress point into some form of back-end system. Both the method of communication and the device itself are targets
• Attacks on the device: proliferation leaves many opportunities for taking control of a system
• Attacks on data: sensitive data is becoming increasingly distributed and uncontrolled
Attacks on Data: Data Leakage
Still a hot topic this year
Broad term encompassing multiple different challenges:
Security of Data at rest
Security of Data in motion
Identity-based access control
Both malicious and inadvertent disclosures
The issue has become topical typically for "compliance" reasons
However, the broader topic involves business risk management:
How do I avoid inadvertent disclosures?
How do I protect my information assets from flowing to my competitors?
How do I avoid ending up in the news?
Architectural View of Data Leakage: New Challenges
[Figure: data moves from centralized data stores (structured and unstructured) through application front ends on server/application systems, across network transit, to end users on endpoint systems and on to decentralized data stores, with internal and external consumers at the edge. Enforcement points sit on the endpoints and at transit points in the network.]
What's changed? Enforcement points and data consumers are roughly the same; however, a new actor is introduced: "data".
Quantization problem: how to group data elements into units of information relevant to the business?
Technical translation problem: how to reliably test a given data set for membership in a "unit of information" (e.g. how to verifiably determine if a given mass of bits is "source code")?
Policy construction problem: how to scalably build policy for data flows across a large environment?
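The technical translation problem has a concrete instance earlier on this page: the Track 2 data taken in the TJX case. The block below is an added example, not code from the presentation: it tests a chunk of text for payment card data using the Luhn check on 13 to 19 digit runs and a pattern for Track 2 strings (;PAN=YYMM...?), over a constructed sample that uses the well-known 4111 1111 1111 1111 test number. The regular expressions, the masking format and the sample text are assumptions chosen for illustration.

```python
"""Test a chunk of text for card data: bare PANs and magnetic-stripe Track 2.

Added example, not code from the presentation. It answers the "technical
translation problem" for one unit of information, payment card data: a run
of 13 to 19 digits that passes the Luhn check, or a Track 2 string of the
form ;PAN=YYMM...?. The sample text is constructed and uses the well-known
Visa test number 4111 1111 1111 1111; regexes and masking are assumptions.
"""
import re

# Digits optionally separated by single spaces or dashes, not adjoining other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2: start sentinel ';', PAN, '=' separator, YYMM expiry, optional
# three-digit service code and discretionary data, end sentinel '?'.
TRACK2 = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>[^?]*)\?")

# Constructed sample: one spaced PAN, one Luhn-invalid decoy, one Track 2 dump.
SAMPLE_TEXT = """\
order 1001 shipped, tracking 1Z999AA10123456784
cardholder paid with 4111 1111 1111 1111 exp 08/12
fake number 1234567890123456 should not match
swipe dump: ;4111111111111111=0812101123400001?
"""


def luhn_ok(digits):
    """Luhn mod-10 check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, as a receipt would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text):
    """Return one finding per card-data hit: kind, 1-based line number, masked PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        covered = []                      # spans already reported as Track 2
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group("pan")):
                covered.append(m.span())
                findings.append({"kind": "track2", "line": lineno,
                                 "masked": mask(m.group("pan")),
                                 "expiry": m.group("exp")})
        for m in PAN_CANDIDATE.finditer(line):
            if any(start <= m.start() < end for start, end in covered):
                continue                  # the PAN inside a Track 2 string
            pan = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(pan) <= 19 and luhn_ok(pan):
                findings.append({"kind": "pan", "line": lineno, "masked": mask(pan)})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_TEXT):
        print(finding)
```

Luhn alone passes about one in ten random digit runs, so a bare PAN hit is weak evidence and is usually combined with context (an expiry date or cardholder field nearby); a Track 2 string, with its sentinels and separator, is strong evidence on its own and should never appear outside the payment path.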
Mobile Data Continues: PC on a Stick
New "smart drives" and other similar technology extend the existing threats to data posed by portable storage devices
Devices carry a virtual computing environment in secure storage, typically plugged in via USB to any open computer
All workspace, preference, and data information is kept within the device, but the computing resources of the host machine are used for manipulation and processing
Challenges:
Analogous to SSL VPN security challenges, only now you can lose the device in a cab
Unknown endpoint environment challenges: keyboard loggers and splicers, monitor taps, webcams
Malicious software embedded in data or documents
Trend: Outsourcing
Motivations: outsourcers have all the potential to be disgruntled employees in search of revenge, only more so; outsourcers typically feel less loyalty to the outsourcing organization
Opportunity: in many organizations, outsourcers are given full intranet access
Considerations:
How do you balance the need to access required applications with the controls necessary to mitigate risk?
When negotiating contracts, are there any provisions for data security and integrity? Are there any provisions to audit the security posture?
What legal recourse does the organization have in the event of compromise? Jurisdictional issues, liability and responsibility, etc.
Trend: Distributed Workforce
De-perimeterization is real
True "federated" security systems are a long way off yet
Layers of defense and policy enforcement are critical
Drop bad traffic as close to the source as possible, but ensure you've got at least a couple of "last lines of defense"
Costs and risks to data integrity should be part of any calculation to adopt new business practices
There may be hidden costs that are not well understood
People and processes are key to mitigating risk
User awareness and effective business processes are as important as technology solutions
Coping with Threats
Conclusion and Recommendations
What's My Exposure? Appropriate Risk Mitigation
Risk is at the core of all security policy decisions
With emerging threats, there's always something out there that can affect your business
Effective understanding of business risk is critical to determining priorities in your response plan
The Challenge: every application is business critical to someone
[Figure: level of mitigation plotted against level of risk aversion, from risk tolerant to risk averse]
Example: Network-Based Structured Data Controls
[Figure: the client's request passes to the server; the server's response is inspected by a Cisco AVS 3100 application firewall before it reaches the client. The policy actions shown are Mask and Block.]
Field              Server response        Delivered to client
Patient ID         134-AR-627             134-AR-627
Credit Card        1234-5678-9012-3456    XXXX-XXXX-XXXX-3456
Social Security    123-45-6789            XXX-XX-XXXX
Driver's License   A123456                A123456
Employee ID        S-924600               XXXX
Tackling Malware: Solutions Across the Network
[Figure: network diagram with control points at the Internet connections, extranet connections (business partner access), remote access systems, remote/branch offices, corporate LAN, data center and management network; traffic is stopped or allowed (STOP/GO) at each point.]
Network-Based Content Control
Multi-function security devices
Firewalls
Intrusion prevention systems
Proxies
Network Admission Control
Ensure endpoint policy compliance
Endpoint Protection
Infection prevention: Cisco Security Agent
Infection remediation: desktop anti-virus; Microsoft and other anti-spyware software
Mitigating Risk of Data Leakage: Basic Steps
1. Protect Non-managed Machines: remote access (employee, partner, and vendor) from non-managed machines poses a serious risk. Deploy protection technology in your remote access systems, such as Cisco Secure Desktop in the Cisco ASA 5500
2. Deploy Network-based Structured Data Controls: data elements such as credit card numbers or SSNs can be monitored and controlled in return traffic using application firewalls (such as the AVS 3100)
3. Lock Down Managed Endpoints: lock down removable media systems, such as USB ports and CD burners, using Cisco Security Agent
4. Application Access Control: Enforce “need to know” access control policies in the network at transit control points (e.g. in firewalls)
5. Content Inspection Services: Build out a network-wide sensor grid for visibility and audit. Primary focus areas: email; instant messaging
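The structured data control in the AVS 3100 figure and in step 2 above is, at its core, a set of detectors run over the response body plus a policy that says what to do with each hit. The script below is an added illustration written for this transcript, not code from the deck or from any Cisco product; it shows the Mask and Block actions on a constructed response and is also one concrete instance of the "technical translation problem" from the architecture slide (deciding whether a run of bytes is a credit card number). Assumptions not in the original: the identifier formats (the deck shows only one sample value of each, e.g. S-924600), the Luhn check used to weed out 16-digit strings that are not card numbers, and the "bulk SSN" block rule, which refuses to serve a page that dumps several SSNs at once.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# --- Detectors ---------------------------------------------------------------
# Identifier formats are assumed for this example; the deck only shows one
# sample value of each (e.g. "S-924600" for an employee ID).
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")      # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")       # US SSN, dashed form
EMP_RE = re.compile(r"\bS-\d{6}\b")                 # employee ID, assumed "S-nnnnnn"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: cuts the false positives a bare 16-digit regex produces."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(m: "re.Match[str]") -> str:
    """Keep the last four digits, as the figure does; leave non-Luhn strings alone."""
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)
    return "XXXX-XXXX-XXXX-" + digits[-4:]


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    action: str                                          # "mask" or "block"
    mask: Optional[Callable[["re.Match[str]"], str]] = None
    threshold: int = 1                                   # block: matches needed to trigger


@dataclass
class Verdict:
    allowed: bool
    body: str
    hits: List[str] = field(default_factory=list)


def enforce(body: str, rules: List[Rule]) -> Verdict:
    """Apply the policy to a response body. Block rules go before mask rules:
    masking rewrites the body, so a count taken afterwards would be wrong."""
    verdict = Verdict(allowed=True, body=body)
    for rule in rules:
        if rule.action == "block":
            n = sum(1 for _ in rule.pattern.finditer(verdict.body))
            if n >= rule.threshold:
                verdict.hits.append(rule.name)
                return Verdict(allowed=False, body="", hits=verdict.hits)
        elif rule.action == "mask":
            def _sub(m: "re.Match[str]") -> str:
                out = rule.mask(m)
                if out != m.group(0) and rule.name not in verdict.hits:
                    verdict.hits.append(rule.name)
                return out
            verdict.body = rule.pattern.sub(_sub, verdict.body)
        else:
            raise ValueError(f"unknown action {rule.action!r}")
    return verdict


# Policy: mask single records, but refuse outright to serve a page that dumps
# many SSNs at once (a bulk extraction looks different from a single lookup).
POLICY: List[Rule] = [
    Rule("bulk-ssn", SSN_RE, "block", threshold=3),
    Rule("credit-card", CARD_RE, "mask", mask=mask_card),
    Rule("ssn", SSN_RE, "mask", mask=lambda m: "XXX-XX-XXXX"),
    Rule("employee-id", EMP_RE, "mask", mask=lambda m: "XXXX"),
]

# Constructed sample bodies (not from the deck). The card number is a Luhn-valid
# test value; the "Tracking" string is 16 digits that fail Luhn and must survive.
SINGLE_RECORD = (
    "Patient ID: 134-AR-627\n"
    "Credit Card: 4539 1488 0343 6467\n"
    "Social Security: 123-45-6789\n"
    "Driver's License: A123456\n"
    "Employee ID: S-924600\n"
    "Tracking: 1234-5678-9012-3456\n"
)
BULK_DUMP = "123-45-6789\n987-65-4321\n555-12-3456\n"

if __name__ == "__main__":
    for name, body in (("single", SINGLE_RECORD), ("bulk", BULK_DUMP)):
        v = enforce(body, POLICY)
        print(f"[{name}] allowed={v.allowed} hits={v.hits}")
        print(v.body)
```

Two design points carry over to a real deployment: rule order matters (anything that counts or blocks must see the unmasked body), and a detector that fires on format alone will mask order numbers and tracking IDs as readily as card numbers, which is why the validator is part of the detector and not an afterthought.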
Incident Response Basics
Incident Response Life Cycle:
1. Pre-Incident Planning
2. Detection and Analysis
3. Containment and Control
4. Recovery
5. Post-Incident Policy and Process Analysis
Most important step: Step 1
Second most important step: Step 5
Most commonly skipped step: Step 1
Second most commonly skipped step: Step 5
Adapted from reports at www.gartner.com and www.securityfocus.com
What Should I Do?
Process, process, process: Implement strong processes up front, document them, and use them
User education campaigns: Ensure there is an end-user education component of your broader information security strategy
Make effective use of technology: technology exists to mitigate much of your risk of exposure to new threats; make sure you're using what's available
Technology Recommendations
Stay informed: Subscribe to a threat information service
A cost effective way to stay on top of things
Stay informed: Actually read the information coming from your threat information service
Summaries are quick
Utilize your infrastructure: use tools that you already have available
Technology Recommendations
Change the game: deploy NAC
Raise the bar on the level of protection at the internal edge
Develop and implement a complete "incident response system"
Include technologies like IPS that enable visibility and protection; ensure you've got the tools to help (like MARS)
Get tested! Engage a reputable penetration testing firm
Deploy anomaly technologies
Anomaly detection technologies can catch some emerging threats before they're well known
Intelligence Service Example
Tactical, operational and strategic intelligence
Vendor neutral
Life cycle reporting
Vulnerability workflow management system
Comprehensive searchable alert database
Threat and Vulnerability Intelligence Alerting ServiceReceive Vital Intelligence that Is Relevant and Targeted to Your Environment
Cisco IntelliShield Alert Manager
Intelligence Summary Example
Addresses seven major risk management categories: vulnerability, physical, legal, trust, identity, human, and geopolitical. The PSARs are a result of collaborative efforts, information sharing, and collective security expertise of senior analysts from Cisco security services that include the IntelliShield team
Cisco IntelliShield Cyber Risk Reports
A Strategic Intelligence Report that Highlights Current Security Activity and Mid-to Long-range Perspectives
Utilize Your Infrastructure
Each response covers: vulnerability characteristics; mitigation technique overview; risk management; device-specific mitigation and identification
Devices covered: Cisco IOS® routers and switches; Cisco IOS NetFlow; Cisco ASA, PIX®, and FWSM firewalls; Cisco Intrusion Prevention System; Cisco Security Monitoring, Analysis, and Response System
Cisco Applied Intelligence Responses
Actionable Intelligence that Can Be Used on Existing Cisco Infrastructure
Incident Response and Threat Prevention Systems
Considerations for Building a System
Monitoring Console: a strong monitoring console is essential; without that, you're blind
Breadth of Network Control Points: have IPS technology ready in as many locations as possible, even if you're not using it; it'll be there when you need it
Fine-grained Endpoint Control: ensure your endpoint security software provides granular use control, in addition to protective services
[Figure: system diagram. Day-zero endpoint protection with Cisco Security Agent (CSA); server protection with CSA in the data center (integrated data center protection); branch protection with Cisco ISR routers; converged perimeter protection with the Cisco ASA 5500 Adaptive Security Appliance and Cisco Catalyst® service modules between Internet and intranet; security management with CSM; monitoring, correlation, and response with CS-MARS.]
Some Closing Thoughts
Do not get overwhelmed
Small steps can make a big difference
Remember, to survive a bear attack, you don't have to be the fastest person…you just need to be faster than the next guy
Do not be the least prepared
Q and A
Recommended Reading
Continue your Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Available Onsite at the Cisco Company Store
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Passport points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.
Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.