Cisco Confidential. 2010 Cisco and/or its affiliates. All rights reserved.

Cyber Attacks: How do they do it?

James Risler, Technology Education Specialist, MBA, CISSP, CCIE #15412, jarisler@cisco.com

Overview
- Overview of my career
- High-level overview: cyber attacks and why
- What are some of the latest cyber attacks?
- How do they get around a firewall?
- Anatomy of the Target cyber attack
My Career
- 1990: Graduated from the University of South Florida, B.A. Economics
- Started selling CompuAdd computers; TEC was fired, had to build PCs
- Tech Data: tech support for Novell, Microsoft and Unix (first certification)
- Waldec Group: Certified Novell Instructor (CNI) / MCT / customer consulting; Disney Novell 4.1 deployment, DHCP/DNS deployment
- 1999: Cisco training, CCSI #21070, CCNP R&S
- 2003: Degree from the University of South Florida, B.S. General Business; started multiple small businesses doing IT consulting
- 2005: Passed the Cisco Certified Internetworking Expert (CCIE) exam, #15412
- 2010: Started working for Cisco Systems as a Technical Education Specialist, Security
- 2013: MBA, The University of Tampa, Information Systems; passed the CISSP exam; enrolled in the USF MS Cybersecurity program; focused career on cybersecurity issues, management, threat defense and strategies
What are Cyber Attacks?

The Why
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Breaches shown: Target, Univ. of MD, Neiman Marcus, TJ Maxx, Sony, Zappos, LinkedIn, Citigroup, Florida Courts

Where does it start?
To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations and their methods before, during and after an attack.
Increased Attack Surface: the threat landscape is evolving
(Timeline figure: 2000, 2005, 2010, Tomorrow)
- Threats: Worms; Spyware and Rootkits; APTs; Cyberwar
- Defenses: Antivirus (host-based); IDS/IPS (network perimeter); Reputation (global) and sandboxing; Intelligence and analytics (cloud); Enterprise response

Historical Perspective: the threat landscape is evolving

Cyber Attacks

Customized threats bypass the security gateways
- Perimeter gateways: Firewall, IPS, Web Sec, N-AV, Email Sec
- A customized threat bypasses the security gateways and spreads inside the perimeter
- A customized threat enters from inside and spreads to devices
- Perimeter security stops many threats, but sophisticated cyber threats evade existing security constructs
- Fingerprints of threats are often found in the network fabric

Attacker methodology
Professional attackers have a tried-and-true methodology. At each step, attackers have specific concerns and goals before they move on to the next step. Some steps are optional, depending on the goals and methods of the attack. By understanding the steps of the process, analysts can stop an attack in progress.
1. Gather info
2. Scan
3. Gain access
4. Escalate
5. Persist
6. Expand
7. Accomplish goal
8. Clean up

Four South Korean Think Tanks Attacked
- Phishing attack: emails with infected links sent to people in the organizations from Bulgarian email addresses
- Trojan dropper: a Dynamic Link Library (DLL)
- Keystroke logging
- Directory listing collection
- HWP document theft (only the documents being worked on)
- Remote control download and execution; remote control access
- Not typical: command and control used email servers
- Disables the machine's firewall

Security tooling by function
- Prevent: Network IPS, Host IPS, Firewall, Web Proxy, AntiVirus, Spam Prevention
- Detect: Network IDS, Advanced Malware, Behavioral anomaly, NetFlow anomaly
- Collection foundation: Device Monitoring, Performance Monitoring, Traffic Capture, Device Config, NetFlow, Event Logs, Proxy Logs, Web Firewall
- Analyze: NetFlow analysis, Malware analysis, SIEM analysis, Other Tools
- Mitigate: IP Blackhole, DNS Poisoning, Adv. ACLs
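The "NetFlow anomaly" and "Behavioral anomaly" rows above are where the Scan and Expand steps of the methodology, and the unusual command-and-control channel of the South Korean case, actually show up. The following script is an added example written for this page; it is not Cisco's code and not from the presentation. It runs three flow-based heuristics over a constructed NetFlow-style export: a horizontal sweep of one port across many internal hosts, an internal host that is not a mail server speaking SMTP to the outside, and a source that checks in with one external host at a near-constant interval. The address ranges, the mail-server allowlist, and every threshold are assumptions to be tuned to the environment.

```python
"""Flow-based detection for the Scan/Expand steps of the attacker
methodology and for C2 that rides on mail servers.

Added example, not Cisco's code. Flow records are constructed and reduced
to the fields the heuristics need (ts, src, dst, dport, bytes).
"""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the enterprise address space
MAIL_SERVERS = {"10.1.2.5"}                    # assumption: the only hosts allowed to send SMTP out


def build_sample_flows():
    """Constructed NetFlow-style export for illustration (not real traffic)."""
    lines = ["ts,src,dst,dport,bytes"]
    for i in range(12):                                  # SMB sweep across 12 neighbours in 12 s
        lines.append(f"{1000 + i},10.1.5.20,10.1.5.{30 + i},445,120")
    lines.append("1100,10.1.2.5,198.51.100.7,25,5400")     # legitimate relay from the mail server
    for i, jitter in enumerate([0, 3, -2, 5, -4, 1]):     # workstation checking in over SMTP every ~600 s
        lines.append(f"{2000 + 600 * i + jitter},10.1.7.33,203.0.113.10,25,900")
    for t in (2100, 2130, 2135, 2400, 3300):              # ordinary, irregular HTTPS browsing
        lines.append(f"{t},10.1.7.33,198.51.100.20,443,15000")
    return "\n".join(lines) + "\n"


CONSTRUCTED_FLOWS_CSV = build_sample_flows()


def parse_flows(text):
    return [{"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
             "dport": int(r["dport"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def horizontal_scans(flows, ports=(445, 1433), min_targets=10, window=60):
    """One source touching many distinct internal hosts on admin/DB ports inside
    a short window: the shape of a sweep such as Angry IP Scanner."""
    hits = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for f in flows:
        if f["dport"] in ports and is_internal(f["dst"]):
            hits[(f["src"], f["dport"])].append((f["ts"], f["dst"]))
    alerts = []
    for (src, port), events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window over sorted times
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append((src, port, len(targets)))
                break
    return alerts


def rogue_smtp(flows):
    """Internal hosts other than the mail servers sending to port 25 outside,
    which is how the think-tank malware reached its operators."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["dport"] == 25 and f["src"] not in MAIL_SERVERS
                   and not is_internal(f["dst"])})


def beacons(flows, min_count=5, max_jitter=0.1):
    """Repeated connections from one src to one external dst:port at a
    near-constant interval look like a scheduled check-in, not a person."""
    series = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]):
            series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = []
    for key, ts in series.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((*key, round(mean)))
    return found


if __name__ == "__main__":
    flows = parse_flows(CONSTRUCTED_FLOWS_CSV)
    print("scans:", horizontal_scans(flows))
    print("rogue smtp:", rogue_smtp(flows))
    print("beacons:", beacons(flows))
```

On real exports the same three functions apply unchanged once the collector's fields are mapped onto ts/src/dst/dport; the scan and beacon thresholds are the parts that need tuning, since vulnerability scanners and monitoring agents legitimately produce both patterns and should be allowlisted by source address.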
Complex Threat Puzzle: Flow, Context and Control
- Network switches as enforcement points for increased control
- Use NetFlow data to extend visibility to the access layer
- Unite flow data with identity, reputation and application for context: WHO, WHAT, WHERE, WHEN, HOW
- For an address such as 65.32.7.45 the questions are: reputation? device? events? user? posture (vulnerability, AV, patch)?

Hacked While Browsing

Target Attack - Phases
1. Phish the HVAC vendor; steal credentials for the Target-hosted web server
2. Scan the network; determine that the HVAC vendor's access is to a shared web server
3. Upload a PHP script to the web server through a vulnerability in the application
4. Control of the web server; scan for relevant targets for propagation (MSSQLSvc/Billing)
5. Attack the Microsoft AD domain: steal credentials (password hashes and access tokens) on the web server and reuse them (pass-the-hash)
6. Create a new admin account in the MS AD domain
7. Propagate to relevant computers (Angry IP Scanner); bypass security solutions (tunneling with PsExec)
8. Attack the SQL server: steal 70 million PII records (no credit cards, because PCI compliant); tools: osql.exe, isql.exe, bcp.exe
9. Download POS malware and install it on the POS systems (Kaptoxa malware)
10. Send stolen credit card info to a network share (FTP transfer)
11. Upload the credit card information to an FTP site

Summary
- Background
- The why and what
- Cyber attacks
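Phases 5 through 8 of the Target chain above leave traces in Windows Security and System event logs: a pass-the-hash logon on the web server, an account created and then added to Domain Admins, PsExec registering its service on each host it propagates to, and the command-line SQL clients the slide names running on the database server. The script below is an added example written for this page; it is not Cisco's code and the records are constructed, not Target's logs. Field names follow the usual JSON export of Windows events (EventID plus the EventData fields). The pass-the-hash rule (network logon, NTLM, key length 0, excluding ANONYMOUS LOGON) is a common heuristic and an assumption that must be tuned against legitimate NTLM use; the 4688 rule assumes process-creation auditing with command-line logging is enabled.

```python
"""Event-log detection for the AD and SQL phases of the Target chain.

Added example, not Cisco's code. SAMPLE_EVENTS is constructed: one JSON
object per line, in time order, mimicking exported Windows events.
"""
import json

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
SQL_EXPORT_TOOLS = {"osql.exe", "isql.exe", "bcp.exe"}   # the tools named on the slide

SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T02:10:03Z","host":"WEB01","EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","KeyLength":0,"TargetUserName":"svc_web","IpAddress":"10.20.4.17"}
{"ts":"2024-05-01T02:10:09Z","host":"WEB01","EventID":4624,"LogonType":3,"AuthenticationPackageName":"Kerberos","KeyLength":128,"TargetUserName":"alice","IpAddress":"10.20.9.5"}
{"ts":"2024-05-01T02:10:15Z","host":"WEB01","EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","KeyLength":128,"TargetUserName":"bob","IpAddress":"10.20.9.8"}
{"ts":"2024-05-01T02:10:20Z","host":"WEB01","EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","KeyLength":0,"TargetUserName":"ANONYMOUS LOGON","IpAddress":"10.20.9.9"}
{"ts":"2024-05-01T02:11:40Z","host":"DC01","EventID":4720,"TargetUserName":"adm_new","SubjectUserName":"svc_web"}
{"ts":"2024-05-01T02:11:41Z","host":"DC01","EventID":4728,"MemberName":"CN=adm_new,CN=Users,DC=corp,DC=local","TargetUserName":"Domain Admins","SubjectUserName":"svc_web"}
{"ts":"2024-05-01T02:11:50Z","host":"DC01","EventID":4728,"MemberName":"CN=bob,CN=Users,DC=corp,DC=local","TargetUserName":"Domain Admins","SubjectUserName":"alice"}
{"ts":"2024-05-01T02:20:02Z","host":"BILL01","EventID":7045,"ServiceName":"PSEXESVC","ImagePath":"%SystemRoot%\\PSEXESVC.exe"}
{"ts":"2024-05-01T02:20:30Z","host":"BILL01","EventID":7045,"ServiceName":"VendorAgent","ImagePath":"C:\\Program Files\\Vendor\\agent.exe"}
{"ts":"2024-05-01T02:31:07Z","host":"SQL01","EventID":4688,"NewProcessName":"C:\\Program Files\\Microsoft SQL Server\\100\\Tools\\Binn\\bcp.exe","CommandLine":"bcp.exe billing.dbo.customers out C:\\tmp\\c.dat -c -T","SubjectUserName":"adm_new"}
{"ts":"2024-05-01T02:31:09Z","host":"SQL01","EventID":4688,"NewProcessName":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe","SubjectUserName":"alice"}
"""


def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def pass_the_hash_logons(events):
    """4624 network logon over NTLM with a zero-length session key, as hash
    replay tools produce. Heuristic: tune against legitimate NTLM clients."""
    return [(e["host"], e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("KeyLength") == 0
            and e.get("TargetUserName") != "ANONYMOUS LOGON"]


def _cn(dn):
    """'CN=adm_new,CN=Users,DC=corp,DC=local' -> 'adm_new'."""
    return dn.split(",")[0].split("=", 1)[1]


def new_privileged_accounts(events):
    """An account created (4720) and later added to a privileged group
    (4728 global / 4732 local). Deliberately scoped to accounts that were
    created in the same log stream, i.e. phase 6 of the chain."""
    created = {}   # username -> who created it
    findings = []
    for e in events:
        if e["EventID"] == 4720:
            created[e["TargetUserName"].lower()] = e["SubjectUserName"]
        elif e["EventID"] in (4728, 4732) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            member = _cn(e["MemberName"]).lower()
            if member in created:
                findings.append((member, e["TargetUserName"], created[member]))
    return findings


def psexec_service_installs(events):
    """System event 7045: PsExec drops PSEXESVC.exe and registers it as a
    service on every host it is pointed at, which is phase 7 propagation."""
    return [(e["host"], e["ServiceName"]) for e in events
            if e["EventID"] == 7045
            and ("PSEXESVC" in e.get("ServiceName", "").upper()
                 or "PSEXESVC" in e.get("ImagePath", "").upper())]


def sql_export_tools(events):
    """4688 process creation of the command-line SQL clients from the slide.
    Requires 'Audit Process Creation' plus command-line logging."""
    out = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        exe = e["NewProcessName"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe in SQL_EXPORT_TOOLS:
            out.append((e["host"], exe, e.get("SubjectUserName"), e.get("CommandLine", "")))
    return out


def triage(events):
    """Run every rule; a hit in more than one of them on the same user or host
    is the chain the slide describes rather than a single noisy event."""
    return {"pass_the_hash": pass_the_hash_logons(events),
            "new_privileged_accounts": new_privileged_accounts(events),
            "psexec_installs": psexec_service_installs(events),
            "sql_export_tools": sql_export_tools(events)}


if __name__ == "__main__":
    for rule, hits in triage(load_events(SAMPLE_EVENTS)).items():
        print(f"{rule}: {hits}")
```

The value of running the rules together is in the pivot: the same identity (svc_web) appears in the pass-the-hash logon and as the creator of the new admin, and that new admin is the one running bcp.exe against the billing database. A single 7045 or a single NTLM logon is routine noise in most estates; the sequence across hosts is not.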