Cisco Connect Halifax 2018 Anatomy of attack

Cisco Connect Halifax 2018 Anatomy of attack
© 2017 Cisco and/or its affiliates. All rights reserved. 1 Anatomy of Attack Chris Parker-James Consulting Systems Engineer – Cloud Security April 3rd 2018 Cisco Connect
© 2016 Cisco and/or its affiliates. All rights reserved. 2 Agenda Anatomy of an Attack What’s Changed? Cisco’s Solution Cisco Umbrella Cisco Cloudlock Why Cisco?
© 2016 Cisco and/or its affiliates. All rights reserved. 3 Anatomy of a cyber attack Reconnaissance and infrastructure setup Domain registration, IP, ASN Intel Monitor adaption based on results Target expansion Wide-scale expansion Defense signatures built Patient zero hit
© 2016 Cisco and/or its affiliates. All rights reserved. 4© 2016 Cisco and/or its affiliates. All rights reserved. 4 Locky/Wannacry Ransomware
© 2016 Cisco and/or its affiliates. All rights reserved. 5 Mapping attacker infrastructure SEP 12-26 DAYS Umbrella AUG 17 LOCKY *.7asel7[.]top ? Domain → IP Association ? IP → Sample Association ? IP → Network Association ? IP → Domain Association ? WHOIS Association ? Network → IP Association
© 2016 Cisco and/or its affiliates. All rights reserved. 6 91.223.89.201185.101.218.206 600+ Threat Grid files SHA256:0c9c328eb66672e f1b84475258b4999d6df008 *.7asel7[.]top LOCKY Domain → IP Association AS 197569IP → Network Association 1,000+ DGA domains ccerberhhyed5frqa[.]8211fr[.]top IP → Domain Association IP → Sample Association CERBER Mapping attacker infrastructure
© 2016 Cisco and/or its affiliates. All rights reserved. 7 -26 DAYS AUG 21 Umbrella JUL 18 JUL 21 Umbrella JUL 14 -7 DAYS jbrktqnxklmuf[.]info mhrbuvcvhjakbisd[.]xyz LOCKY LOCKY DGA Network → Domain Association DGA Threat detected same day domain was registered. Threat detected before domain was registered. DOMAIN REGISTERED JUL 22-4 DAYS Mapping attacker infrastructure
© 2016 Cisco and/or its affiliates. All rights reserved. 8© 2016 Cisco and/or its affiliates. All rights reserved. 8 Google OAuth attack
© 2016 Cisco and/or its affiliates. All rights reserved. 9 Sequence of events (1 of 2) Attacker sets up infrastructure and fake app; sends phishing email Victim opens email and clicks link 1 2 ! Victim is sent to Google’s OAuth page for authentication and to grant permissions. Then the user will be redirected to an attacker-controlled website Joe has invited you to view a document Open in Docs
© 2016 Cisco and/or its affiliates. All rights reserved. 10 Sequence of events (2 of 2) On the backend… If allowed, Google provisions an OAuth token, appends it to redirect_uri, and instructs victim’s browser to redirect to attacker’s domain Attacker gains access to OAuth token once the user is redirected to one of the attacker-controlled domains Note: users were redirected to these domains whether they clicked Deny or Allow 4 5 g-cloud[.]win Attacker uses the granted privileges (email contacts, delete emails, etc.) 6 Victim prompted to allow/deny access 3 Uses access to send emails from victim’s account and propagate the worm Google Docs would like to Read, send, delete, manage your email Manage your contacts AllowDeny
© 2016 Cisco and/or its affiliates. All rights reserved. 11 How Cisco Security can help Victim redirected to attacker’s domain Attacker gains access to OAuth token Attacker Has persistent access to the victims’ account Victim opens email and clicks link Victim grants access to their account If attack is successful, Cloudlock revokes OAuth token Umbrella blocks user redirect to malicious domain. Attacker never receives OAuth token if blocked here. Umbrella Investigate used to research attacker’s infrastructure Email Security blocks malicious emails Joe has invited you to view a document Open in Docs Google Docs would like to Read, send, delete, manage your email Manage your contacts AllowDeny
© 2016 Cisco and/or its affiliates. All rights reserved. 12© 2016 Cisco and/or its affiliates. All rights reserved. 12 The way we work has changed.
© 2016 Cisco and/or its affiliates. All rights reserved. 13 Branch office What’s changed Apps, data, and identities move to the cloud Business drives use of cloud apps and collaboration is easier No longer need VPN to get work done Branch offices have direct internet access HQ Roaming
© 2016 Cisco and/or its affiliates. All rights reserved. 14 Branch office How risk is different today Users not protected by traditional security stack Gaps in visibility and coverage Expose sensitive info (inadvertently or maliciously) Users can install and use risky apps on their own HQ Roaming
© 2016 Cisco and/or its affiliates. All rights reserved. 15 Branch office Our solution Umbrella Secure access to the internet Cloudlock Secure usage of cloud apps HQ Roaming
© 2016 Cisco and/or its affiliates. All rights reserved. 16 Cisco cloud security Shared focus, complementary use cases Visibility and control Threat protection Forensics Data protection Malware / ransomware Cloudlock For Shadow IT and connected cloud apps (OAuth) Protect cloud accounts from compromise and malicious insiders Analyze audit cloud logs Assess cloud data risk and ensure compliance Prevent cloud-native (OAuth) attacks Umbrella For all internet activity Stop connections to malicious internet destinations Investigate attacks with internet-wide visibility Block C2 callbacks and prevent data exfiltration Prevent initial infection and C2 callbacks
© 2016 Cisco and/or its affiliates. All rights reserved. 17 Cisco Umbrella Secure access to the internet
© 2016 Cisco and/or its affiliates. All rights reserved. 18 First line of defense against internet threats Umbrella See Visibility to protect access everywhere Learn Intelligence to see attacks before they launch Block Stop threats before connections are made
© 2016 Cisco and/or its affiliates. All rights reserved. 19 Umbrella Start blocking in minutes Easiest security product you’ll ever deploy Signup1 2 Point your DNS 3 Done
© 2016 Cisco and/or its affiliates. All rights reserved. 20 Enterprise-wide deployment in minutes DEPLOYMENT Cisco endpoint § No additional agents to deploy with AnyConnect § Or Umbrella roaming client works alongside other VPNs for DNS and IP redirection AnyConnect WLAN controller ISR 4K Cisco networking § Out-of-the-box integration § Use of tags for granular filtering and reporting § Policies per VLAN/SSID Other network devices DNS/DHCP servers Wireless APs § Simple configuration change to redirect DNS § Policies for corporate and guests
© 2016 Cisco and/or its affiliates. All rights reserved. 21 Visibility and protection for all activity, anywhere HQ Mobile Branch Roaming IoT ALL PORTS AND PROTOCOLS ON-NETWORK OFF-NETWORK Umbrella All office locations Any device on your network Roaming laptops Every port and protocol ENFORCEMENT
© 2016 Cisco and/or its affiliates. All rights reserved. 22 Where does Umbrella fit? Malware C2 Callbacks Phishing HQ Sandbox NGFW Proxy Netflow AV AV BRANCH Router/UTM AV AV ROAMING AV First line It all starts with DNS Precedes file execution and IP connection Used by all devices Port agnostic
© 2016 Cisco and/or its affiliates. All rights reserved. 23 Intelligent proxy Deeper inspection Built into foundation of the internet Safe Original destinations Security controls § DNS and IP enforcement § Risky domain inspection through proxy § SSL decryption available Blocked Modified destination Internet traffic On and off-network Destinations Original destination or block page ENFORCEMENT
© 2016 Cisco and/or its affiliates. All rights reserved. 24 Cisco Talos feeds Cisco WBRS Partner feeds Custom URL block list Requests for “risky” domainsIntelligent proxy URL inspection File inspection AV Engines Cisco AMP ENFORCEMENT
© 2016 Cisco and/or its affiliates. All rights reserved. 25 Prevents connections before and during the attack Command and control callback Malicious payload drop Encryption keys Updated instructions Web and email-based infection Malvertising / exploit kit Phishing / web link Watering hole compromise Stop data exfiltration and ransomware encryption ENFORCEMENT
© 2016 Cisco and/or its affiliates. All rights reserved. 26 Our view of the internet 125Brequests per day 15Kenterprise customers 90Mdaily active users 160+countries worldwide INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 27 Intelligence to see attacks before launched Data § Cisco Talos feed of malicious domains, IPs, and URLs § Umbrella DNS data — 100B requests per day Security researchers § Industry renown researchers § Build models that can automatically classify and score domains and IPs Models § Dozens of models continuously analyze millions of live events per second § Automatically uncover malware, ransomware, and other threats INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 28 Statistical models Guilt by inference § Co-occurrence model § Geolocation Model § Secure rank model Guilt by association § Predictive IP Space Modeling § Passive DNS and WHOIS Correlation Patterns of guilt § Spike rank model § Natural Language Processing rank model § Live DGA prediction INTELLIGENCE 2M+ live events per second 11B+ historical events
© 2016 Cisco and/or its affiliates. All rights reserved. 29 Co-occurrence model Domains guilty by inference a.com b.com c.com x.com d.com e.com f.com time - time + Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe Possible malicious domain Possible malicious domain Known malicious domain INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 30 Spike rank model Patterns of guilt y.com DAYS DNSREQUESTS Massive amount of DNS request volume data is gathered and analyzed DNS request volume matches known exploit kit pattern and predicts future attack DGA MALWARE EXPLOIT KIT PHISHING y.com is blocked before it can launch full attack INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 31 Predictive IP Space Monitoring Guilt by association Pinpoint suspicious domains and observe their IP’s fingerprint Identify other IPs – hosted on the same server – that share the same fingerprint Block those suspicious IPs and any related domains DOMAIN 209.67.132.476 209.67.132.477 209.67.132.478 209.67.132.479 INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 32 Host Infrastructure Location of the server IP addresses mapped to domain Hosted across 28+ countries DNS Requesters Location of the network and off-network device IP addresses requesting the domain Only US-based customers requesting a .RU TLD IP geo-location analysis
© 2016 Cisco and/or its affiliates. All rights reserved. 33 ‘Live DGA Prediction’ Predict 100,000s of future domains Combine newly-identified configs with DGA to identity C2 domains continuously + DGA Configs b.com c.com, d.com, … Automate reverse engineering Combine C2 domain pairs and known DGA to identify unknown configs Configs a.com b.com DGA + Live DNS log stream Identify millions of domains, many used by DGAs and unregistered a1.com a2.com b1.com c2.com Automate blocking pool of C2 domains Used by thousands of malicious samples now and in the future fgpxmvlsxpsp.me[.]uk beuvgwyhityq[.]info gboondmihxgc.com pwbbjkwnkstp[.]com bggwbijqjckk[.]me yehjvoowwtdh.com ctwnyxmbreev[.]com upybsnuuvcye[.]net quymxcbsjbhh.info vgqoosgpmmur.it automated at an unparalleled scale INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 34 ‘Sender Rank’ model: predict domains related to spammers Identify queries to spam reputation services Our 85M+ users leverage email reputation services check for spam; we see requests made to check domains found in emails MAIL SERVERS REPUTATION SERVICES a.spam.ru. checkspam.com b.spam.ru. checkspam.com Domain of service Domain of sender Model aggregates hourly graphs per domain Short bursts of 1000s of “Hailstorm” spam uses many FQDNs, e.g. subdomains, to hide from reputation services a.spam.ru … b.spam.ru z.spam.ru spam.ru suspect domain identified Model identifies owners of “Hailstorm” domains After confirmation, query WHOIS records to get registrant of sender domain ? ? ? Type of domain Domain popularity Historical activity Confirm “Hailstorm” domain check behavior patterns Block 10,000s of domains before new attacks happen Attackers often register more domains to embed links in phishing or C2 callbacks in malware badguy Model automatically places registrants on a watch list New domains registered at a future time Model automatically verifies new domains New malicious domain blocked by Umbrella INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 35 1. Any user (free or paid) requests the domain1 2. Every minute, we sample from our streaming DNS logs. 3. Check if domain was seen before & if whitelisted2. 4. If not, add to category, and within minutes, DNS resolvers are updated globally. Domains used in an attack. Umbrella’s Auto- WHOIS model may predict as malicious. Attackers register domains. Before expiration3, if any user requests this domain, it’s logged or blocked as newly seen. Later, Umbrella statistical models or reputation systems identify as malicious. ‘Newly Seen Domains’ category reduces risk of the unknown EVENTS 1. May have predictively blocked it already, and likely the first requestor was a free user. 2. E.g. domain generated for CDN service. 3. Usually 24 hours, but modified for best results, as needed. Reputation systems protected Cisco Umbrella 24 HOURS protected DAYS TO WEEKS not yet a threat not yet a threat unprotected potentially unprotected MINUTES INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 36 New analysis and categories to combat DNS tunneling INTELLIGENCE Malware (e.g. PisLoader) Hidden whitelist (e.g. AV updates) DNS Tunneling VPN* *NEW CATEGORIES: These are allowed by default, but can be blocked. And domains in these categories may have already been categorized as Malware or Botnet (a.k.a. C2 callbacks) by many other Umbrella statistical models. Potentially Harmful Domains* Undetermined100B+ DNS requests daily Machine learning detects domains with excessive # of subdomains or characters and invalid characters or encoded data. Plus, detects clients requesting excessive # of subdomains over a time period. Manually identify commercial services (e.g. YourFreedom) or benign uses every hour Streaming signature-based jobs Automatically identify malicious or potential data exfiltration or open-source tools (e.g. DNS2TCP) Batch behavior-based jobs plus researcher inspection
© 2016 Cisco and/or its affiliates. All rights reserved. 37 Umbrella statistical models are 5X more relevant than external intelligence RELEVANCY measures the extent that each threat source provides intelligence that is blocking active threats recently seen across our customer base. Higher relevancy = better coverage against active threats Umbrella statistical models have high relevancy because models quickly adapt to evolving threat landscape. 58% 11% Umbrella Statistical Models 3rd party feeds 5X
© 2016 Cisco and/or its affiliates. All rights reserved. 38 Our efficacy 3M+daily new domain names Discover 60K+daily malicious destinations Identify 7M+malicious destinations while resolving DNS Enforce INTELLIGENCE
© 2016 Cisco and/or its affiliates. All rights reserved. 39 What sets Umbrella apart from competitors Easiest connect-to-cloud deployment Fastest and most reliable cloud infrastructure Broadest coverage of malicious destinations and files Most open platform for integration Most predictive intelligence to stop threats earlier
© 2016 Cisco and/or its affiliates. All rights reserved. 40 Cisco Cloudlock Secure usage of cloud apps
© 2016 Cisco and/or its affiliates. All rights reserved. 41 User Cloudlock can provide visibility and control over global cloud activities
© 2016 Cisco and/or its affiliates. All rights reserved. 42 Key questions organizations have ApplicationsDataUsers/Accounts § Who is doing what in my cloud applications? § How do I detect account compromises? § Are malicious insiders extracting information? § Do I have toxic and regulated data in the cloud? § Do I have data that is being shared inappropriately? § How do I detect policy violations? § How can I monitor app usage and risk? § Do I have any 3rd party connected apps? § How do I revoke risky apps?
© 2016 Cisco and/or its affiliates. All rights reserved. 43 Cisco Cloudlock addresses customers’ most critical cloud security use cases Discover and Control User and Entity Behavior Analytics Cloud Data Loss Prevention (DLP) Apps Firewall Cloud Malware Shadow IT/OAuth Discovery and Control Data Exposures and Leakages Privacy and Compliance Violations Compromised Accounts Insider Threats
© 2016 Cisco and/or its affiliates. All rights reserved. 44 Here’s an example of why you need cloud user security North America 9:00 AM ET Login Africa 10:00 AM ET Data export§ Distance from the US to the Central African Republic: 7362 miles § At a speed of 800 mph, it would take 9.2 hours to travel between them In one hour
© 2016 Cisco and/or its affiliates. All rights reserved. 45 Have you ever been to 68 countries in one week?
© 2016 Cisco and/or its affiliates. All rights reserved. 46 More than 24,000 files per organization publicly accessible Data exposure per organization Accessible by external collaborators Accessible publicly Accessible organization-wide 2% 10% 12% 24,000 files publicly accessible per organization of external sharing done with non-corporate email addresses70% Source: Cloudlock CyberLab
© 2016 Cisco and/or its affiliates. All rights reserved. 47 33 mins 22 mins 18mins 17mins 15mins 10mins Consider “connected” cloud apps: Pokémon Go Daily time spent in Pokémon Go by average iOS user Pokémon Go breaks another record: Higher daily average user time than Facebook, Snapchat, and Instagram Source: SensorTower 40 30 20 10 0 Pokémon Go The pictur e can't be displa yed. Facebook Snapchat Twitter Instagram Slither Time to reach 100 million users worldwide An Unusual Start: Pokémon Go breaking all mobile gaming records globally. 1 month (estimated) 4.5 yrs 7 yrs 16 yrs 75 yrs YEAR OF LAUNCH 1878 1879 1900 2004 2016 The pictur e can't be displa yed.
© 2016 Cisco and/or its affiliates. All rights reserved. 48 Identities Data Apps Cisco Cloudlock Cloud Access Security Broker (CASB)
© 2016 Cisco and/or its affiliates. All rights reserved. 49 Public APIs Cisco NGFW / Umbrella Managed Users Managed Devices Managed Network Unmanaged Users Unmanaged Devices Unmanaged Network CASB – API Access (cloud to cloud)
© 2016 Cisco and/or its affiliates. All rights reserved. 50 Cloudlock has over 70 pre-defined policies PII § SSN/ID numbers § Driver license numbers § Passport numbers Education § Inappropriate content § Student loan application information § FERPA compliance General § Email address § IP address § Passwords/ login information PHI § HIPAA § Health identification numbers (global) § Medical prescriptions PCI § Credit card numbers § Bank account numbers § SWIFT codes
© 2016 Cisco and/or its affiliates. All rights reserved. 51 Cloudlock provides automated response actions Detect Alert (Admin/Users) Security Workflows Response Actions API Integrations
© 2016 Cisco and/or its affiliates. All rights reserved. 52 Smartest Intelligence CyberLab, crowd-sourced community trust ratings Proven Track Record Deployed at over 700 organizations and supporting deployments over 750,000 users FedRAMP In Process The only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization Cisco Ecosystem Integrated, architectural approach to security, vendor viability Cloud-Native Full value instantly, no disruption Differentiators Cisco Cloudlock
© 2016 Cisco and/or its affiliates. All rights reserved. 53© 20136 Cisco and/or its affiliates. All rights reserved. 53 Why Cisco Cloud Security?
© 2016 Cisco and/or its affiliates. All rights reserved. 54 Why customers love Cisco cloud security Cisco cloud security Most effective protection Simplest to deploy and manage Most open platform Most reliable
© 2016 Cisco and/or its affiliates. All rights reserved. 55 Real customer results “Deployed to 30,000 employees in less than 60 minutes” “Reduced infections by 98%...saved 1.7 months of user downtime per year” “Cut incident response time by 25-30%” Umbrella “Reduced public exposure by 62% in one day” “Intelligently reduced OAuth-connected apps by 34% in one week” “Deployed to 125,000 employees in less than 5 minutes” Cloudlock
Thank you.

Check these out next

Cisco Connect Halifax 2018 Anatomy of attack

Recomendados

Más contenido relacionado

Presentaciones para ti(20)

Similar a Cisco Connect Halifax 2018 Anatomy of attack(20)

Más de Cisco Canada(20)

Último(20)

Cisco Connect Halifax 2018 Anatomy of attack