cisco talos

Jaeson Schultz, Technical Leader

Upload: cisco-public-sector

Post on 14-Apr-2017

TRANSCRIPT

Insights On Emerging Threats

Who Am I?

Jaeson Schultz, [email protected], @jaesonschultz (Twitter)

Over 20 years specializing in thwarting abuse of security protocols like SMTP, HTTP/S, and DNS

Former manager of the SpamCop DNSBL, an IP address-based blacklist which has been taking the fight to the spammers for over a decade

Assisted in the design and development of the Cisco IronPort Anti-Spam content scanner, and I've also developed some of the architecture and content detection for Cisco's Web Security Appliance, Cloud Web Security, and Next Generation Firewall products.

Most recently as Technical Leader for Talos, I perform Security Research, Author Blog/Whitepaper Publications, Speak at Conferences, and evangelize Cisco Security.

Little Lebowski Urban Achiever


THREAT LANDSCAPE

The number of CVE entries in 2016 so far is 239

[Chart: CVE entries per year, 2011 to 2015; values shown on the chart are 6453 and 7903, with an 18% decrease in CVE entries from 2014 to 2015]

In the history of the MITRE CVE project (the last 15 years) there are only 75,544 CVEs as of this morning. We detect 1.1M per day, and that number is increasing daily.

This is a setup slide. It's to set the basic tone: there are a lot of threats out there that people have to keep track of. While this is probably common knowledge to any security-educated crowd, there are numerous customers who just expect us to do our mission in slide 2. This outlines what type of things we have to pay attention to in order to execute on that mission.

It's not meant to be inclusive; it's just a sampling of stats that outline the security problem.


THREAT LANDSCAPE

1.5 Million

In the history of the MITRE CVE project (the last 15 years) there are only 75,544 CVEs as of this morning. We detect 1.5M per day, and that number is increasing daily.


THREAT LANDSCAPE


2,557,767 blocks/sec counting spam

Notes on new numbers: 19.6 Billion threats blocked per day = Web Blocks + Spam with malicious attachment

2.5 Million Threats blocked per second = The 19.6 Billion blocks + all Spam messages with attachments or not


THREAT LANDSCAPE

19.7 Billion

THREATS DON'T GO AWAY, HOW DO WE ADDRESS IT?

Cloud to Core Coverage

16 BILLION web requests a day

500 BILLION email messages a day

18.5 BILLION AMP queries a day

AMP avg was 13B; 18.5B is the max, for Nov/15

MULTI-TIERED DEFENSE

Cloud to Core Coverage

WEB: Reputation, URL Filtering, AVC

END POINT: Software ClamAV, Razorback, Moflow

CLOUD: FireAMP & ClamAV detection content

EMAIL: Reputation, AntiSpam, Outbreak Filters

NETWORK: Snort Subscription Rule Set, VDB FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content

Global Threat Intelligence Updates

MULTI-TIERED DEFENSE

Talos is divided into 5 departments

Intelligence powers everything. From the previous slide, we pull in tons of data; Intel helps consolidate and make sense of that data.

Detection research then utilizes that data to fuel all the security products they support. They have reverse engineers, malware analysts, domain reputation, and spam experts who take that distilled data and turn it into something actionable.

Development works on engines that help deliver our intelligence to all the platforms: either APIs, backend engines that detect known and unknown threats, or actual in-field detection engines that are deployed on platforms. They are fueled by the intelligence and the under-fire experience of the response team.

Vulnerability Development. These guys are the zero-day hunters. They help us find new threats before the bad guys do, make sure our response teams know about them so they are covered in the products and our customers are protected, and work on new and innovative ways to help protect our customers through the development of mitigations for classes of vulnerabilities.

Open Source

Public Facing Tools

Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger

Vulnerability detection and mitigation: Moflow, FreeSentry

At a glance, we help build, support, and create these public-facing tools that are used every day.

We have also released tools that help detect and mitigate vulnerabilities, such as FreeSentry, which was released and is designed to detect use-after-free vulnerabilities in code.


Open Intelligence


Online Advertising

Exploits in the cloud!

ONLINE ADVERTISING

A big, fat, opportunity

Ad Injection: Rewrite web pages with extra ads; PUAs; Adware downloads

Clickfraud: Hidden frames, with random clicking that generates hits.

Malvertising: A favorite of kits such as Angler; use the ad platform to direct browsers to a compromised server.

Advertising is big business.

Total annual Internet advertising revenue for 2013 was over US $117bn, and will approach US $200bn by the year 2018. In 2015 the Assn of National Advertisers expects $6.3bn to be lost to ad fraud. [1] Malicious actors take advantage of the advertising space through click-fraud, as well as its excellent delivery network. When malware is delivered through advertising networks we note this as malvertising.

{{need more stats here}}

Malware rewriting HTML for additional advertisements: more ads means more revenue. Clickfraud: the malware may generate clicks as well, an attack against the advertisers using your browser as the launching point. Malware redirecting users to malicious download sites for further exploitation.
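The hidden frames the slides mention are something a defender can audit for in page markup. The following is an added example, not code from the talk or from Talos: it walks an HTML document with Python's standard-library parser and reports iframes that are hidden via CSS, pushed off-screen, or sized to a single pixel, plus the hosts of external scripts for review. The sample page, its domains and the heuristics (display:none, visibility:hidden, opacity:0, large negative offsets, width and height of at most 1) are constructed assumptions for the demonstration.

```python
"""Audit a page for hidden frames of the kind clickfraud and ad-injection
malware plant (added example; not code from the talk or from Talos)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one visible 300x250 ad slot, a 1x1 pixel frame,
# a display:none frame, and a frame positioned far off-screen.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<iframe src="https://ads.example.com/slot?id=1" width="300" height="250"></iframe>
<iframe src="http://clicks.example.net/hit" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://clicks.example.net/hit2" style="display:none"></iframe>
<iframe src="http://tracker.example.org/x" style="position:absolute; left:-9999px; top:0"></iframe>
<script src="https://cdn.example.com/app.js"></script>
</body></html>
"""

# Heuristics (assumed thresholds): CSS that hides the element outright,
# or an absolute offset of 100px or more into negative space.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I)
OFFSCREEN = re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (a pixel frame)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class FrameAuditor(HTMLParser):
    """Collect suspicious iframes and the hosts of external scripts."""

    def __init__(self):
        super().__init__()
        self.hidden_frames = []
        self.script_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_hosts.add(urlparse(a["src"]).hostname)
        if tag != "iframe":
            return
        style = a.get("style") or ""
        reasons = []
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden via CSS")
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or 0x0 pixel frame")
        if reasons:
            src = a.get("src") or ""
            self.hidden_frames.append(
                {"src": src, "host": urlparse(src).hostname, "reasons": reasons})


def audit_html(html):
    """Return the hidden frames found and the sorted list of script hosts."""
    parser = FrameAuditor()
    parser.feed(html)
    parser.close()
    return {"hidden_frames": parser.hidden_frames,
            "script_hosts": sorted(h for h in parser.script_hosts if h)}


if __name__ == "__main__":
    report = audit_html(SAMPLE_HTML)
    for frame in report["hidden_frames"]:
        print(f"suspicious iframe {frame['src']}: {', '.join(frame['reasons'])}")
    print("external script hosts:", report["script_hosts"])
```

The visible 300x250 slot is left alone; the three other frames are each flagged for a different reason. In practice the script-host list is compared against the hosts the site legitimately loads from, which is what turns "hidden frame present" into "page has been rewritten".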

Income assessment (clickfraud and malvertising)

Market size: adware and clickfraud is a $6.3bn business, with an underlying economy growing rapidly ($117bn almost doubling to $200bn).

[1] http://adage.com/article/digital/inside-google-s-secret-war-ad-fraud/298652/


A major news site: 26 domains, 39 hosts, 171 objects, 557 connections


Exploit Kits

Angler Exposed

Exploits in the cloud!

Overview

Deep Data Analytics, July 2015: Telemetry from compromised users; ~1000 sandbox runs

July 2015: Angler underwent several URL changes; multiple Hacking Team 0-days added; ended with tons of data

Detection Challenges

Hashes: Found 3,000+ unique hashes; 6% in VT. Most detection at 25% was also a bit of a surprise.

SSHPSYCHOS

BRUTEFORCE: If it doesn't work you're just not using enough


SSH Psychos Update

SSHPsychos: Brute force SSH attacks until password guessed; 300K unique passwords; Login from different address space; Drop DDoS rootkit on server; Accounted for 1/3 of all SSH traffic ON THE INTERNET

SSH Brute Force Attempts

Identified SSH brute force group from honeypot network. A /23 of address space generating huge amounts of SSH traffic, at points more than 1/3 of all SSH traffic on the Internet. Basic attack vector was to brute force using 300K unique passwords. Once the password was guessed the brute force stopped, and a new IP logged in and downloaded a DDoS agent rootkit.
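The sequence described on these two slides, a burst of failed passwords followed by a successful login for the same account from a different address space, is what a defender can alert on. The following is an added example written for this page, not Talos code or tooling. It assumes standard OpenSSH sshd syslog lines ("Failed password for ... from ... port ...", "Accepted password for ..."); the log lines, hostname and RFC 5737 documentation-range addresses are constructed, and the thresholds (10 failures within 600 seconds, /24 as the boundary of the attacker's "address space") are assumptions to tune per environment.

```python
"""Detect an SSH brute-force burst and a follow-on login from outside the
attacker's address space (added example; not Talos code)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample sshd log: 203.0.113.17 hammers root with many passwords,
# then root is accepted from 198.51.100.77 (a different /24); alice's single
# typo followed by a successful login from the same host is benign noise.
_FAILURES = [
    f"Jul 10 02:14:{i * 5:02d} host1 sshd[{4000 + i}]: "
    f"Failed password for root from 203.0.113.17 port {51000 + i} ssh2"
    for i in range(12)
]
SAMPLE_AUTH_LOG = "\n".join(_FAILURES + [
    "Jul 10 02:16:33 host1 sshd[4099]: Accepted password for root from 198.51.100.77 port 40022 ssh2",
    "Jul 10 02:20:01 host1 sshd[4120]: Failed password for alice from 192.0.2.9 port 50011 ssh2",
    "Jul 10 02:20:09 host1 sshd[4121]: Accepted password for alice from 192.0.2.9 port 50011 ssh2",
]) + "\n"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn sshd password-auth lines into event dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def detect_brute_force(events, threshold=10, window_seconds=600):
    """Sources with at least `threshold` failed passwords inside `window_seconds`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0  # sliding window over the sorted failure timestamps
        for end in range(len(fails)):
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"count": len(fails),
                            "users": sorted({e["user"] for e in fails}),
                            "first": fails[0]["ts"], "last": fails[-1]["ts"]}
                break
    return hits


def detect_post_bruteforce_logins(events, brute, prefix_len=24):
    """Accepted logins for a brute-forced account, after the burst began, arriving
    from outside the brute-forcer's /prefix_len: the guessed-then-pivot pattern."""
    alerts = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        for ip, info in brute.items():
            if e["user"] not in info["users"] or e["ts"] < info["first"]:
                continue
            attacker_net = ip_network(f"{ip}/{prefix_len}", strict=False)
            if ip_address(e["ip"]) not in attacker_net:
                alerts.append({"user": e["user"], "login_ip": e["ip"], "ts": e["ts"],
                               "bruteforce_ip": ip, "bruteforce_count": info["count"]})
    return alerts


def analyze(text, threshold=10):
    events = parse_auth_log(text)
    brute = detect_brute_force(events, threshold=threshold)
    return brute, detect_post_bruteforce_logins(events, brute)


if __name__ == "__main__":
    brute, alerts = analyze(SAMPLE_AUTH_LOG)
    for ip, info in brute.items():
        print(f"brute force from {ip}: {info['count']} failures against {info['users']}")
    for a in alerts:
        print(f"ALERT: {a['user']} accepted from {a['login_ip']} after brute force from {a['bruteforce_ip']}")
```

The second check is the one that matters for this campaign: a successful login that is not from the brute-forcing source looks like a normal day to a per-IP lockout rule, so the correlation has to key on the targeted account rather than on the attacker's address.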


SSH Psychos Update

SSHPsycho

After observing the behavior for several months, Cisco Talos decided we needed to take action. We engaged Level 3 Communications; Level 3 verified the behavior that we observed. Worked to coordinate a null route of the traffic. The group suddenly pivoted to new address space. Worked as a team to remove both address spaces as much as possible.


VICTORY!!!

Engaged Level 3 and another major ISP; Sudden pivot; Null routed; Call to action; Effectively limited; Download blocked by standard technology


INTELLIGENCE COMMUNITIES

Talos works to promote collaborative and thorough understanding of network security threats through a number of community programs.

Project Aspis: collaboration between Talos and host providers. Talos provides expertise and resources to identify major threat actors. Providers potentially save significant costs in fraudulent charges. Talos gains real-world insight into threats on a global scale, helping us improve detection and prevention and making the internet safer for everyone.

CRETE: collaboration between Talos and participating customers. Talos provides a FirePower NGIPS sensor to deploy inside the customer network. Talos gathers data about real-world network threats and security issues. Customers receive leading-edge intel to protect their network.

AEGIS: information exchange between Talos and participating members of the security industry. Open to partners, customers, and members of the security industry. A collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats.

talosintel.com

@talossecurity

@jaesonschultz