Cisco Connect Toronto 2017 - Anatomy-of-attack
- 1. © 2016 Cisco and/or its affiliates. All rights reserved. 1
Cisco
Connect
Anatomy of an Attack
Chris Parker-James
Consulting Systems Engineer, Cloud Security
October 12th, 2017
- 2.
Agenda
Anatomy of an Attack
What’s Changed?
Cisco’s Solution: Cisco Umbrella, Cisco Cloudlock
Why Cisco?
- 3.
Anatomy of a cyber attack
Reconnaissance and infrastructure setup: domain registration, IP and ASN intel
Patient zero hit
Monitor and adapt based on results
Target expansion
Wide-scale expansion
Defense signatures built (only after the campaign is already wide-scale; the infrastructure setup is visible well before patient zero)
- 4.
Locky/WannaCry ransomware
- 5.
Mapping attacker infrastructure
Timeline: Umbrella flagged *.7asel7[.]top on AUG 17, 26 days before the LOCKY campaign of SEP 12.
Pivots available from a single domain:
Domain → IP association
IP → Sample association
IP → Network association
IP → Domain association
WHOIS association
Network → IP association
- 6.
Mapping attacker infrastructure
*.7asel7[.]top (LOCKY)
Domain → IP association: 91.223.89.201, 185.101.218.206
IP → Sample association: 600+ Threat Grid files, e.g. SHA256 (truncated) 0c9c328eb66672ef1b84475258b4999d6df008
IP → Network association: AS 197569
IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (CERBER)
- 7.
Mapping attacker infrastructure
DGA domains jbrktqnxklmuf[.]info and mhrbuvcvhjakbisd[.]xyz (both LOCKY), found through Network → Domain association.
Umbrella detections: JUL 14 (-7 DAYS), JUL 18
Domains registered: JUL 21, JUL 22 (-4 DAYS)
LOCKY campaign: AUG 21 (-26 DAYS)
One threat was detected the same day its domain was registered; the other was detected before its domain was registered.
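The pivots shown on the three slides above (Domain → IP → Sample / Network / Domain), as an added worked example that is not part of the deck and uses no Cisco product or API: a breadth-first walk over a small passive-DNS dataset constructed for the example. The seed domain, the two IPs, the ASN, the Cerber DGA domain and the truncated hash are the identifiers printed on the slides; every other record, the function names, the depth limit and the fan-out threshold are assumptions made for this example. The fan-out check is the caveat a practitioner needs: a parked or shared-hosting address resolves for thousands of unrelated domains and must be recorded but never pivoted through.

```python
from collections import defaultdict, deque

# Constructed passive-DNS records for the example: (domain, ip). The seed
# domain, the two IPs, the ASN, the Cerber DGA domain and the truncated hash
# are the identifiers printed on the slides; everything else is made up.
PDNS = [
    ("www.7asel7.top", "91.223.89.201"),
    ("www.7asel7.top", "185.101.218.206"),
    ("ccerberhhyed5frqa.8211fr.top", "91.223.89.201"),
    ("dga2.8211fr.top", "185.101.218.206"),
    ("payload.example", "91.223.89.77"),
    # A parked address the seed once resolved to, shared with 80 unrelated tenants.
    ("www.7asel7.top", "203.0.113.10"),
] + [(f"tenant{i}.example", "203.0.113.10") for i in range(80)]

IP_ASN = {  # IP -> Network association (constructed BGP view)
    "91.223.89.201": 197569,
    "185.101.218.206": 197569,
    "91.223.89.77": 197569,
    "203.0.113.10": 64500,
}

IP_SAMPLES = {  # IP -> Sample association (constructed sandbox index)
    "91.223.89.201": {"0c9c328eb66672ef1b84475258b4999d6df008"},
}


def build_indexes(pdns, ip_asn):
    """Forward (domain -> IPs), reverse (IP -> domains) and ASN -> IPs maps."""
    d2ip, ip2d, asn2ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for domain, ip in pdns:
        d2ip[domain].add(ip)
        ip2d[ip].add(domain)
    for ip, asn in ip_asn.items():
        asn2ip[asn].add(ip)
    return d2ip, ip2d, asn2ip


def pivot(seed, pdns=PDNS, ip_asn=IP_ASN, ip_samples=IP_SAMPLES,
          max_depth=2, max_fanout=50):
    """Breadth-first Domain -> IP -> Domain walk from `seed`.

    An IP that resolves for more than `max_fanout` domains is treated as
    shared hosting / CDN / parking: it is recorded but never pivoted through,
    otherwise one parked record drags every tenant into the cluster.
    """
    d2ip, ip2d, asn2ip = build_indexes(pdns, ip_asn)
    domains, ips, asns, samples, shared = {seed}, set(), set(), set(), set()
    queue = deque([(seed, 0)])
    while queue:
        domain, depth = queue.popleft()
        for ip in d2ip.get(domain, ()):
            ips.add(ip)
            samples |= ip_samples.get(ip, set())
            if ip in ip_asn:
                asns.add(ip_asn[ip])
            if len(ip2d[ip]) > max_fanout:
                shared.add(ip)
                continue
            if depth >= max_depth:
                continue
            for related in ip2d[ip]:
                if related not in domains:
                    domains.add(related)
                    queue.append((related, depth + 1))
    # Network -> IP association: other addresses in the same ASN are reported
    # as candidates to review by hand, not added to the cluster automatically.
    candidates = set()
    for asn in asns:
        candidates |= asn2ip[asn] - ips
    return {"domains": domains, "ips": ips, "asns": asns, "samples": samples,
            "shared_ips_skipped": shared, "candidate_ips": candidates}


if __name__ == "__main__":
    for key, value in pivot("www.7asel7.top").items():
        print(f"{key}: {sorted(map(str, value))}")
```

Run as-is the walk reaches the Cerber DGA domain through the shared IP 91.223.89.201, reports AS 197569 and the sandbox hash, skips the parked 203.0.113.10 (81 domains, above the fan-out limit) so none of the tenant domains are pulled in, and lists 91.223.89.77 as a same-ASN candidate rather than a confirmed member of the cluster.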
- 8.
Google OAuth attack
- 9.
Sequence of events (1 of 2)
1. Attacker sets up infrastructure and a fake app, then sends a phishing email.
2. Victim opens the email and clicks the link. The victim is sent to Google’s OAuth page to authenticate and grant permissions; the user is then redirected to an attacker-controlled website.
- 10.
Sequence of events (2 of 2)
3. Victim is prompted to allow or deny access.
4. On the backend, if allowed, Google provisions an OAuth token, appends it to the redirect_uri, and instructs the victim’s browser to redirect to the attacker’s domain (e.g. g-cloud[.]win).
5. Attacker gains access to the OAuth token once the user is redirected to one of the attacker-controlled domains. Note: users were redirected to these domains whether they clicked Deny or Allow.
6. Attacker uses the granted privileges (email contacts, delete emails, etc.) and uses the access to send emails from the victim’s account and propagate the worm.
- 11.
How Cisco Security can help
Victim opens email and clicks link → Email Security blocks malicious emails.
Victim grants access to their account; victim is redirected to the attacker’s domain → Umbrella blocks the user redirect to the malicious domain. The attacker never receives the OAuth token if blocked here.
Attacker gains access to the OAuth token; attacker has persistent access to the victim’s account → If the attack is successful, Cloudlock revokes the OAuth token.
Umbrella Investigate is used to research the attacker’s infrastructure.
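The Cloudlock-side check on this slide (find and revoke risky OAuth apps) as an added example written for this page, not code from the deck or from Cisco Cloudlock: it scores each connected app by the scopes it holds and looks for the worm’s propagation signature, many distinct users granting one app within a short window. The scope URIs are Google’s published scope strings; the client IDs, app names, the grant log, the weights and the thresholds are constructed for the example. The revocation call itself goes through the identity provider’s admin API and is not shown.

```python
from collections import defaultdict

# Scope weights: broad mailbox/contacts access is what let the worm read
# contacts and send mail from victims. The URIs are Google's real scope
# strings; the weights are this example's own choice.
SCOPE_RISK = {
    "https://mail.google.com/": 3,                          # full Gmail access
    "https://www.googleapis.com/auth/contacts": 2,          # read/write contacts
    "https://www.googleapis.com/auth/contacts.readonly": 1,
    "https://www.googleapis.com/auth/drive": 2,
    "https://www.googleapis.com/auth/userinfo.email": 0,
    "https://www.googleapis.com/auth/calendar.readonly": 0,
}

# Constructed grant log: (user, client_id, app_name, scopes, granted_at epoch).
# Client IDs and app names are hypothetical.
NOW = 1_500_000_000
GRANTS = [
    ("alice", "crm-legacy.apps.example", "Legacy CRM",
     {"https://mail.google.com/"}, NOW - 90 * 86400),
    ("bob", "cal-sync.apps.example", "Calendar Sync",
     {"https://www.googleapis.com/auth/calendar.readonly",
      "https://www.googleapis.com/auth/userinfo.email"}, NOW - 3000),
] + [
    # Twelve users grant the same unknown app inside the last 12 minutes.
    (f"user{i}", "docs-share.apps.example", "Docs Share",
     {"https://mail.google.com/", "https://www.googleapis.com/auth/contacts"},
     NOW - 60 * i)
    for i in range(12)
]


def triage_grants(grants, now=NOW, window_s=3600, min_users=5, review_at=3):
    """Score each connected app and decide revoke / review / ok.

    revoke: high-risk scopes AND a burst of distinct users granting it inside
            `window_s` (the propagation signature of an OAuth worm).
    review: high-risk scopes without the burst (e.g. a long-standing app).
    ok:     everything else.
    """
    per_app = defaultdict(lambda: {"name": "", "users": set(),
                                   "scopes": set(), "recent_users": set()})
    for user, client_id, name, scopes, ts in grants:
        app = per_app[client_id]
        app["name"] = name
        app["users"].add(user)
        app["scopes"] |= set(scopes)
        if now - ts <= window_s:
            app["recent_users"].add(user)

    verdicts = {}
    for client_id, app in per_app.items():
        # An unknown scope counts as 1: never let a typo in the table hide it.
        risk = sum(SCOPE_RISK.get(s, 1) for s in app["scopes"])
        burst = len(app["recent_users"]) >= min_users
        if risk >= review_at and burst:
            verdict = "revoke"
        elif risk >= review_at:
            verdict = "review"
        else:
            verdict = "ok"
        verdicts[client_id] = {"name": app["name"], "verdict": verdict,
                               "risk": risk, "users": len(app["users"]),
                               "recent_users": len(app["recent_users"])}
    return verdicts


if __name__ == "__main__":
    for client_id, v in triage_grants(GRANTS).items():
        print(f"{v['verdict']:7} {client_id:28} risk={v['risk']} "
              f"users={v['users']} recent={v['recent_users']}")
```

The burst test is what separates the worm from an ordinary over-privileged integration: the legacy CRM holds full mailbox access but has one user and an old grant, so it is queued for review; the unknown app that twelve users approved in twelve minutes with mail plus contacts scopes is the one to revoke immediately.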
- 12.
The way we work has changed.
- 13.
What’s changed (branch office, HQ, roaming)
Apps, data, and identities move to the cloud
Business drives use of cloud apps and collaboration is easier
No longer need VPN to get work done
Branch offices have direct internet access
- 14.
How risk is different today (branch office, HQ, roaming)
Users not protected by the traditional security stack
Gaps in visibility and coverage
Sensitive info exposed (inadvertently or maliciously)
Users can install and use risky apps on their own
- 15.
Our solution (branch office, HQ, roaming)
Umbrella: secure access to the internet
Cloudlock: secure usage of cloud apps
- 16.
Cisco cloud security
Shared focus, complementary use cases: visibility and control, threat protection, forensics, data protection, malware / ransomware
Cloudlock: for Shadow IT and connected cloud apps (OAuth)
Protect cloud accounts from compromise and malicious insiders
Analyze and audit cloud logs
Assess cloud data risk and ensure compliance
Prevent cloud-native (OAuth) attacks
Umbrella: for all internet activity
Stop connections to malicious internet destinations
Investigate attacks with internet-wide visibility
Block C2 callbacks and prevent data exfiltration
Prevent initial infection and C2 callbacks
- 17.
Cisco Umbrella
Secure access to the internet
- 18.
First line of defense against internet threats
Umbrella
See: visibility to protect access everywhere
Learn: intelligence to see attacks before they launch
Block: stop threats before connections are made
- 19.
Umbrella
Start blocking in minutes: the easiest security product you’ll ever deploy
1. Sign up
2. Point your DNS
3. Done
- 20.
How fast do we resolve DNS requests?
DNS resolution time in milliseconds (lower is better), by resolver and region
Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, May 2017

Resolver    Overall  North America  Europe/EMEA  Asia/APC  Latin America  Africa
SafeDNS        157        75            135         197         184          322
FreeDNS        130       132             41         275         225          195
DNS.WATCH      119       106             34         268         218          169
Comodo          92        39             44         198         119          164
Level3          78        17             32         167         110          171
OpenNIC         75        38             52         119         108           81
Verisign        74        43             43         112         140          176
Dyn             50        12             31          80          73          165
Umbrella        45        17             31          59          99           23
Google          33        25             29          39          42           38
- 21.
DEPLOYMENT
Enterprise-wide deployment in minutes
Cisco endpoint (AnyConnect): no additional agents to deploy with AnyConnect; alternatively the Umbrella roaming client works alongside other VPNs for DNS and IP redirection
Cisco networking (WLAN controller, ISR 4K): out-of-the-box integration, use of tags for granular filtering and reporting, policies per VLAN/SSID
Other network devices (DNS/DHCP servers, wireless APs): simple configuration change to redirect DNS, policies for corporate and guests
- 22.
Where does Umbrella fit?
Threats: malware, C2 callbacks, phishing
HQ: sandbox, NGFW, proxy, NetFlow, AV
Branch: router/UTM, AV
Roaming: AV
First line: it all starts with DNS
Precedes file execution and IP connection
Used by all devices
Port agnostic
- 23.
Built into the foundation of the internet
Umbrella provides:
Connection for safe requests
Prevention for user- and malware-initiated connections
Proxy inspection for risky URLs
(Diagram: safe request vs. blocked request)
- 24.
ENFORCEMENT
Intelligent proxy: requests for “risky” domains
URL inspection: Cisco Talos feeds, Cisco WBRS, partner feeds, custom URL block list
File inspection: AV engines, Cisco AMP
- 25.
ENFORCEMENT
Prevents connections before and during the attack
Web and email-based infection: malvertising / exploit kit, phishing / web link, watering hole compromise
Command and control callback: malicious payload drop, encryption keys, updated instructions
Stop data exfiltration and ransomware encryption
- 26.
INTELLIGENCE
Our view of the internet
100B requests per day
12K enterprise customers
85M daily active users
160+ countries worldwide
- 27.
INTELLIGENCE
Intelligence to see attacks before they are launched
Data: Cisco Talos feed of malicious domains, IPs, and URLs; Umbrella DNS data (100B requests per day)
Security researchers: industry-renowned researchers build models that can automatically classify and score domains and IPs
Models: dozens of models continuously analyze millions of live events per second and automatically uncover malware, ransomware, and other threats
- 28.
INTELLIGENCE
Statistical models (2M+ live events per second, 11B+ historical events)
Guilt by inference: co-occurrence model, geolocation model, Secure Rank model
Guilt by association: predictive IP space modeling, passive DNS and WHOIS correlation
Patterns of guilt: Spike Rank model, natural language processing rank model, live DGA prediction
- 29.
INTELLIGENCE
Co-occurrence model: domains guilty by inference
Timeline (time - … time +): a.com b.com c.com x.com d.com e.com f.com, where x.com is a known malicious domain and the domains requested just before and after it (c.com, d.com) are possible malicious domains.
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
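The co-occurrence idea on this slide as an added example, written for this page and not taken from the deck or from Umbrella’s models: it scans per-identity DNS logs for domains requested within a few seconds of a known-bad request, counts how many distinct identities show that pairing, and discounts domains that are requested everywhere anyway. The log lines, the known-bad domain (x.example standing in for the slide’s x.com), the time window and both thresholds are constructed for the example; the window generalizes the slide’s “consecutively” to “within a few seconds”.

```python
from collections import defaultdict

KNOWN_BAD = {"x.example"}

# Constructed DNS log: (identity, timestamp_seconds, domain). Ten hosts all use
# a popular domain; eight of them request c2-next.example within seconds of the
# known-bad x.example; one host also requests a rare domain in the same window.
LOGS = []
for i in range(10):
    ident, base = f"host{i}", 1000 * i
    LOGS += [(ident, base, "popular.example"), (ident, base + 300, "popular.example")]
    if i < 8:
        LOGS += [(ident, base + 600, "x.example"),
                 (ident, base + 601, "popular.example"),
                 (ident, base + 602, "c2-next.example")]
    if i == 0:
        LOGS.append((ident, base + 603, "rare.example"))


def cooccurrence(logs, known_bad, window_s=5, min_identities=3, min_ratio=0.5):
    """Return ({domain: (identities, ratio)}, flagged_domains).

    identities: distinct identities that requested `domain` within `window_s`
                of one of their own requests for a known-bad domain.
    ratio:      co-occurring requests / all requests for `domain`; a search
                engine or CDN sits next to everything, so its ratio stays low.
    """
    by_identity = defaultdict(list)
    total = defaultdict(int)
    for ident, ts, domain in logs:
        by_identity[ident].append((ts, domain))
        total[domain] += 1

    cooc_identities = defaultdict(set)
    cooc_requests = defaultdict(set)   # (identity, ts) pairs, so a request next to
    for ident, reqs in by_identity.items():  # two bad lookups counts once
        reqs.sort()
        bad_times = [ts for ts, d in reqs if d in known_bad]
        for ts, domain in reqs:
            if domain in known_bad:
                continue
            if any(abs(ts - bt) <= window_s for bt in bad_times):
                cooc_identities[domain].add(ident)
                cooc_requests[domain].add((ident, ts))

    scores = {d: (len(cooc_identities[d]), len(cooc_requests[d]) / total[d])
              for d in cooc_identities}
    flagged = sorted(d for d, (n, r) in scores.items()
                     if n >= min_identities and r >= min_ratio)
    return scores, flagged


if __name__ == "__main__":
    scores, flagged = cooccurrence(LOGS, KNOWN_BAD)
    for domain, (n, ratio) in sorted(scores.items()):
        print(f"{domain:18} identities={n} ratio={ratio:.2f}")
    print("flagged:", flagged)
```

On the constructed log c2-next.example co-occurs for eight identities and every one of its requests sits beside the known-bad lookup, so it is flagged; popular.example also co-occurs for eight identities but only 8 of its 28 requests do, so the ratio keeps it out; rare.example has a perfect ratio but only one identity, which is the “statistically significant number of identities” condition doing its job.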
- 30.
INTELLIGENCE
Spike Rank model: patterns of guilt
A massive amount of DNS request volume data (requests per day for y.com) is gathered and analyzed.
The DNS request volume matches a known exploit kit pattern and predicts a future attack (pattern classes: DGA, malware, exploit kit, phishing).
y.com is blocked before it can launch the full attack.
- 31.
INTELLIGENCE
Predictive IP Space Monitoring: guilt by association
Pinpoint suspicious domains and observe their IP’s fingerprint
Identify other IPs, hosted on the same server, that share the same fingerprint
Block those suspicious IPs and any related domains
(Illustration: DOMAIN → 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479; these are placeholders as printed on the slide, since an IPv4 octet cannot exceed 255)
- 32.
INTELLIGENCE
‘Sender Rank’ model: predict domains related to spammers
Identify queries to spam reputation services: the mail servers of our 85M+ users check email reputation services for spam, so we see the requests made to check domains found in emails, e.g. a.spam.ru.checkspam.com and b.spam.ru.checkspam.com (domain of sender prepended to domain of service).
Model aggregates hourly graphs per domain: short bursts of 1000s of “Hailstorm” spam use many FQDNs (a.spam.ru … z.spam.ru), e.g. subdomains, to hide from reputation services; spam.ru is identified as a suspect domain.
Confirm the “Hailstorm” domain by checking behavior patterns: type of domain, domain popularity, historical activity.
Model identifies owners of “Hailstorm” domains: after confirmation, query WHOIS records to get the registrant of the sender domain (e.g. badguy).
Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware. The model automatically places registrants on a watch list; when new domains are registered at a future time, the model automatically verifies them and the new malicious domain is blocked by Umbrella.
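The whole pipeline on this slide (spot hailstorm bursts in reputation-service lookups, pull the registrant, watch-list it, verify later registrations) as an added example written for this page, not code from the deck or from Umbrella: the reputation-service name, the WHOIS table, the resolver log and the thresholds are all constructed for the example. The registrable-domain helper is deliberately naive (last two labels) and is the caveat to note: production code needs the public suffix list so that a burst of names under a shared suffix is not misattributed.

```python
from collections import Counter, defaultdict

REPUTATION_SERVICE = "rbl.checkspam.example"  # hypothetical reputation-service suffix

# Constructed WHOIS data: registrable domain -> registrant handle.
WHOIS = {"spam.example": "badguy", "spam2.example": "badguy", "legit.example": "acme-corp"}

# Constructed resolver log of the queries mail servers send to the reputation
# service: (timestamp_seconds, qname). The sender domain is prepended to the
# service name, as on the slide (a.spam.ru.checkspam.com).
#  - spam.example: 60 throwaway subdomains, each queried once, inside one hour
#  - legit.example: 3 real mail hosts queried repeatedly (busy but normal)
#  - spam2.example: one query in the next hour, newly registered by the same registrant
LOGS = (
    [(3600 + i * 30, f"h{i}.spam.example.{REPUTATION_SERVICE}") for i in range(60)]
    + [(3600 + i * 200, f"mx{i % 3}.legit.example.{REPUTATION_SERVICE}") for i in range(18)]
    + [(7210, f"www.spam2.example.{REPUTATION_SERVICE}")]
)


def registrable(fqdn):
    """Naive eTLD+1 (last two labels). Production code must use the public
    suffix list, otherwise 'example.co.uk' collapses to 'co.uk'."""
    return ".".join(fqdn.split(".")[-2:])


def sender_fqdns(logs, service=REPUTATION_SERVICE):
    """Yield (hour_bucket, sender_fqdn) for queries aimed at the service."""
    suffix = "." + service
    for ts, qname in logs:
        if qname.endswith(suffix):
            yield ts // 3600, qname[: -len(suffix)]


def hailstorm_domains(logs, min_unique=50, max_avg_hits=2.0):
    """Registrable domains that, within a single hour, were checked under at
    least `min_unique` distinct FQDNs with each FQDN seen on average at most
    `max_avg_hits` times: a burst of throwaway names, not a busy mail estate."""
    per_hour = defaultdict(Counter)  # (hour, registrable) -> Counter(fqdn)
    for hour, fqdn in sender_fqdns(logs):
        per_hour[(hour, registrable(fqdn))][fqdn] += 1
    suspects = set()
    for (_, domain), fqdns in per_hour.items():
        hits = sum(fqdns.values())
        if len(fqdns) >= min_unique and hits / len(fqdns) <= max_avg_hits:
            suspects.add(domain)
    return suspects


def watchlist_registrants(suspects, whois=WHOIS):
    """Registrants of confirmed hailstorm domains go on the watch list."""
    return {whois[d] for d in suspects if d in whois}


def flag_new_domains(new_domains, watchlist, whois=WHOIS):
    """Verify newly registered domains: block those from watch-listed registrants."""
    return {d for d in new_domains if whois.get(d) in watchlist}


if __name__ == "__main__":
    suspects = hailstorm_domains(LOGS)
    watch = watchlist_registrants(suspects)
    print("hailstorm:", suspects, "watchlist:", watch)
    print("blocked new:", flag_new_domains({"spam2.example", "legit.example"}, watch))
```

The two-sided test (many unique names, each seen only once or twice) is what keeps a large legitimate mail estate out: legit.example is checked eighteen times in the same hour but under only three host names, so it never reaches the watch list, while spam2.example is blocked on its first appearance purely because its registrant was already watch-listed.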
- 33.
INTELLIGENCE
‘Newly Seen Domains’ category reduces risk of the unknown
EVENTS
Attackers register domains. Umbrella’s Auto-WHOIS model may predict them as malicious.
1. Any user (free or paid) requests the domain (1).
2. Every minute, we sample from our streaming DNS logs.
3. Check if the domain was seen before and if it is whitelisted (2).
4. If not, add it to the category; within minutes, DNS resolvers are updated globally.
Before expiration (3), if any user requests this domain, it is logged or blocked as newly seen.
Later, Umbrella statistical models or reputation systems identify it as malicious.
Domains used in an attack.
Coverage over time: Cisco Umbrella protects within MINUTES and through the 24 HOURS window; reputation systems leave the domain potentially unprotected for DAYS TO WEEKS while it is not yet a threat, and only then protect it.
Notes:
(1) May have predictively blocked it already, and likely the first requestor was a free user.
(2) E.g. a domain generated for a CDN service.
(3) Usually 24 hours, but modified for best results, as needed.
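The four steps above (sample, check first-seen and allowlist, add to the category, expire after the TTL) as one added example written for this page and not code from the deck or from Umbrella: a small first-seen tracker keyed on the registrable domain. The allowlist patterns, the TTL, the class and method names and the sample requests are assumptions for the example; the registrable-domain split is naive and should use the public suffix list in practice.

```python
import re


class NewlySeenDomains:
    """Track first-seen time per registrable domain and classify requests.

    Categories returned by observe():
      'allowlisted' - matches a known-generator pattern (e.g. CDN hostnames)
      'newly_seen'  - first observation, or still inside the TTL window
      'known'       - seen before and past the TTL
    Whether 'newly_seen' is logged or blocked is a policy decision outside this class.
    """

    def __init__(self, ttl_s=24 * 3600,
                 allow_patterns=(r"\.cloudfront\.net$", r"\.akamaihd\.net$")):
        self.ttl_s = ttl_s
        self.allow = [re.compile(p, re.IGNORECASE) for p in allow_patterns]
        self.first_seen = {}   # registrable domain -> first observation time

    @staticmethod
    def registrable(domain):
        # naive eTLD+1; use the public suffix list in production
        return ".".join(domain.lower().rstrip(".").split(".")[-2:])

    def observe(self, domain, ts):
        if any(p.search(domain) for p in self.allow):
            return "allowlisted"
        key = self.registrable(domain)
        first = self.first_seen.setdefault(key, ts)
        return "newly_seen" if ts - first < self.ttl_s else "known"

    def sample_minute(self, requests, ts):
        """Process one minute's sample of requested domains. Returns the
        registrable domains that entered the category in this sample,
        i.e. the update that would be pushed to the resolvers."""
        added = []
        for domain in requests:
            key = self.registrable(domain)
            was_unknown = key not in self.first_seen
            if self.observe(domain, ts) == "newly_seen" and was_unknown:
                added.append(key)
        return added


if __name__ == "__main__":
    tracker = NewlySeenDomains()
    print(tracker.sample_minute(["a.fresh.example", "b.fresh.example",
                                 "d111111abcdef8.cloudfront.net"], 60))
    print(tracker.observe("a.fresh.example", 60 + 3600))        # newly_seen
    print(tracker.observe("a.fresh.example", 60 + 25 * 3600))   # known
```

Keying on the registrable domain rather than the full hostname is what stops an attacker from getting a fresh “first sight” for every subdomain; the allowlist is the slide’s note (2), since CDN-generated names would otherwise flood the category.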
- 34.
INTELLIGENCE
Our efficacy
Discover: 3M+ daily new domain names
Identify: 60K+ daily malicious destinations
Enforce: 7M+ malicious destinations while resolving DNS
- 35.
What sets Umbrella apart from competitors
Easiest connect-to-cloud deployment
Fastest and most reliable cloud infrastructure
Broadest coverage of malicious destinations and files
Most open platform for integration
Most predictive intelligence to stop threats earlier
- 36.
Cisco Cloudlock
Secure usage of cloud apps
- 37.
Cloudlock can provide visibility and control over global cloud activities, per user
- 38.
Key questions organizations have
Users/Accounts: Who is doing what in my cloud applications? How do I detect account compromises? Are malicious insiders extracting information?
Data: Do I have toxic and regulated data in the cloud? Do I have data that is being shared inappropriately? How do I detect policy violations?
Applications: How can I monitor app usage and risk? Do I have any 3rd-party connected apps? How do I revoke risky apps?
- 39.
Cisco Cloudlock addresses customers’ most critical cloud security use cases
Capabilities: Discover and Control, User and Entity Behavior Analytics, Cloud Data Loss Prevention (DLP), Apps Firewall, Cloud Malware
Use cases: Shadow IT/OAuth discovery and control, data exposures and leakages, privacy and compliance violations, compromised accounts, insider threats
- 40.
Here’s an example of why you need cloud user security
9:00 AM ET: login from North America
10:00 AM ET: data export from Africa
Distance from the US to the Central African Republic: 7362 miles. At a speed of 800 mph it would take 9.2 hours to travel between them, yet the two events are one hour apart.
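The check behind this slide as an added example written for this page, not code from the deck or from Cisco Cloudlock: per user, compare each audit event with the previous one, compute the great-circle distance between their geolocations and the speed that would have been required, and alert when it exceeds the airliner speed the slide uses (800 mph). The audit events and their coordinates (approximately New York, Bangui and Boston) are constructed for the example, as are the function names and the noise floor.

```python
import math

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in statute miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


# Constructed cloud audit events: (user, epoch_seconds, lat, lon, action).
# carol: New York login, then a data export from Bangui one hour later.
# dave:  New York login, then a Boston login one hour later (a normal commute).
EVENTS = [
    ("carol", 1_500_000_000,        40.71, -74.01, "login"),
    ("carol", 1_500_000_000 + 3600,  4.36,  18.56, "data_export"),
    ("dave",  1_500_000_000,        40.71, -74.01, "login"),
    ("dave",  1_500_000_000 + 3600, 42.36, -71.06, "login"),
]


def impossible_travel(events, max_mph=800.0, min_miles=50.0):
    """Flag consecutive events per user whose implied speed exceeds max_mph.

    max_mph defaults to the airliner speed used on the slide. min_miles
    ignores small jumps caused by geolocation noise around one city, and a
    pair with identical timestamps but distant locations is reported with
    speed = inf rather than dividing by zero.
    """
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[0], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])
        for prev, cur in zip(evs, evs[1:]):
            miles = haversine_miles(prev[2], prev[3], cur[2], cur[3])
            if miles < min_miles:
                continue
            hours = (cur[1] - prev[1]) / 3600
            mph = miles / hours if hours > 0 else math.inf
            if mph > max_mph:
                alerts.append({"user": user, "miles": round(miles, 1),
                               "hours": round(hours, 2), "mph": round(mph, 1),
                               "from": prev[4], "to": cur[4]})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

Sorting by timestamp before pairing matters because cloud audit logs are rarely delivered in order; and because the second event in the flagged pair is a data export rather than another login, the alert carries the action names so the responder sees at once that the session was used, not merely opened.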
- 41.
Have you ever been to 68 countries in one week?
- 42.
More than 24,000 files per organization publicly accessible
Data exposure per organization (share of files): accessible by external collaborators, accessible publicly, accessible organization-wide: 2%, 10%, 12%
24,000 files publicly accessible per organization
70% of external sharing done with non-corporate email addresses
Source: Cloudlock CyberLab
- 43.
Consider “connected” cloud apps: Pokémon Go
Chart: daily time spent by the average iOS user, in minutes: Pokémon Go 33, Facebook 22, Snapchat 18, Twitter 17, Instagram 15, Slither 10. Pokémon Go broke another record with a higher daily average user time than Facebook, Snapchat, and Instagram. Source: SensorTower.
Chart: time to reach 100 million users worldwide by year of launch: 1878, 75 yrs; 1879, 16 yrs; 1900, 7 yrs; 2004, 4.5 yrs; 2016 (Pokémon Go), 1 month (estimated). An unusual start: Pokémon Go breaking all mobile gaming records globally.
- 44.
Cisco Cloudlock: Cloud Access Security Broker (CASB) for identities, data, and apps
- 45.
CASB – API access (cloud to cloud)
Diagram: Cloudlock connects to the cloud apps through their public APIs; Cisco NGFW / Umbrella sit on the network path; coverage spans managed and unmanaged users, devices, and networks.
- 46.
Cloudlock has over 70 pre-defined policies
PII: SIN/ID numbers, driver license numbers, passport numbers
Education: inappropriate content, student loan application information, FERPA compliance
General: email address, IP address, passwords/login information
PHI: HIPAA, health identification numbers (global), medical prescriptions
PCI: credit card numbers, bank account numbers, SWIFT codes
- 47.
Cloudlock provides automated response actions
Detect → Alert (admin/users) → Security workflows → Response actions → API integrations
- 48.
Cisco Cloudlock differentiators
Smartest intelligence: CyberLab, crowd-sourced community trust ratings
Proven track record: deployed at over 700 organizations and supporting deployments of over 750,000 users
FedRAMP In Process: the only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization
Cisco ecosystem: integrated, architectural approach to security, vendor viability
Cloud-native: full value instantly, no disruption
- 49.
Why Cisco Cloud Security?
- 50.
Why customers love Cisco cloud security
Most effective protection
Simplest to deploy and manage
Most open platform
Most reliable
- 51.
Real customer results
Umbrella: “Deployed to 30,000 employees in less than 60 minutes”; “Reduced infections by 98%...saved 1.7 months of user downtime per year”; “Cut incident response time by 25-30%”
Cloudlock: “Reduced public exposure by 62% in one day”; “Intelligently reduced OAuth-connected apps by 34% in one week”; “Deployed to 125,000 employees in less than 5 minutes”
- 52.
Try Umbrella and Cloudlock today.
Tackle ransomware and other threats with Umbrella.
Enable the secure use of the cloud with Cloudlock.