
Cisco Confidential. © 2010 Cisco and/or its affiliates. All rights reserved.

Cyber Attacks: How do they do it?

James Risler
Technology Education Specialist, MBA, CISSP, CCIE #15412
jarisler@cisco.com
Overview of my Career
High-level Overview: Cyber Attacks and Why
What are some of the latest Cyber attacks?
How do they get around a Firewall?
Anatomy of the Target Cyber attack
Graduated 1990, University of South Florida, B.A. Economics
Started selling CompuAdd computers; TEC was fired, had to build PCs
Tech Data Tech Support: Novell, Microsoft and Unix (first certification)
Waldec Group: Certified Novell Instructor (CNI) / MCT / customer consulting
Disney: Novell 4.1 deployment, DHCP/DNS deployment
Cisco training 1999, CCSI #21070
CCNP R&S
Degree 2003, Univ. of South Florida, B.S. General Business
Started multiple small businesses doing IT consulting
2005: Passed Cisco Certified Internetworking Expert (CCIE) exam, #15412
2010: Started working for Cisco Systems as Technical Education Specialist, Security
MBA 2013, The University of Tampa, Information Systems
Passed CISSP exam
Enrolled in USF MS Cybersecurity program
Focus career on cybersecurity issues, management, threat defense, strategies

What are Cyber Attacks?
The Why
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Target
Univ. of MD
Neiman Marcus
TJ Maxx
Sony
Zappos
LinkedIn
Citigroup
Florida Courts
Where does it start!
To truly protect against all of these possible attacks, defenders must understand the attackers, their motivations and their methods before, during and after an attack.
Threat Landscape is Evolving!
Figure: timeline (2000, 2005, 2010, Tomorrow) of threats against defenses. Threats: Worms; Spyware and Rootkits; APTs; Cyberwar; Increased Attack Surface. Defenses: Antivirus (Host-Based); IDS/IPS (Network Perimeter); Reputation (Global) and Sandboxing; Intelligence and Analytics (Cloud); Enterprise Response.
Historical Perspective: Threat Landscape is evolving
Cyber Attacks
Figure: perimeter security gateways (Firewall, IPS, Web Sec, N-AV, Email Sec). A customized threat bypasses the security gateways and spreads inside the perimeter; a customized threat can also enter from inside and spread to devices.
Perimeter security stops many threats, but sophisticated cyber threats evade existing security constructs.
Fingerprints of threats are often found in the network fabric.
Professional attackers have a tried-and-true methodology. At each step, attackers have specific concerns and goals before they move on to the next step. Some steps are optional, depending on the goals and methods of the attack. By understanding the steps of the process, analysts can stop an attack in progress.
Steps, in order: Gather info, Scan, Gain Access, Escalate, Persist, Expand, Accomplish Goal, Clean Up
Four South Korean Think Tanks Attacked
Phishing attack: emails with infected links sent to people in the organizations, from Bulgarian emails
Trojan dropper: Dynamic Link Library (DLL)
Keystroke logging
Directory listing collection
HWP document theft: only documents being worked on
Remote control: download and execution
Remote control access
Not typical Command & Control: used email servers
Disables the machine's firewall
Figure: security operations stack, from the collection foundation up through prevention, detection, analysis and mitigation.
Prevent: Network IPS, Host IPS, Firewall, Web Proxy, AntiVirus, Spam Prevention
Detect: Network IDS, Adv. Malware, Behavioral anomaly, NetFlow anomaly
Collect (Foundation): Device Monitoring, Performance Monitoring, Traffic Capture, Device Config, NetFlow, Event Logs, Proxy Logs, Web, Firewall
Analyze: NetFlow, Malware analysis, SIEM Analysis, Other Tools
Mitigate: IP Blackhole, DNS Poisoning, Adv. ACLs
Complex Threat Puzzle
Network switches as enforcement points for increased control
Use NetFlow data to extend visibility to the Access Layer
Unite flow data with identity, reputation, application for context
Figure: Flow, Context and Control. Questions to answer about a host on the network (example address 65.32.7.45): WHO, WHAT, WHERE, WHEN, HOW. Labels around the network: Reputation? Device? Events? User? Posture? (Vulnerability, AV, Patch).
Hacked While Browsing
Target Attack - Phases
1. Phish HVAC vendor: steal credentials to the Target-hosted web server
2. Scan network: determine HVAC vendor access to the shared web server
3. Upload PHP script to web server: vulnerability in application
4. Control of web server: scan for relevant targets for propagation (MSSQLSvc/Billing)
5. Attack Microsoft AD domain: steal access tokens on web server (pass-the-hash)
6. Create new admin account in MS AD domain
7. Propagate to relevant computers (Angry IP Scanner); bypass security solutions (tunneling with PsExec)
8. Attack SQL server: steal 70 million PII records (no credit cards because PCI compliant)
   Tools: Osql.exe, Isql.exe, Bcp.exe
9. Download POS malware and install on POS (Kaptoxa malware)
10. Send stolen credit card info to network share (FTP transfer)
11. Upload credit card information to FTP site
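As an added example (not part of the deck and not Cisco code), the following Python applies the earlier slides' point that fingerprints of threats are found in the network fabric, and the NetFlow-anomaly and flow-plus-identity-context slides, to two of the Target phases listed above: the network propagation scanning in step 7 shows up as one source contacting many internal hosts on one port, and the FTP transfer of stolen data in steps 10 and 11 shows up as an unusually large outbound volume to an external host. It also attaches WHO/WHAT context to each alert from an identity map. All flow records, addresses, thresholds and the identity map are constructed for the example.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# One NetFlow-style record, reduced to the fields the two detections need.
Flow = namedtuple("Flow", "src dst dport proto bytes_out")

# Constructed internal address space; a real deployment would load this from IPAM.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed (hypothetical) identity context; in practice this comes from AD, ISE or DHCP logs.
IDENTITY = {
    "10.1.5.20": {"user": "svc-web", "role": "shared web server"},
    "10.1.5.21": {"user": "jdoe", "role": "workstation"},
}


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed sample traffic: benign browsing, a port sweep, and a bulk FTP upload."""
    flows = []
    # Benign: a workstation talking to one internal app and one external site.
    flows += [Flow("10.1.5.21", "10.1.9.10", 443, "tcp", 4_000) for _ in range(10)]
    flows.append(Flow("10.1.5.21", "198.51.100.9", 443, "tcp", 2_500))
    # Scanner-like: one host probing 30 distinct internal hosts on the same port.
    flows += [Flow("10.1.5.20", f"10.1.7.{i}", 445, "tcp", 120) for i in range(1, 31)]
    # Bulk transfer from an internal host to an external FTP server (3 x 20 MB).
    flows += [Flow("10.1.5.20", "203.0.113.7", 21, "tcp", 20_000_000) for _ in range(3)]
    return flows


def detect_fan_out(flows, min_hosts=20):
    """Sources contacting at least min_hosts distinct internal hosts on one port."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            targets[(f.src, f.dport)].add(f.dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_hosts}


def detect_large_egress(flows, threshold=50_000_000, ports=frozenset({20, 21})):
    """Internal sources pushing more than threshold bytes to one external host on FTP ports."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.dport in ports:
            totals[(f.src, f.dst)] += f.bytes_out
    return {key: total for key, total in totals.items() if total > threshold}


def enrich(src):
    """WHO/WHAT context for an alert; unknown when the address has no identity mapping."""
    ctx = IDENTITY.get(src, {"user": "unknown", "role": "unknown"})
    return f"{src} (user={ctx['user']}, role={ctx['role']})"


def run(flows):
    """Run both detections and return human-readable alerts with identity context."""
    alerts = []
    for (src, port), count in detect_fan_out(flows).items():
        alerts.append(f"fan-out: {enrich(src)} touched {count} internal hosts on tcp/{port}")
    for (src, dst), total in detect_large_egress(flows).items():
        alerts.append(f"egress: {enrich(src)} sent {total} bytes to external {dst} over FTP")
    return alerts


if __name__ == "__main__":
    for alert in run(build_sample_flows()):
        print(alert)
```

The thresholds are deliberately simple; in production they would be tuned per segment (a vulnerability scanner legitimately fans out, and a backup host legitimately sends large volumes), which is exactly why the identity and role context on each alert matters.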
Background
The Why and What
Cyber Attacks
Target Example
Questions/Discussion?

Thank You