Cisco Talos
TRANSCRIPT
Insights On Emerging Threats
Jaeson Schultz, Technical Leader
Who Am I?
Jaeson Schultz, [email protected], @jaesonschultz (Twitter)
Over 20 years specializing in thwarting abuse of security protocols like SMTP, HTTP/S, and DNS.
Former manager of the SpamCop DNSBL, an IP address-based blacklist which has been taking the fight to the spammers for over a decade.
Assisted in the design and development of the Cisco IronPort Anti-Spam content scanner, and I've also developed some of the architecture and content detection for Cisco's Web Security Appliance, Cloud Web Security, and Next Generation Firewall products.
Most recently, as Technical Leader for Talos, I perform security research, author blog and whitepaper publications, speak at conferences, and evangelize Cisco Security.
Little Lebowski Urban Achiever
THREAT LANDSCAPE
The number of CVE entries in 2016 so far is 239.
[Chart: CVE entries per year, 2011 to 2015. An 18% decrease in CVE entries from 2014 (7,903) to 2015 (6,453).]
In the history of the MITRE CVE project, the last 15 years, there are only 75,544 CVEs as of this morning. We detect 1.1M per day, increasing daily.
This is a setup slide. It's to set the basic tone: that there are a lot of threats out there that people have to keep track of. While this is probably common knowledge to any security-educated crowd, there are numerous customers who just expect us to do our mission in slide 2. This outlines what type of things we have to pay attention to in order to execute on that mission.
It's not meant to be all-inclusive; it's just a sampling of stats that outline the security problem.
THREAT LANDSCAPE
1.5 Million threats detected per day
In the history of the MITRE CVE project, the last 15 years, there are only 75,544 CVEs as of this morning. We detect 1.5M per day, increasing daily.
THREAT LANDSCAPE
2,557,767 blocks/sec, counting spam
Notes on new numbers: 19.6 billion threats blocked per day = web blocks + spam with malicious attachments.
2.5 million threats blocked per second = the 19.6 billion blocks + all spam messages, with attachments or not.
THREAT LANDSCAPE
19.7 Billion threats blocked per day
THREATS DON'T GO AWAY, HOW DO WE ADDRESS IT?
Cloud to Core Coverage
16 BILLION web requests a day
500 BILLION email messages a day
18.5 BILLION AMP queries a day
AMP average was 13B; 18.5B is the max for Nov/15.
MULTI-TIERED DEFENSE
Cloud to Core Coverage
WEB: Reputation, URL Filtering, AVC
END POINT: Software ClamAV, Razorback, Moflow
CLOUD: FireAMP & ClamAV detection content
EMAIL: Reputation, AntiSpam, Outbreak Filters
NETWORK: Snort Subscription Rule Set, VDB FireSIGHT Updates & Content, SEU/SRU Product Detection & Prevention Content
Global Threat Intelligence Updates
MULTI-TIERED DEFENSE
Talos is divided into 5 departments.
Intelligence powers everything. From the previous slide, we pull in tons of data; Intel helps consolidate and make sense of that data.
Detection Research then utilizes that data to fuel all the security products they support. They have reverse engineers, malware analysts, domain reputation, and spam experts who take that distilled data and turn it into something actionable.
Development works on engines that help deliver our intelligence to all the platforms: either APIs, backend engines that detect known and unknown threats, or actual in-field detection engines that are deployed on platforms. They are fueled by the intelligence and the under-fire experience of the response team.
Vulnerability Development: these guys are the zero-day hunters. They help us find new threats before the bad guys do, make sure our response teams know about them so they are covered in the products and our customers are protected, and work on new and innovative ways to help protect our customers through the development of mitigations for classes of vulnerabilities.
Open Source
Public Facing Tools
Threat detection and prevention: Snort, ClamAV, Razorback, & Daemonlogger
Vulnerability detection and mitigation: Moflow, FreeSentry
At a glance, we help build, support, and create these public facing tools that are used everyday.
We have also released tools that help detect and mitigate vulnerabilities, such as FreeSentry, which is designed to detect use-after-free vulnerabilities in code.
Open Intelligence
Online Advertising
Exploits in the cloud!
ONLINE ADVERTISING
A big, fat opportunity
Ad Injection: Rewrite web pages with extra ads
PUAs: Adware downloads
Clickfraud: Hidden frames, with random clicking that generates hits
Malvertising: A favorite of kits such as Angler; use the ad platform to direct browsers to a compromised server
Advertising is big business.
Total annual Internet advertising revenue for 2013 was over US $117bn, and will approach US $200bn by the year 2018. In 2015 the Association of National Advertisers expects $6.3bn to be lost to ad fraud. [1] Malicious actors take advantage of the advertising space through click fraud, as well as its excellent delivery network. When malware is delivered through advertising networks we refer to this as malvertising.
Malware rewriting HTML for additional advertisements: more ads means more revenue.
Clickfraud: the malware may generate clicks as well. An attack against the advertisers, using your browser as the launching point.
Malware redirecting users to malicious download sites for further exploitation.
Income assessment (clickfraud and malvertising)
Market size: adware and clickfraud is a $6.3bn business, with an underlying economy growing rapidly ($117bn almost doubling to $200bn).
[1] http://adage.com/article/digital/inside-google-s-secret-war-ad-fraud/298652/
A major news site: 26 domains, 39 hosts, 171 objects, 557 connections
Exploit Kits
Angler Exposed
Exploits in the cloud!
Overview
Deep Data Analytics, July 2015
Telemetry from compromised users
~1000 sandbox runs
July 2015: Angler underwent several URL changes
Multiple Hacking Team 0-days added
Ended with tons of data
Detection Challenges
Hashes: Found 3,000+ unique hashes
6% in VT
Most detection 25%, which was also a bit of a surprise.
SSHPSYCHOS
If it doesn't work, you're just not using enough BRUTEFORCE
SSH Psychos Update
SSHPsychos
Brute force SSH attacks until password guessed
300K unique passwords
Login from different address space
Drop DDoS rootkit on server
Accounted for 1/3 of all SSH traffic ON THE INTERNET
SSH Brute Force Attempts
Identified SSH brute force group from honeypot network
/23 of address space generating huge amounts of SSH traffic
At points more than 1/3 of all SSH traffic on the Internet
Basic attack vector was to brute force using 300K unique passwords
Once the password was guessed, brute force stopped; a new IP logged in and downloaded a DDoS agent rootkit
SSH Psychos Update
SSHPsycho
After observing the behavior for several months, Cisco Talos decided we needed to take action. We engaged Level 3 Communications. Level 3 verified the behavior that we observed. We worked to coordinate a null route of the traffic. The group suddenly pivoted to new address space. We worked as a team to remove both address spaces as much as possible.
VICTORY!!!
Engaged Level 3 and another major ISP
Sudden pivot
Null routed
Call to action
Effectively limited
Download blocked by standard technology
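The SSHPsychos sequence described above (a flood of password guesses, then the guessing stops and a host from a different address space logs straight in and fetches the rootkit) leaves a recognisable trace in an sshd auth log. The following is an added example, not Talos code or tooling: it parses constructed sshd log lines and flags an accepted password login that follows a burst of failures for the same account, separating a login from outside the guessing block (the hand-off) from a plain brute force that succeeds from the same host. The constructed log lines, the /23 grouping used to decide "different address space", the 10-minute window and the 20-failure threshold are assumptions chosen for illustration, not numbers from the talk.

```python
"""Flag the SSHPsychos login sequence in sshd auth logs.

Added example for this transcript, not Talos code or tooling.  The log lines are
constructed; the /23 grouping, 10-minute window and failure threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Standard OpenSSH auth log shapes: syslog timestamp, host, sshd[pid], message.
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Accepted password for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2015):
    """Return {'ts', 'kind', 'user', 'ip'} for a failed/accepted password line, else None.
    Syslog timestamps carry no year, so one is assumed for parsing."""
    for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return {"ts": ts, "kind": kind, "user": m["user"], "ip": m["ip"]}
    return None


def same_block(ip_a, ip_b, prefix=23):
    """True if both addresses fall in the same /prefix (the talk describes a /23 of attacker space)."""
    return ip_network(f"{ip_a}/{prefix}", strict=False) == ip_network(f"{ip_b}/{prefix}", strict=False)


def detect_pivot_logins(lines, window=timedelta(minutes=10), min_failures=20, prefix=23):
    """One finding per accepted password login preceded, within `window`, by at least
    `min_failures` failed passwords for the same account.  `pivot` is True when the
    successful login comes from outside every block that did the guessing, which is the
    SSHPsychos hand-off: brute force from one /23, rootkit drop from another."""
    failures = defaultdict(list)  # user -> [(timestamp, source ip)]
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:  # other sshd chatter (disconnects, preauth noise) is ignored
            continue
        if ev["kind"] == "failed":
            failures[ev["user"]].append((ev["ts"], ev["ip"]))
            continue
        recent = [(t, ip) for t, ip in failures[ev["user"]] if timedelta(0) <= ev["ts"] - t <= window]
        if len(recent) < min_failures:
            continue
        sources = sorted({ip for _, ip in recent})
        pivot = all(not same_block(src, ev["ip"], prefix) for src in sources)
        findings.append({
            "user": ev["user"],
            "login_ip": ev["ip"],
            "failures": len(recent),
            "sources": sources,
            "pivot": pivot,
            "verdict": ("brute force, then login from different address space" if pivot
                        else "brute force succeeded from same address space"),
        })
    return findings


def build_sample_log():
    """Constructed sshd lines (not real telemetry) covering three cases: a root guessing
    burst from 203.0.113.5 followed by a root login from 198.51.100.77 (another /23),
    an admin guessing burst that succeeds from the guessing host itself, and a normal
    login for alice with no preceding failures."""
    lines = ["Jul 14 09:30:00 bastion sshd[3900]: Accepted password for alice from 192.0.2.10 port 50000 ssh2"]
    for i in range(30):  # guessing burst against root from one host in 203.0.112.0/23
        lines.append(f"Jul 14 10:00:{2 * i:02d} bastion sshd[{4000 + i}]: Failed password for root from 203.0.113.5 port {40000 + i} ssh2")
    lines.append("Jul 14 10:00:30 bastion sshd[4050]: Connection closed by 203.0.113.5 port 40010 [preauth]")
    # guessing stops; a host from another /23 logs straight in with the found password
    lines.append("Jul 14 10:01:05 bastion sshd[4100]: Accepted password for root from 198.51.100.77 port 51234 ssh2")
    for i in range(25):  # ordinary brute force: success from the guessing host itself
        lines.append(f"Jul 14 10:05:{2 * i:02d} bastion sshd[{4200 + i}]: Failed password for admin from 203.0.113.9 port {42000 + i} ssh2")
    lines.append("Jul 14 10:05:59 bastion sshd[4300]: Accepted password for admin from 203.0.113.9 port 42999 ssh2")
    return lines


if __name__ == "__main__":
    for f in detect_pivot_logins(build_sample_log()):
        print(f"{f['user']:>6} <- {f['login_ip']:<15} after {f['failures']} failures from {f['sources']}: {f['verdict']}")
```

Run as-is to see both findings; point `detect_pivot_logins` at real `/var/log/auth.log` lines to use it on a host. The pivot case is the one to page on: a successful login from an address that never appeared in the guessing is exactly the "new IP logged in and downloaded a DDoS agent" step, and in the campaign described above the downloads were blocked by standard technology, so pairing this alert with egress logging for the minutes after the login would show the rootkit fetch.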
INTELLIGENCE COMMUNITIES
Talos works to promote collaborative and thorough understanding of network security threats through a number of community programs.
Project Aspis: collaboration between Talos and host providers. Talos provides expertise and resources to identify major threat actors. Providers potentially save significant costs in fraudulent charges. Talos gains real-world insight into threats on a global scale, helping us improve detection and prevention, making the Internet safer for everyone.
CRETE: collaboration between Talos and participating customers. Talos provides a FirePOWER NGIPS sensor to deploy inside the customer network. Talos gathers data about real-world network threats and security issues. Customers receive leading-edge intel to protect their network.
AEGIS: information exchange between Talos and participating members of the security industry. Open to partners, customers, and members of the security industry. A collaborative nexus of intelligence sharing in order to provide better detection and insight into worldwide threats.
talosintel.com
@talossecurity
@jaesonschultz