Post on 21-Jul-2020

TRANSCRIPT

Page 1: Cyber Security and Cisco Security Update · •Cisco −TALOS –Threat Research Division ... Cisco Stealthwatch Enterprise offers this feature, Steathwatch Cloud in future 63% of

Cyber Security and Cisco Security Update

Kevin Switzer – Technology Consultant, Ingram Micro
Bill O’Malley – Technical Solutions Architect, Cisco Systems

Page 2

1405002 rev 6.27.14

Proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.2

Security Resources

• Verizon Data Breach Report: https://enterprise.verizon.com/resources/reports/dbir/
• Cisco Cyber Security Report Series: https://www.cisco.com/c/en/us/products/security/security-reports.html
• Cisco Threat of The Month: https://www.cisco.com/c/en/us/products/security/threat-of-the-month.html
• Brian Krebs always puts out great articles: https://krebsonsecurity.com/
• A variety of good resources available at TALOS intelligence: https://talosintelligence.com
• ‘Beers with TALOS’ podcast: https://talosintelligence.com/podcasts
• FBI Infraguard: https://www.infragard.org/
• MSSP Alert: https://www.msspalert.com
• Naked Security: https://nakedsecurity.sophos.com
• Cyberheist News: https://www.knowbe4.com/cyberheistnews
• Wired: https://www.wired.com/category/security
• CyberTalk.org: https://www.cybertalk.org/

Page 3

Agenda

• Threat Update
  − DNS Hijacking
  − Email – Malware highway
  − Office 365 Phishing
  − Encrypted Traffic Threats
• Best Practice Security Strategies
  − Minimum requirements
  − Advanced Kill Chain
• Cisco
  − TALOS – Threat Research Division
  − CTR – Cisco Threat Response
  − Threat Hunting Workshop
  − Cisco SecureX

Page 4

Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission. 4

DNS Hijacking

• These DNS attacks do not go directly after the user
  − They attack the ‘librarian’
• The attack comes down to altering the route to a legitimate website so that it leads to a malicious one
  − You ask for the IP address of a particular website, but the DNS records have been changed

Page 5

DNS Hijacking – How This Happens

• The DNS administrator is targeted by phishing and gives up his or her credentials; the attackers then log into the DNS interface and change the site’s IP address(es).
• The DNS hosting interface, where records are managed and updated, is now accessible to the attacker, allowing them to change records for the domain.
• They build a fake site that mimics the site the victims thought they were accessing.
• Sea Turtle - 40 organizations in 13 countries affected in 2019
• You can’t typically blame the person that ‘clicked’
• To protect yourself:
  − Implement DNS Security
  − Require MFA for DNS record changes
  − Use tools such as BGPmon or Cross Network Insights to monitor for DNS hijacking attempts
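The last protection step, monitoring for DNS hijacking attempts, can also be done in-house: keep a known-good snapshot of the zone's records and diff what resolvers currently return against it, treating changes to delegation, address and mail records as high priority. The Python below is an added example written for this page; it is not code from the slide deck and not how BGPmon or Cross Network Insights work. The two record dumps are constructed sample data, the `HIGH_RISK_TYPES` set and the severity labels are the author's assumptions, and the live lookup (a `dig` run or a DNS library call) is left for the reader to plug in so that the example runs offline.

```python
import re
from collections import defaultdict

# Assumption: record types whose unexpected change most often reflects a
# hijacked registrar or DNS-hosting account (delegation, addresses, mail).
HIGH_RISK_TYPES = {"NS", "A", "AAAA", "MX", "CNAME"}

# 'name [ttl] [IN] TYPE rdata', the shape printed by dig or a zone export
RECORD_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.+)$")

# Constructed sample: the zone as captured when it was known-good.
BASELINE_DUMP = """
example.com.      300 IN A   192.0.2.10
example.com.      300 IN A   192.0.2.11
example.com.     3600 IN NS  ns1.example-dns.net.
example.com.     3600 IN NS  ns2.example-dns.net.
example.com.     3600 IN MX  10 mail.example.com.
example.com.     3600 IN TXT "v=spf1 mx -all"
www.example.com.  300 IN A   192.0.2.10
"""

# Constructed sample: what resolvers return later. The apex A records and
# the delegation now point somewhere the zone owner never configured.
OBSERVED_DUMP = """
example.com.      300 IN A   198.51.100.7
example.com.     3600 IN NS  ns1.unknown-provider.invalid.
example.com.     3600 IN MX  10 mail.example.com.
example.com.     3600 IN TXT "v=spf1 mx -all"
www.example.com.  300 IN A   192.0.2.10
"""


def parse_records(text):
    """Parse a record dump into {(owner name, type): set of normalised rdata}."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RECORD_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable record line: {line!r}")
        name, rtype, rdata = m.groups()
        # Case and whitespace are not significant in DNS names; normalise so
        # a cosmetic difference never shows up as a change.
        records[(name.lower().rstrip("."), rtype)].add(" ".join(rdata.lower().split()))
    return dict(records)


def diff_records(baseline, observed):
    """Return one finding per (name, type) whose value set differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(key, set()), observed.get(key, set())
        if before == after:
            continue
        name, rtype = key
        findings.append({
            "name": name,
            "type": rtype,
            "added": sorted(after - before),      # values the owner never published
            "removed": sorted(before - after),    # values that silently disappeared
            "severity": "high" if rtype in HIGH_RISK_TYPES else "medium",
        })
    return findings


def run_check(baseline_dump=BASELINE_DUMP, observed_dump=OBSERVED_DUMP):
    """Diff the observed dump against the baseline; empty list means no drift."""
    return diff_records(parse_records(baseline_dump), parse_records(observed_dump))


if __name__ == "__main__":
    for f in run_check():
        print(f"[{f['severity'].upper()}] {f['name']} {f['type']}: "
              f"added={f['added']} removed={f['removed']}")
```

Run on a schedule, the check should query several independent resolvers and compare each answer against the baseline; a change that appears in one resolver only can be cache poisoning rather than a record change at the host, which is the case the slide describes.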

Page 6

Email – ‘Malware Highway’

According to the Verizon Data Breach Report, email accounts for:
• 92% of malware distribution
• 96% of phishing

Binary files are just 2% of malware attachments (.exe, now also Java and Flash):
• Users are much more aware of these
• Easier to detect

The most common attachment types are simply the types that are sent around the office on a regular day: two in every five malicious files are Microsoft Office documents.

Page 7

Office 365 Phishing

The email appears to come from Microsoft. It says that your Office 365 email address will be disconnected due to errors or policy violations. The only way to prevent this from happening is by verifying the address at the provided link.

This is an attempt to phish Office 365 credentials. The emails and URLs used may even look like something you’d expect to find surrounding Office 365.

Identity Theft (300% increase in Microsoft user accounts attacked)

Page 8

Encrypted Traffic Is Increasing Rapidly

[Chart: Encrypted Web Traffic, 2016 (50%) vs 2019 (75%); y-axis 0%–80%]
Source: “TLS/SSL: Where Are We Today?”, NSS Labs, October 2018

• Enterprises a few years ago saw 40% – 50% of all web traffic as encrypted
• That number increased to 75% by end of 2019
• 97% of surveyed enterprises are seeing an increase in encrypted web traffic
• 30-40% of attacks are now encrypted
• ENCRYPTED TRAFFIC ANALYTICS

Page 9

Threats in Encrypted Traffic

• Encryption is a technique used by attackers to avoid being detected by network monitoring tools
  − For example: banking trojans encrypt the data they’re exfiltrating
• Can be detected through a technique called traffic fingerprinting
  − Looks for known patterns of malicious activity
  − However, good hackers will insert random dummy packets to bypass it
• Best solution is Encrypted Traffic Analytics
  − Uses machine learning and behavioral modeling to detect threats
  − Does this without decryption (required by some regulations)
  − Cisco Stealthwatch Enterprise offers this feature; Stealthwatch Cloud in future
• 63% of all threat incidents discovered by Stealthwatch were encrypted
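Traffic fingerprinting, as the slide describes it, matches known patterns in what is visible without decrypting anything. One widely used form is fingerprinting the TLS ClientHello, which is sent in the clear: the offered version, cipher suites, extensions, groups and point formats are concatenated in the JA3 layout and hashed, and the hash is compared against fingerprints of known malware families. The Python below is an added example for this page, not Cisco's or Stealthwatch's code and not how Encrypted Traffic Analytics works; it builds a constructed ClientHello, parses the cleartext fields and computes the JA3-style string and MD5. The host name, cipher and group lists are sample values chosen here, and the GREASE filtering follows the RFC 8701 value set.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random placeholders browsers insert so that
# servers tolerate unknown values; JA3 drops them so the fingerprint is stable.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # 0x0a0a, 0x1a1a, ..., 0xfafa

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_GROUPS = 0x000A
EXT_EC_POINT_FORMATS = 0x000B


def build_client_hello(sni, ciphers, groups, point_formats):
    """Construct a minimal TLS 1.2 ClientHello record (sample data for this example)."""
    name = sni.encode()
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    groups_body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    pf_body = struct.pack("!B", len(point_formats)) + bytes(point_formats)
    ext = b"".join(
        struct.pack("!HH", etype, len(data)) + data
        for etype, data in ((EXT_SERVER_NAME, sni_body),
                            (EXT_SUPPORTED_GROUPS, groups_body),
                            (EXT_EC_POINT_FORMATS, pf_body))
    )
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Pull the cleartext fields JA3 uses out of a TLS handshake record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:]  # skip 5-byte record header and 4-byte handshake header
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                       # version + random
    pos += 1 + body[pos]               # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]               # compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    extensions, groups, point_formats, sni = [], [], [], None
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        extensions.append(etype)
        if etype == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
        elif etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == EXT_EC_POINT_FORMATS:
            point_formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "point_formats": point_formats, "sni": sni}


def ja3(hello):
    """JA3 string 'version,ciphers,extensions,groups,point_formats' and its MD5."""
    def dashed(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    text = ",".join([str(hello["version"]), dashed(hello["ciphers"]),
                     dashed(hello["extensions"]), dashed(hello["groups"]),
                     dashed(hello["point_formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()


def fingerprint_sample():
    """Constructed client: GREASE in the cipher and group lists, TLS 1.3/1.2 suites."""
    record = build_client_hello("www.example.com",
                                ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
                                groups=[0x1A1A, 0x001D, 0x0017, 0x0018],
                                point_formats=[0])
    hello = parse_client_hello(record)
    text, digest = ja3(hello)
    return hello["sni"], text, digest


if __name__ == "__main__":
    print(fingerprint_sample())
```

The value of the hash is that it survives encryption of everything after the handshake, which is why the slide's caveat matters: padding the flow with dummy packets changes flow-level features such as packet sizes and timing, but not the ClientHello, so the two approaches catch different evasions and are usually run together.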

Page 10

Security Best Practices

Page 11

Frank Abagnale – FBI Consulting Agent

• Assumed several false identities including:
  − airline pilot, physician, U.S. Bureau of Prisons agent, lawyer
• Cashed $2.5 million worth of fraudulent checks
• Took more than 250 free flights
• Movie based on his cons – Catch Me If You Can
• TV show – White Collar
• Has been working with the FBI for 43 years now
  − First 20 years on forgery and bank fraud
  − 20+ years in cyber security

“Hackers I have interviewed say 99% of networks are not hackable, due to good security in place.”

“They have to wait until someone makes a mistake. Until someone does something they should not have done. Or, someone failed to do something they were supposed to do.”

“Hackers do not cause breaches, people do.”

“Attackers will typically make at least two phone calls to their target.”

Page 12

Bare Minimum Requirements

• NGFW
  − NGIPS
  − Properly configured policies
• Signature-based Anti-Virus/Anti-Malware
• Secure Email Solution
  − On Prem or Cloud
• Consider upgrading
  − Gen 1 Firewalls
  − Legacy AV lacking AM capabilities
  − CASB if using cloud services

Page 13

Cisco Defense against the “Kill Chain”

[Diagram: kill-chain stages RECON, TARGET, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST, grouped under the labels Recon Stage, Breach and Compromise, with Cisco’s End-to-End Infrastructure Defense layered across them]

Defense layers shown on the diagram: NGIPS, NGFW, Flow Analytics, Network Anti-Malware, Host Anti-Malware, DNS Security, Web Security, Email Security, Threat Intelligence.

Page 14

TOO MANY OF THESE GUYS

Page 15

NOT ENOUGH OF THESE GUYS

Page 16

TOO MANY NOISY ALERTS

Page 19

A U.S. Natural Gas Operator Shuts Down for 2 Days After a Phishing Attack Infects it With Ransomware

• https://blog.knowbe4.com/cyberheistnews-vol-10-9-a-u.s.-natural-gas-operator-shuts-down-for-2-days-after-a-phishing-attack-infects-it-with-ransomware
• https://www.bbc.com/news/technology-51564905

“It was so severe in part because the organization was not prepared for such an attack.” – DHS statement

The DHS said the affected organization had not properly prepared for a cyber-attack of this kind, with its emergency plans being focused on all sorts of physical attacks instead.

"Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyber-attacks."

Feb 19, 2020

Page 20

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Bill O’Malley – Technical Solutions Architect – Security

Cisco Threat Response (CTR)

Breach Defense

Page 21

The Quantitative Impact of Data Breaches

• 7B records
• $4M avg cost of a breach
• 14 seconds
• 89% breached by 2022
• 66 days to contain

YEAR IN MALWARE 2019

Page 22

Personal wins

• Challenge: Time – “Give my team time back. And help us work together faster.”
• Challenge: Expertise – “My team can’t be experts on every threat. Give us answers at our fingertips.”
• Challenge: Evidence – “We can’t dig for answers. Give us one place to find answers across all our tools.”

Page 23

Cisco Threat Response Is Included With Select Cisco Security Product Licenses

You’re Already Entitled to Threat Response If You Have...
• Cisco Email Security
• Cisco NGFW/NGIPS
• Cisco AMP for Endpoints
• Cisco Umbrella
• Cisco Threat Grid
• Cisco Stealthwatch

Page 24

Threat Hunting Workshops

Audience: Technical Presales/SEs, Architects

• Hosted on-site at your partner or Cisco office locations
• Learn concepts and techniques of threat hunting using unified, cloud-hosted tools
• Labs provide an easy-to-follow, step-by-step guide to understanding today's threat landscape

Workshop Dates:
• April 27: Pewaukee, WI
• April 28: Appleton, WI

Page 27

Stop by the Cisco Booth for a CTR Demo. Questions?