Defense for Evolving Cyber Attacks - HKCERT
![Page 1: Defense for Evolving Cyber Attacks - HKCERT](https://reader033.vdocument.in/reader033/viewer/2022060415/629547183e84a373c03d92ca/html5/thumbnails/1.jpg)
Defense for Evolving Cyber Attacks
Garrick Ng, Head of Systems Engineering, Cisco Hong Kong
Nov 2016
Why Cisco for Security?

Timeline, 2007-2015: XML Firewall; Messaging and Web Security Appliance; Cloud Security; Advanced Malware Protection (AMP); UTM; Security Analytics; Dynamic Malware Analysis; Threat-Centric Security (NGIPS and AMP); Security Consulting; Cloud-Delivered Security; Network Behavior Analysis (NaaS).

Over the last three years we’ve invested more than US$3.8 billion in security. We are transforming to create the industry’s broadest security solution portfolio via continued security technology innovation… Committed to becoming the #1 security trusted advisor and partner to customers and partners.
The Cybercrime Economy

• Social Security number (SSN): $1
• Medical record: >$50
• DDoS as a service: ~$7/hour
• Credit card data: $0.25-$60
• Bank account info: >$1000, depending on account type and balance
• Exploits: $1000-$300K
• Facebook account: $1 for an account with 15 friends
• Spam: $50 per 500K emails
• Malware development: $2500 (commercial malware)
• Mobile malware: $150
• Global cybercrime market: $450B-$1T
Security Everywhere: Multi-Layer Integrated Defense

Continuous Protection? Insider Threat?
Visibility & software-defined (SD) segmentation; behavior analysis
Threat-Centric Model to Cover the Entire Attack Continuum

Visibility, Context, Segmentation & Threat Intelligence

• Firewall / NGFW
• Secure Access + Identity Services
• VPN
• UTM
• NGIPS
• Email & Web Security
• Cognitive Threat Analytics (CTA)
• Network Behavior Analysis
• DNS Layer Protection & CASB
• Advanced Malware Protection (AMP) & Threat Grid (Sandbox)

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Time to Detection (TTD)

Cisco: 13 hours vs. industry: >100 days

Cisco Minimizes the Time to Detect Breaches
When initial detection is missed, TTD is the time between the first observation of an unknown file and the detection of it as a threat.
Case Study 1: Ransomware - DNS Layer Domain-Level Protection - Predictive Security

Ransomware
• CryptoLocker • TeslaCrypt 3.0 • CryptoWall 4.0 • CTB-Locker • KeRanger • Locky, Zepto • SamSam • Cerber • Petya, Satana • Jigsaw • CryptXXX 3.0 • Bart • CryptoHitman …
![Page 16: Defense for Evolving Cyber Attacks - HKCERT](https://reader033.vdocument.in/reader033/viewer/2022060415/629547183e84a373c03d92ca/html5/thumbnails/16.jpg)
![Page 17: Defense for Evolving Cyber Attacks - HKCERT](https://reader033.vdocument.in/reader033/viewer/2022060415/629547183e84a373c03d92ca/html5/thumbnails/17.jpg)
![Page 18: Defense for Evolving Cyber Attacks - HKCERT](https://reader033.vdocument.in/reader033/viewer/2022060415/629547183e84a373c03d92ca/html5/thumbnails/18.jpg)
![Page 19: Defense for Evolving Cyber Attacks - HKCERT](https://reader033.vdocument.in/reader033/viewer/2022060415/629547183e84a373c03d92ca/html5/thumbnails/19.jpg)
Request of Ransom
Encryption of Files
C2 Comms & Asymmetric Key
Exchange
Typical Ransomware Infection
Infection Vector(Email
attachment, Clicks a link, Malvertising)
How Cisco Protects Customers (OpenDNS, Next-Gen Firewall, AMP, Stealthwatch)

Infection vector:
• OpenDNS blocks the request
• NGFW blocks the connection
• Web Security with AMP blocks the file
• AMP for Endpoints blocks the file

C2 comms & asymmetric key exchange:
• OpenDNS blocks the request
• NGFW blocks the connection
• Stealthwatch detects the activity
• OpenDNS blocks the request to the encryption key infrastructure

Encryption of files:
• AMP for Endpoints quarantines the ransomware
DNS: a Security Perspective

• 91.3% of malware uses DNS
• 68% of organizations don’t monitor it
• A blind spot that lets attackers gain command and control, exfiltrate data, and redirect traffic

Source: Cisco Annual Security Report, 2016
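The three DNS abuses the slide names (C2 lookups, exfiltration, and the key-server contact in the ransomware chain above) all show up in plain query logs, which is why the "68% don't monitor it" figure matters. The following Python is an added example, not code from the deck or from Cisco/OpenDNS: it triages a constructed query log for blocklisted domains, DGA-style hostnames, and TXT-query tunnelling, and emits BIND response-policy-zone (RPZ) records that make a resolver answer NXDOMAIN for the blocked domains. The log format, the log lines, the domain names, and every threshold are constructed or assumed for illustration.

```python
"""DNS query-log triage: the kind of monitoring the deck says 68% of organisations skip.

Added example, not code from the HKCERT deck or from Cisco/OpenDNS. The log
format, the log lines, the blocklist domains and all thresholds are constructed
or assumed for illustration.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed blocklist, standing in for a threat feed (hypothetical domains).
BLOCKLIST = {"keyserver-example.net", "payload-example.org"}

# Constructed log lines in an assumed "<timestamp> <client> <qtype> <qname>" format:
# a clean host, a host contacting a blocklisted key server plus DGA-style names,
# and a host pushing what looks like hex-encoded data out through TXT queries.
SAMPLE_LOG = """\
2016-11-02T09:00:01 10.0.0.5 A www.example.com
2016-11-02T09:00:02 10.0.0.5 A cdn.example.com
2016-11-02T09:01:10 10.0.0.7 A keyserver-example.net
2016-11-02T09:01:11 10.0.0.7 A xk3q9zv1pl0m7w.example-dga.biz
2016-11-02T09:01:12 10.0.0.7 A b8ty2nq4hs6jd.example-dga.biz
2016-11-02T09:02:00 10.0.0.9 TXT 4d5a90000300000004000000ffff.exfil-example.com
2016-11-02T09:02:01 10.0.0.9 TXT 0000b800000000004000000000000.exfil-example.com
2016-11-02T09:02:02 10.0.0.9 TXT 0000000000000000000000000000.exfil-example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def parse(log_text):
    """Yield (client, qtype, qname) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["client"], m["qtype"], m["qname"].rstrip(".").lower()


def registered_domain(qname):
    """Last two labels. Assumption: adequate here; use the Public Suffix List in production."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character of a label; generated labels score high, dictionary words low."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label, min_len=12, min_entropy=3.5, min_digits=2):
    """DGA heuristic: long, high-entropy, mixed letters and digits (thresholds assumed)."""
    return (len(label) >= min_len
            and sum(ch.isdigit() for ch in label) >= min_digits
            and shannon_entropy(label) >= min_entropy)


def triage(log_text, blocklist=BLOCKLIST, tunnel_threshold=3, tunnel_label_len=20):
    """Return (client, name, reason) findings for blocklist hits, DGA-like names and tunnelling."""
    findings = []
    tunnel_counts = defaultdict(int)   # (client, registered domain) -> long TXT/NULL queries
    for client, qtype, qname in parse(log_text):
        domain = registered_domain(qname)
        if qname in blocklist or domain in blocklist:
            findings.append((client, qname, "blocklisted domain"))
            continue
        subdomain = qname.split(".")[:-2]          # labels left of the registered domain
        if subdomain and looks_generated(subdomain[0]):
            findings.append((client, qname, "DGA-like label"))
        # Tunnelling/exfiltration: repeated TXT/NULL queries carrying long leftmost labels
        if qtype in ("TXT", "NULL") and subdomain and len(subdomain[0]) >= tunnel_label_len:
            tunnel_counts[(client, domain)] += 1
            if tunnel_counts[(client, domain)] == tunnel_threshold:
                findings.append((client, domain, "possible DNS tunnelling"))
    return findings


def rpz_records(domains):
    """BIND response-policy-zone records that answer NXDOMAIN for each domain and its subdomains."""
    records = []
    for d in sorted(domains):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
    print("\n".join(rpz_records(BLOCKLIST)))
```

Two caveats a practitioner would add: the entropy rule will fire on legitimate CDN and cloud hostnames, so tune the thresholds against your own baseline before alerting on it; and a resolver-side block only protects hosts that actually use that resolver, so pair it with egress rules that stop clients talking to other resolvers on port 53 or over DoH.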
Umbrella as the first layer: diagram of Internet threats (malware, botnets/C2, phishing) filtered at the DNS layer before they reach HQ, branch and mobile users, in front of Firepower, ASA, Meraki, WSA (+ESA), Lancope and AMP on the endpoints.

Benefits: Simple!
• Alerts reduced 2-10x
• Protects on & off network
• Threat prevention, not just detection
OpenDNS Umbrella @ Rio Olympics
• Umbrella deployed for the entire Olympics 2 days before the opening ceremony, in 2 hrs
• Total of 7 networks configured in Rio and Sao Paulo
• 22M requests per day
• Umbrella stopped 23,000 threats each day
Reactive

Predictive: 90B requests/day, 65M active users, 160+ countries
https://youtu.be/TE9qsYBu8MM
https://youtu.be/acwD_OA3QZ4

Start a Free Trial - OpenDNS Umbrella
• Worldwide coverage, fast, simple to deploy, with 100% uptime: no hardware to install or software to maintain
• Free to use for up to 14 days
• Threat protection like no other: blocks malware, botnets and phishing
• Predictive intelligence: automates threat protection to detect attacks before they are launched
• Personal use: free
Cisco 2016 Annual Security Report / Cisco 2016 Midyear Cybersecurity Report
http://www.cisco.com/c/en/us/products/security/annual_security_report.html
http://blogs.cisco.com/author/talos

Ransomware
http://info.opendns.com/rs/033-OMP-861/images/SB-OpenDNS-Combating-Ransomware.pdf
http://www.talosintel.com/files/publications_and_presentations/papers/CryptoWall4_WhitePaper.042016.pdf
Case Study 2: Dyn DDoS Attack

• Affected: BBC, CNN, CNBC, Twitter, Netflix, PayPal, Amazon, NY Times, PlayStation, Xbox, Wall Street Journal, …
• 1.2 Tbps DDoS
• By the IoT botnet Mirai
• Loss: ~$110 million
DDoS Attacks Overview
Diagram: attack traffic arriving through ISP 1, ISP 2 … ISP n saturates the target’s upstream ISP link, so good traffic cannot reach the target’s applications and services.

Dyn DDoS attack by Mirai Botnet
Diagram: the same saturation picture, with the Mirai botnet as the source of the attack traffic.
What Exactly Happened?

Normal resolution: a client asks its ISP / recursive DNS service for www.twitter.com. The recursive resolver queries the Dyn DNS service, the authoritative DNS server for twitter.com, receives 199.59.149.198, and returns it to the client, which then connects to the Twitter data center.

During the attack: the Mirai botnet (100K bots) launched a DDoS attack against the Dyn DNS service. Recursive resolvers querying the authoritative servers for twitter.com timed out, so there was no resolution, and clients could not reach the Twitter data center even though it was up.
Why Cisco Umbrella Customers Were Unaffected

Cisco Umbrella (OpenDNS) had already resolved www.twitter.com to 199.59.149.198 before the attack. When its own queries to the Dyn DNS service (the authoritative DNS server for twitter.com) timed out under the Mirai botnet’s DDoS attack, Umbrella’s Smart Cache kept answering with the last known good record, 199.59.149.198, so its clients still reached the Twitter data center.
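The Smart Cache behaviour described above is a serve-stale policy: a caching resolver that keeps an expired record and answers from it, for a bounded time, when the authoritative server cannot be reached. The following Python is an added example, not Cisco Umbrella or OpenDNS code: a minimal resolver cache with that fallback, run through a simulated outage so the difference from a conventional resolver is visible. The authoritative stand-in, the controllable clock, the 300-second TTL and the 24-hour stale window are constructed or assumed; the name and address are the ones on the slide. Resolver serve-stale was later standardised in RFC 8767.

```python
"""Serve-stale resolver cache, modelling the 'Smart Cache' behaviour described above.

Added example, not Cisco Umbrella/OpenDNS code. The upstream server, the clock,
the TTL and the staleness window are constructed or assumed. The behaviour was
later standardised for DNS resolvers in RFC 8767 (serve-stale).
"""
import time


class UpstreamTimeout(Exception):
    """Raised when the authoritative server does not answer."""


class Resolver:
    """Minimal caching resolver; max_stale=0 gives ordinary behaviour, >0 enables serve-stale."""

    def __init__(self, upstream, max_stale=0, clock=time.monotonic):
        self.upstream = upstream      # callable(qname) -> (rdata, ttl), may raise UpstreamTimeout
        self.max_stale = max_stale    # seconds an expired answer may still be served
        self.clock = clock
        self.cache = {}               # qname -> (rdata, expires_at)

    def resolve(self, qname):
        """Return (rdata, 'fresh' | 'stale'); raise UpstreamTimeout when nothing usable exists."""
        now = self.clock()
        entry = self.cache.get(qname)
        if entry and entry[1] > now:
            return entry[0], "fresh"
        try:
            rdata, ttl = self.upstream(qname)
        except UpstreamTimeout:
            # The authoritative side is unreachable. Serve the expired record if it is
            # within the stale window; otherwise fail like a conventional resolver.
            if entry and now - entry[1] <= self.max_stale:
                return entry[0], "stale"
            raise
        self.cache[qname] = (rdata, now + ttl)
        return rdata, "fresh"


class FakeAuthoritative:
    """Constructed stand-in for the authoritative servers; name and IP come from the slide."""

    def __init__(self):
        self.up = True
        self.records = {"www.twitter.com": ("199.59.149.198", 300)}

    def __call__(self, qname):
        if not self.up:
            raise UpstreamTimeout(qname)
        return self.records[qname]


def simulate_outage():
    """Compare a conventional resolver with a serve-stale resolver across a simulated outage."""
    clock = [0.0]                     # controllable clock so the run is deterministic
    auth = FakeAuthoritative()
    conventional = Resolver(auth, max_stale=0, clock=lambda: clock[0])
    serve_stale = Resolver(auth, max_stale=24 * 3600, clock=lambda: clock[0])
    results = {}

    # Before the attack: both resolvers populate their caches normally.
    results["before"] = (conventional.resolve("www.twitter.com"),
                         serve_stale.resolve("www.twitter.com"))

    clock[0] = 600.0                  # the 300 s TTL has expired
    auth.up = False                   # DDoS: authoritative queries now time out
    try:
        results["conventional_during"] = conventional.resolve("www.twitter.com")
    except UpstreamTimeout:
        results["conventional_during"] = None
    results["serve_stale_during"] = serve_stale.resolve("www.twitter.com")

    clock[0] = 3 * 24 * 3600.0        # well past the 24 h stale window
    try:
        results["serve_stale_after_window"] = serve_stale.resolve("www.twitter.com")
    except UpstreamTimeout:
        results["serve_stale_after_window"] = None
    return results


if __name__ == "__main__":
    for step, outcome in simulate_outage().items():
        print(f"{step}: {outcome}")
```

The trade-off is freshness for availability: a stale answer can point at an address the zone owner has legitimately moved away from, and it masks the upstream failure from clients. That is why the window is bounded and why a production implementation keeps retrying the authoritative server and hands out stale answers with a short TTL rather than the original one.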
Best Practice

• Multi-layer defense to cover the attack continuum (Before-During-After): DNS, email/web gateway, NGFW/NGIPS/AMP, endpoint AV/AMP protection
• Back up frequently (and keep the backups offline)!!!
• Patch your operating systems and other software (e.g. Flash) ASAP!
• Keep your anti-virus/anti-malware updated
• Educate users on emails with links and attachments; be careful with email attachments
• Disable macros in Office documents and scripts in the browser
• Don’t stay logged in as administrator
• Retire end-of-support hardware and software
Shania Ting - Security Sales Manager: [email protected]
Mak - Security Consultant: [email protected]
Garrick Ng - Head of SE: [email protected]
TALOS INTEL BREAKDOWN

• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 4 global data centers
• 1100 threat traps
• Over 100 threat intelligence partners
• Threat intel: 1.5 million daily malware samples, 600 billion daily email messages, 16 billion daily web requests

Sources: honeypots, open source communities, vulnerability discovery (internal), telemetry, Internet-wide scanning

Intel sharing: Aspis, Crete, AEGIS, 3rd party programs (MAPP), ISACs