Cisco Customer EducationMalware, Malware Everywhere - Battle 21st Century Security Threats with Cisco
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=2a9e13dcb37a4721b5c9fc97052488bb
Thanks for your interest and participation!
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=9179b646be6a4f03a3480b1a1db8d72b
Cisco Customer EducationMalware, Malware Everywhere - Battle 21st Century Security Threats with Cisco
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=2a9e13dcb37a4721b5c9fc97052488bb
Thanks for your interest and participation!
This session was recorded via Cisco WebEx! You can watch the live session recording via the following URL:
https://acecloud.webex.com/acecloud/lsr.php?RCID=a95525d3a4d94e6887d6edc67ddd0e24
Connect using the audio conference box or you can call into the meeting:1. Toll-Free: (866) 432-99032. Enter Meeting ID: 201 146 961 3. Press “1” to join the conference.
Presentation Agenda
► Welcome from Cisco
► Security in the 21st Century
► Mid-Year Security Report
► Talos and Advanced Malware Protection
► Next Generation Threat Protection
► Conclusion
Priors:Cisco Sales and Channels (11 yrs)President and CEO (6 yrs) - Cisco Premier Partner Director of Sales (2 yrs) - Cisco Silver PartnerFinancial Analyst (7 yrs) - Sprint Corporation
About Your HostBrian AveryTerritory Business ManagerCisco Systems, [email protected]
► Conclusion
Who Is Cisco?
Cisco Confidential 5
Computer scientists, Len Bosack and Sandy Lerner found Cisco Systems
Bosack and Lerner run network cables between two different buildings on the Stanford University campus
A technology has to be invented to deal with disparate local area protocols; the multi-protocol router is born
1984
WellFleet
SynOptics
3Com
ACC
DEC
Proteon
IBM
Bay Networks
Newbridge
Cabletron
Ascend
Fore
Xylan
3ComNortel
Ericsson
Alcatel
JuniperLucent
Siemens
NECFoundry
Redback
Riverstone
Extreme AristaHP
Avaya
Juniper
Huawei
Aruba
Brocade
Checkpoint
Fortinet
ShoreTel
Polycom
Microsoft
F5
Riverbed
Dell
Internet of Everything
1990 –1995 1996 – 2000 2001 – 2007 2008 – Today
The Landscape is Constantly
Changing
Leading for Nearly 30 Years
2016
Cisco Confidential 7
Who Is Cisco?
Chuck Robbins,CEO, Cisco
• Dow Jones Industrial AverageFortune 100 Company (AAPL, CSCO, INTC, MSFT)
• $117B Market Capitalization
• $49.6B in Revenue
• $10B in Annual Net Profits
• $34B More Cash than Debt
• $6.3B in Research and Development
http://finance.yahoo.com/q/ks?s=CSCO+Key+Statistics
No. 1Voice
41%
No. 1TelePresence
50%
No. 1Web
Conferencing43%
No. 1Wireless LAN
50%
No. 2x86 Blade Servers
29%
No. 1RoutingEdge/Core/
Access
47%
No. 1Security
31%
No. 1SwitchingModular/Fixed
65%
No. 1Storage Area
Networks47%
Market Leadership Matters
CCE is an educational session for current and prospective Cisco customers
Designed to help you understand the capabilities and business benefits of Cisco technologies
Allow you to interact directly with Cisco subject matter experts and ask questions
Offer assistance if you need/want more information, demonstrations, etc.
What Is the Cisco Customer Education Series?
Security in the 21st Century
Cisco Confidential 11© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Remember This Movie?
http://www.imdb.com/title/tt0086567/
Global Cybercrime Market $450B‒$1T
It’s All About The MoneyIndustrial Hackers Are Making Big Money with Innovative Tactics
1990 1995 2000 2005 2010 2015 2020
Viruses1990–2000
Worms2000–2005
Spyware and Rootkits2005–Today
APTs CyberwareToday +
Phishing, Low Sophistication Hacking Becomes
an Industry Sophisticated Attacks, Complex Landscape
of large companies targeted by malicious traffic95% of organizations interacted
with websites hosting malware100% 1. Cybercrime is lucrative, barrier to entry is low2. Hackers are smarter and have the resources to compromise your organization3. Malware is extremely sophisticated and complex4. Cybercrime is now a formal, for-profit industry
Source: 2014 Cisco Annual Security Report
Cisco Confidential 13© 2013-2014 Cisco and/or its affiliates. All rights reserved.
High Profile Breaches
As of 12/31/2014 http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf
1,000,000
70,000,000
56,000,0002,600,000
1,100,000
And Yet…Organizations of every size are targets
60% of UK small businesses were compromised in 2014 (2014 Information Security Breaches Survey)
100% of corporate networks examined had malicious traffic(Cisco 2014 Annual Security Report)
41% of targeted attacks are against organizations with fewer than 500 employees (July 2014 The National Cyber Security Alliance (NCSA)
41% of targeted attacks are against organizations with fewer than 500 employees (July 2014 The National Cyber Security Alliance (NCSA)
Today’s cyber-threat reality
If you know you are going to be compromised, how should you do security
differently?
Why? Because you’ll never be able to prevent 100% of
attacks.
Your environmentwill get breached –it’s not an “IF” it’s a
“WHEN”
The Attack Surface
Attack surface – web browsers
More than
85% of the companies studied were affected each month by malicious browser extensions
Users becoming complicit enablers of attacksUntrustworthy sources
Clickfraud and Adware
Outdated browsers 10% 64%IE requests running latest version
Chrome requests running latest version
vs
Attack surface – user error on web
Attackers:Shifts in the attack vectors
Java
Silverlight
Flash
Java drop 34%
Silverlight rise 228%
PDF and Flash steady
Log Volume
2015 Cisco Annual Security Report
Attack surface – web applications
Attackers:
Malvertising is on the rise: low-limit exfiltration makes infection hard to detect
In October 2014, there is a spike of
250%
Compromising without clicking
Ransomware and Exploit Kits, e.g. Cryptowallversion 4
Encryption technique allows per-target customization
Marking systems and files have already been encrypted
Using Bitcoin for anonymous payment
Dual deadlines for:1.Cost increase2.Deleting data
Phishing and Social Engineering
Attackers:
A growing appetite to leverage targeted phishing campaigns
Example: Snowshoe SPAM attack
SPAM up
250%
Attack surface - email
Social EngineeringWaiting for his plane
Meet Brian, an employee at Sysco (not Cisco).
He is catching up on life using the public Wi-Fi at Starbucks prior to a meeting.
Brian decides to check on Facebook where his Mom had posted pictures of her vacation.
Social EngineeringChecks his email
Brian then gets an email from his mom.
The email says she’s having a great vacation and took a video she wants him to see. In the email is a link to what looks to be a normal video link.
Your Tropical Getaway
Joe,
Thank you for choosing us. We look forward to seeing you.
Before your arrival, please verify your information here: www.vacationresort.com
Best,Resort Team
No problem, right? Everything looks normal. After all, his mom IS on vacation.
And the video site has an https: so it looks trustworthy, so he clicks the link.
Social EngineeringJoe is now infected
Brian opens the link and a video of the resort plays.
Although he doesn’t know it, Brian’s device has been compromised by a Silverlight based video exploit.
The malware now starts to harvest Brian’s confidential information:
• Passwords
• Credentials
• Company access authorizations
Why did the cybercriminal target Brian?
Cisco Security Overview
Too Many Disparate Security Products Mean Gaps in Protection
Fragmented offerings across multiple vendors
Cost
Higher total cost to build and run
Overall performance
Less communication between components
Time to detection
More lag in finding threats
Too Many Disparate Security Products Mean Gaps in Protection
vs
Fragmented offerings across multiple vendors
Streamlined advanced security solution
Cost
Lower opex and easier to manage
Higher total cost to build and run
Overall performance
Less communication between components
Better communication and integration
Time to detection
Faster time to detection
More lag in finding threats
Antivirus
Legacy IPSInitial Disposition = Clean Actual Disposition = Bad
Too Late!!
Analysis Stops
Even
t Hor
izon Sleep Techniques
Unknown ProtocolsEncryptionPolymorphism
Blind to scope of compromise
Point-in-Time Detection Tools Alone Are Insufficient and Provide Limited or No Visibility Into Threats Once They Get in
Not 100%
I'm going for fearsome here, but I just don't feel it!
I'm think I'm just coming off as annoying.
Competitors
What’s Needed to Protect Against Advanced Threats That Manage to Slip by YourFront-Line Defenses?
Deep Visibility
Control
+
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
BeforeDiscover EnforceHarden
DuringDetect Block
Defend
AfterScope
ContainRemediate
Attack Continuum
Data Center/Servers EndpointsEmail and Web Network Mobile
Threat intelligence and analytics
Point-in-Time detection
Retrospective security and continuous analysis
Defending Against These Advanced Threats Requires Greater Visibility and Control Across the Full Attack Continuum
BeforeDiscover EnforceHarden
DuringDetect Block
Defend
AfterScope
ContainRemediate
FireSIGHT and pxGrid
ASA VPN
OpenDNS Meraki
Advanced Malware Protection
Network as Enforcer
NGIPS
ESA/WSA
CWSSecure Access + Identity Services ThreatGRID
Attack Continuum
Cisco Advanced Malware Protection
AMP
Cisco Advanced Malware Protection
Software-as-a-ServiceCloud Managed
Subscription Based
THREAT LANDSCAPE
1.5 Million
THREAT LANDSCAPE
THREAT LANDSCAPE
Cisco Secur i ty Decreases Time to Detect ion
42
Current Industry Average (TTD)
100 days- Source: 2016 Cisco Annual Security Report
Cisco Secur i ty Decreases Time to Detect ion
43
100 days to 13.8 hours- Source: 2016 Cisco Annual Security Report
Point in Time Protection
Point-in-Time DetectionAMP Delivers the First Line of Defense, Blocking Known and Emerging Threats with Point-in-Time Defenses
One-to-one signature
Fuzzy finger-printing
Machine learning
Advanced analytics
Static and dynamic analysis (sandboxing)
Offer better accuracy and dispositioning
Block known and emerging threats
Protect your business with no lag
Automatically stop as many threats as possible, known and unknown
Dynamic Analysis
Machine Learning
Fuzzy ger-printing
Advanced Analytics
Indications of Compromise
Device Flow Correlation
Behavioral Detection: ExamplePoint-in-Time Detection Retrospective Security
Cisco Collective Security Intelligence
Collective Security Intelligence Cloud
File of unknown disposition is encountered1
File replicates itself and this information is communicated to the cloud
2
File communicates with malicious IP addresses or starts downloading files with known malware disposition
3
Combination of activities indicates a compromise and the behavior is reported to the cloud and AMP client
4
These indications are prioritized and reported to security team as possible compromise
5
namic alysis
Advanced Analytics
Device Flow Correlation
Behavioral Detection: ExamplePoint-in-Time Detection Retrospective Security
Cisco Collective Security Intelligence
Collective Security Intelligence Cloud
IP: 64.233.160.0
Device Flow Correlation monitors communications of a host on the network
1
Two unknown files are seen communicating with a particular IP address
2
One is sending information to the IP address, the other is receiving commands from the IP address
3
Collective Security Intelligence Cloud recognizes the external IP as a confirmed, malicious site
4
Unknown files are identified as malware because of the association
5
TrajectoryBehavioralIndications
of Compromise
BreachHunting
nuous ysis
Attack Chain Weaving
Behavioral Indications of Compromise: Example
Point-in-Time Detection Retrospective Security
Cisco Collective Security Intelligence
Behavioral Indications of Compromise uses continuous analysis and retrospection to monitor systems for suspicious and unexplained activity… not just signatures!
Using the power of Attack Chain Weaving, Cisco® AMP is able to recognize patterns and activities of a given file, and identify an action to look for across your environment rather than a file fingerprint or signature
An unknown file is admitted into the network
1The unknown file copies itself to multiple machines
2Duplicates content from the hard drive
3Sends duplicate content to anunknown IP address
4
How Malware Gets In to Your Network
Breach Prevention Rapid Breach Detection, Response, Remediation Threat Intelligence
But Point-in-Time Detection Alone Will Never Be100% Effective
Continuous Analysis and Retrospective SecurityOnly AMP Continuously Monitors and Analyzes All File Activity, Regardless of Disposition
Across all control points
To answer the questions that matter…
Take advantage of key capabilities
Web
WWW
EndpointsEmail Network
Mobile
Track it’s rate of progression and how it spread
See what it is doingIdentify a threat’s point of origin
See where it's been Surgically targetand remediate
Continuous Analysis and Retrospective Security
0001110 1001 1101 1110011 0110011 101000 0110 00 0111000 111010011 101 1100001 110
1000111010011101 1100001110001110 1001 1101 1110011 0110011 101000 0110 00
0100001100001 1100 0111010011101 1100001110001110 1001 1101 1110011 0110011 101000 0110 00
Web
WWW
Endpoints NetworkEmail DevicesIPS
File Fingerprint and Metadata
Process Information
Continuous feed
Continuous analysis
File and Network I/O
Breadth and Control points:
Telemetry Stream
Talos + Threat Grid Intelligence
TrajectoryBehavioralIndications
of Compromise
Threat Hunting
Retrospective Detection
If Something Gets in, Retrospective Security Helps You Find Answers to the Most PressingSecurity Questions
What happened?Where did the malware come from?Where has the malware been?What is it doing?How do we stop it?
See AMP in Action!
See Where It Entered the System
What happened?
Track threat’s origin and progression: • How did it get into the system• What is the point of origin• What was the attack vector
Where has the malware been?What is it doing?How do we stop it?
Where did the malware come from?
See AMP in Action!
See Everywhere That It Has Been
What happened?Where did the malware come from?Where has the malware been?
What is it doing?How do we stop it?
Track infected areas in the system: • Where is the attack now• What other endpoints have seen it• Where should I focus my response• Where is still safe
See AMP in Action!
Determine What the Malware Is Doing
What happened?Where did the malware come from?Where has the malware been?What is it doing?
How do we stop it?
Understand the details of how themalware works: • What is it trying to do, in plain English• How does the malware behave• Get detailed information vital for
incident response
See AMP in Action!
Stop It with a Few Clicks
Where did the malware come from?Where has the malware been?What is it doing?
Knowing the details above,surgically remediate: • Stop it at the source and all infected areas• Simply right click, add to a blocklist, and
remediate the malware from theentire system
What happened?
How do we stop it?
See AMP in Action!
The Leader in Security Effectiveness
99.2% Security Effectiveness rating in BDS testing, the highest of all vendors tested.
Only vendor to block 100% of evasion techniquesduring testing.
Excellent performance with minimal impact on network, endpoint, or application latency.
Download the flysheet and full report here.
Cisco AMP offers superior security effectiveness, excellent performance, and provides security across more attack vectors than any other vendor
Next-Generation Security
The AMP Everywhere ArchitectureAMP Protection Across the Extended Network for an Integrated Threat Defense
AMPThreat Intelligence
Cloud
Windows OS Android Mobile Virtual MAC OSCentOS, Red Hat Linux for servers and datacenters
AMP on Web and Email Security Appliances
AMP on Cisco® ASA Firewall with Firepower Services
AMP Private Cloud Virtual Appliance
AMP on Firepower NGIPS Appliance
(AMP for Networks)
AMP on Cloud Web Security and Hosted Email
CWS/CTA
Threat GridMalware Analysis + Threat
Intelligence Engine
AMP on ISR with Firepower Services
AMP for Endpoints
AMP for Endpoints
Remote Endpoints
AMP for Endpoints can be launched from AnyConnect
AMP on MerakiMX Appliances
Cisco Confidential 61© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Introducing Cisco Adaptive Security Appliances
Industry’s First Threat-Focused NGFW
• Integrating defense layers helps organizations get the best visibility
• Enable dynamic controls to automatically adapt
• Protect against advanced threats across the entire attack continuum
Proven Cisco ASA firewalling
Industry leading NGIPS and AMP
Cisco ASA with FirePOWERServices Next-Generation
Firewall (NGFW)
Cisco ASA with FirePOWER Services
Cisco Confidential 62© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Superior Integrated & Multilayered Protection
Cisco ASA
URL Filtering(Subscription)FireSIGHT
Analytics & Automation
Advanced Malware
Protection(Subscription)
Application Visibility & ControlNetwork Firewall
Routing | Switching
Clustering & High Availability
WWW
Cisco Collective Security Intelligence Enabled
Built-in Network Profiling
Intrusion Prevention
(Subscription)
World’s most widely deployed, enterprise-class ASA stateful firewall
Granular Cisco® Application Visibility and Control (AVC)
Industry-leading FirePOWERnext-generation IPS (NGIPS)
Reputation- and category-based URL filtering
Advanced malware protection
Identity-Policy Control & VPN
Cisco Confidential 63© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Malware
Client applications
Operating systems
Mobile Devices
VOIP phones
Routers & switches
Printers
C & C Servers
Network Servers
Users
File transfers
Web applications
Applicationprotocols
Threats
No other NGFW offers this level of visibility• The more infrastructure you see, the better protection you get
Typical IPS
Typical NGFW
Cisco ASA with FirePOWER Services
Cisco Confidential 64© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Meraki MR Wireless LAN
Meraki MX Security
Appliances
Meraki MS Ethernet Switches
Cisco Meraki - Cloud Managed Networking
Meraki SMEEnterprise Mobility
ManagementMC
Communications
Application ControlTraffic Shaping, Content Filtering, Web Caching
SecurityNG Firewall, Client VPN, Site to Site VPN, IDS/IPS
NetworkingNAT/DHCP, 3G/4G Cellular, Static Routing, Link Balancing
Best IPS SOURCEfire IDS / IPS, updated every day
Anti-MalwareAdvanced Malware Protection powered by Cisco Sourcefire and Talos
Content Filtering 4+ billions URLS, updated in real-time
Geo-basedsecurity Block attackers from rogue countries
AV / anti-phishing Kaspersky AV, updated every hour
PCI compliance PCI L1 certified cloud-based management
Enterprise License Advanced Security License
Stateful firewall
Site to site VPN
Branch routing
Internet load-balancing (over dual WAN)
Application control
Web caching
Intelligent WAN (IWAN)
Client VPN
`
All enterprise features, plus
Content filtering (with Google SafeSearch)
Kaspersky Anti-Virus and Anti-Phishing
SourceFire IPS / IDS
Geo-based firewall rules
Advanced Malware Protection (AMP)
Cisco Email Security
Cisco Confidential 69© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco SensorBase: Email Reputation Database
Complaint Reports IP Blacklists and Whitelists
Domain Blacklist and Safelists
Compromised Host Lists
Website Composition Data
Other DataGlobal Volume Data
Message Composition Data
Spam Traps
+100-10
IP Reputation Score
Breadth and quality of data make the difference
Cisco Confidential 70© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Email Security Architecture
Threat Defense
Antispam
Antivirus and Virus Outbreak Filter
Data Security
Data Loss Prevention
Encryption
Management
Cisco Email Security
ReportingMessage Track
Management
Allow Warn
AdminHQ
Anti-Spam and
Anti-Virus
Mail Flow Policies Data Loss
Protection Encryption
Before DuringX XXX
Inbound Email
Outbound Email
CiscoAppliance Virtual
Talos
Block Partial Block
Outbound Liability
BeforeAfterDuring
Tracking User click Activity
(Anti-Phish)
File Sandboxing & Retrospection
X X XXX
Cloud
ContentControls
X
EmailReputation
AcceptanceControls File
ReputationAnti-SpamAnti-Virus Outbreak
Filters
X
Mail FlowPolicies Graymail
ManagementSafe Unsubscribe
X
Anti-PhishThreatGrid URL Rep & Cat
Cisco Security and OpenDNS
A system for relating names and numbers
Domain = IP Address Amazon.com =
205.251.242.103 Like a library of phone books
What is DNS?Domain Name System
AUTHORITATIVE DNSOwns and publishes the “phone books”
DOMAIN REGISTRAR Maps and records names to #s in “phone books”
RECURSIVE DNSLooks up & remembers
the #s for each name
Types of DNS
Malware validated as “known bad” –91% of all malware - use the Domain Name Service in one of these three ways:
• To gain command and control • To exfiltrate data • To redirect traffic
Few companies are monitoring DNS for security purposes (or monitoring DNS at all).
91%
DNS and Malware
76 CONFIDENTIAL
INTERNET
MALWAREBOTNETS/C2PHISHING
SANDBOXPROXY
NGFWNETFLOW
AV AV
AV AV
AV
AV
AV AV
ROUTER/UTM
AV AV
ROUTER/UTM
HERE?
& HERE?
& HERE?
& HERE?
& HERE?
OR HERE?
Where Do You Enforce Security?
CHALLENGES
Too Many Alerts via Appliances & AV
Wait Until Payloads Reaches Target
Every Payload Scan Slows Things Down
Too Much Time to Deploy Everywhere
BENEFITS
Alerts Reduced 2x; Improves Your SIEM
Traffic & Payloads Never Reach Target
Internet Access Is Faster; Not Slower
Provision Globally in UNDER 30 MINUTES
HQ
Branch Branch
Mobile
Mobile
OpenDNS Works With Everything You Use
FUTURE-PROOF EXTENSIBILITY
ANY NETWORK
Routers, Wi-Fi, SDN
ANY ENDPOINTVPN, IoE ANY
TECHNOLOGYFirewalls, Gateways
SECURE APIs OPEN TO EVERYONE
SECURITY PROVIDERS
FireEye, Cisco, Check
Point
NETWORK PROVIDERS
Meraki, Aruba,Aerohive
CUSTOMERSIn-houseSecurity Systems
Where Does Umbrella Fit?
INTERNET
ON NETWORK
ALLOTHER
TRAFFICWEB
TRAFFICEMAIL
TRAFFIC
INTERNETALL
OTHERTRAFFIC
WEBTRAFFIC
EMAILTRAFFIC
OFF NETWORK
ASAblocks inline by IP, URLor packet
ESA/CESblocks by sender
or content
WSA/CWSblocks by URL or content via proxy
ESA/CESblocks by sender
or content
CWSblocks by URL or content via proxy
Umbrellablocks by domainas well as IP or URL
Umbrellablocks by domainas well as IP or URL
Network As A SensorNework As An Enforcer
Insider Threats
With lateral movement of advanced persistent threats,even external attacks eventually become internal threats
95% of all cybercrimeis user-triggered by
disguisedmalicious links
One out of four breaches are caused by malicious insiders
Two out of three breaches exploit weak
or stolen passwords
Cisco Stealthwatch: Ubiquitous visibility via flow telemetry
81
… your infrastructure is the source:
InternetAmador
Delta
Solano
Border
DMZ
Virtual Hosts
PerimeterDatacenter
WAN Hub
WAN
Access
IDFDatacenter
WAN
DMZ
Access
FlowFlow
Flow
Flow
Flow
Flow
Flow
Flow
Flow
Flow
Flow
Flow
Flow
Flow
FlowFlow
81
enterprise network
Attacker
Perimeter(Inbound)
Perimeter(Outbound)
Infiltration and Backdoor establishment
1
C2 Server
Admin Node
Reconnaissance and Network Traversal
2
Exploitation and Privilege Elevation
3
Staging and Persistence (Repeat 2,3,4)
4
Data Exfiltration
5
Anatomy of a Data Breach
July 2016
Cisco 2016Midyear Cybersecurity ReportHighlights
Asymmetric battles are greater than our ability to respond
Persistent Attacks
Overwhelmed Defenders
Innovative Methods
Fragile Infrastructure
Shifting Tactics
Rising Vulnerabilities
Encryption Dilemma
Global Operations
Security practitioners need to identify and constrain the operational space of the adversaries
Current Threat Landscape
• Evolution of Ransomware• Advances in Malicious
Tradecraft• Questionable Network Hygiene
Encryption technique allows per-target customization
Marking systems and files have already been encrypted
Using Bitcoin for anonymous payment
Dual deadlines for:1.Cost increase2.Deleting data
Ransomware
Self-propagating• Utilization of a vulnerability in a widely deployed product • Replication to all available drives• File infections • Limited brute-force activity • Resilient command and control • Use of other backdoors
Ransomware 2.0
Modular• Autorun.Inf/USB Mass Storage Propagation• Authentication Infrastructure Exploits• Command and Control/Reporting Infections• Rate Limiter• RFC 1918 Target Address Limiter
Attack Vectors: Servers on the HorizonAdversaries expand focus from client-side attacks to server-side attack
In April, Cisco estimated that 10% of all Jboss servers worldwide were compromised.
Adobe Flash vulnerabilities continue to be leveraged by exploit kits.
Lower volume malware for dropping payloadsWormTrojanTrojan-FlashTrojan-RansomwareTrojan-DropperAndroid-Trojan
Attack Methods: A Spectrum of Opportunity
Higher volume malware for gaining accessWindows BinariesFacebook ScamsRedirectorsPacked BinariesAndroid AdwareTrojans
Exploit Kit Activity: Adobe Flash and MalvertisingAdobe Flash and Microsoft Silverlight vulnerabilities are leveraged by most exploit kits
Nuclear Magnitude Angler Neutrino RIGFlash
CVE-2015-7645
CVE-2015-8446
CVE-2015-8651
CVE-2016-1019
CVE-2016-1001
CVE-2016-4117
Silverlight
CVE-2016-0034
Vuln
erab
ilitie
s
Malware Use of HTTPS:HTTPS increased 300% for ad-injectors in the last 4 months.
Ad injection is the biggest contributor. Adversaries are using HTTPS traffic to expand time to operate.
300%Increased
in 4 months
2016 Midyear Cybersecurity Report
www.cisco.com/go/mcr2016
Conclusion
Cisco Provides Threat Intelligence,Point-in-Time Detection, and Continuous Analysis of Files to Defeat Advanced Threats
Attack Continuum
Data Center/Servers EndpointsEmail and Web Network Mobile
Before During AfterBefore
Discover EnforceHarden
DuringDetect Block
Defend
AfterScope
ContainRemediate
Threat intelligence and analytics
Point-in-Time detection
Retrospective security and continuous analysis
Thank You and Next Steps
Brian [email protected]
www.
Learn more about Cisco Security:www.cisco.com/go/security/
Contact Your Cisco Partnerhttps://tools.cisco.com/WWChannels/LOCATR/performBasicSearch.do
• CCE sessions are held weekly on a variety of topics• CCE sessions can help you understand the
capabilities and business benefits of Cisco technologies
• Watch replays of past events and register for upcoming events!
Visit http://cs.co/cisco101 for details
Join us again for a future Cisco Customer Education Event
Thank you.