Module 5: Security Intelligence: Tracking a Global Threat (45 min) - Rush Carskadden


Diversity of Attacks (0:15)
So again, starting off, just a little bit of background on Security Intelligence
Operations and how that works. What we're witnessing in the threat environment
over the past several years is that increasingly, threats are extremely diverse in
their approaches, and, in fact, what we're seeing with the most recent threats is
that not only do they have diverse implementations and vectors of attack, they
actually also will exhibit multiple vectors of attack at the same time.
So you'll have a single threat that represents multiple vectors of attack at--
throughout its life cycle, and that's what we really refer to as a blended threat-- so
a blended threat that will attack via multiple vectors but also change over time.
So that's--that's the sort of polymorphic nature of the threats that we're seeing
now. In order to properly address those blended threats, we need to change the
approach to gathering intelligence on those threats. So while historically we've
looked at a threat as a single instantiation, a single element at a single point in
time, a blended threat requires us to gather much more context.
So while previously we were looking at the content of the threat, really kind of
looking at what is-- for instance, if it's malware, what is this file? What is the
content of the file? And then writing some sort of capability and algorithm that
allows us to identify that particular content. With the content changing and the
fact that all of these different threats, at any given point in the life cycle of the
threat, could possibly be unique, sort of the metaphor being unique like a
snowflake or unique as it evolves throughout its life cycle, that's where we're
starting to focus more on the context.

Comparing the Content and Context of a Threat (2:09)


And this is something that you hear a lot from Cisco, and hopefully, I think you're
hearing that from various companies throughout the security industry. There's
really now a greater focus on the context. So you want to know all of the aspects
of the threat above and beyond what that threat looks like as a particular piece
of, for instance, malware at rest. You want to understand the behaviors of the
threat. You also want to understand where it comes from, what it targets, and
what types of-- what types of behaviors it-- a--an infection might be used to
engage in.

Cisco SIO Overview (3:03)


So we'll talk a little bit about what that means, understanding that full context, but
in order for us to know that context-- and that really is the goal of contemporary
security and intelligence-- we have built this capability that we refer to as Cisco
Security Intelligence Operations, and really the function, the goal of Security
Intelligence Operations, is to understand the life cycle of all of the extant threats

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public

Page 1 of 13
on public and private networks throughout their life cycle, to have that holistic
view of all of the potential sources of malicious activity, the different types of
malicious activities, and the different types of malicious content. So combining all
of that together is the goal of this Security Intelligence Operations, and it's really--
SIO is divided into three major areas of focus.
There's SensorBase, which is the capability that enables us to gather information
from the threat environment. In other words, that's the capability that enables us
to gather information from deployment in all of the different global networks, but
then there's the Threat Operations Center.
That information by itself that we gather from SensorBase is not actionable in the
sense that it clearly illustrates the threats and all of the different parameters
associated with those threats. In order to pull out that information, we need to
process that data that we gather in SensorBase, and we do that in the Threat
Operations Center. This is where we turn all of that data into the intelligence that
enables us to equip our security technologies to address the threats but also
enables us to talk with you, as I am today, about the lessons that we have
learned from Security Intelligence Operations.
And then there are the Dynamic Updates. This is really kind of the area where we
take what we learn in the Threat Operations Center and provide it back to you
and provide it back to the security devices themselves. So whether it's a firewall
or IPS, a web or email security technology, those technologies need to learn from
the information that we gather, and that's what the Dynamic Updates are really
focused on doing.

Detailed Explanation of SensorBase (5:20)


So let's talk in a little bit more depth about each one of these categories. So
again, we can kind of connect the dots from the data that comes in to the Threat
Operation Centers every day all the way through to what it is that we have
learned based off of the threats that we're tracking right now. So SensorBase, as
I said before, is really kind of the open end of the funnel. SensorBase is where
we gather all of the raw data. Today, that's over 4 terabytes of data that we
receive every day, and that data, it comes in all different formats, and the reason
why it comes in such a wide variety of formats is that the primary source of that
information that we're gathering is Cisco security technologies. So what we have
done is, we've enabled all of the different Cisco security technologies to provide
information back to SIO.
So each individual implementation, each individual customer and operator has
the opportunity to opt in to sending information back to the global SIO network.
That's anonymized information that is really focused on the parameters of the
threats that those security technologies are witnessing. So we want to know who
the attackers are, what the attacks are, and what the ensuing behaviors after,
perhaps, a point of infection might be. So that information is really only collected
effectively from live security deployments. While we do have honeypots,
honeynets, the wide variety of the threats that we see on a day-to-day basis
really demand that we have-- cast a wider net, and that's the goal of using live
deployments as the source of that information.
We look at over 30 billion web requests a day. So that's--we're analyzing more
web requests each day than Google, and the type of web requests that we look
at run the entire spectrum from just a basic search request all the way through to
all of the different content advertisements, files that are-- that are--compose-- that
compose a web visit for a particular web request. All of that information is
gathered and analyzed by us on a daily basis, and again, that's based off of live
deployments.
We have enormous visibility in the email messages with email security
technologies, and that, in turn, gives us visibility into a large percentage of the
worldwide traffic. While historically spam has represented a huge percentage of
worldwide traffic and, hence, email has represented the majority of worldwide
traffic, with recent advances in spam and the work that we have been doing to be
more effective in antispam, we've been able to sort of reduce the footprint of
spam in the global traffic. That's good for us, because it helps us more precisely
sort of zero in on that threat activity. But as important as the huge spectrum of
threat information that we collect is-- and, you know, it's said often that nearly
every packet that crosses the internet touches a piece of Cisco technology, and
we have enabled-- increasingly enabled those Cisco technologies to provide that
threat intelligence information-- it's important that we have the right type of
information as well.
You know, gathering intelligence from one type of security technology is not ever
going to make that security technology more effective. Said differently, if we were
just to take what an IPS knows is malicious activity up into the cloud, there's very
little learning that we can do based off of that information that will enable an IPS
to be more effective. This is really just sort of the circular nature of the data. You
can't improve-- you can't get an IPS to find new things necessary-- or it's very
difficult, I should say, to have an IPS find new things based off of data that is
what IPS already finds. Where we are very effective is in combining the different
types of security technologies together and using that to detect these new and
emerging threats.
So, for instance, if you have a threat where you are receiving email, a spam, let's
say, with a malicious attachment or a link to malicious content that would then
direct you to a website that distributes malware. That malware-distributing site
could then compromise an end point, and that end point would then turn around
and start directing attacks at other entities across the LAN. While--if we were to
look at this from the standpoint of any single security technology, we would see
three different threats. Really it's one threat that has three different faces or three
different points in its life cycle, but the threat itself is tied together.
And so that's the goal of the intelligence that we gather, and the result of the-- the
result of the research that we do on that data is that we're able to piece together
the entire history of a threat from its point of origin through its propagation and all
of its different vectors of attack as well as what happens after a point of infection
and all of the resulting behaviors that are associated with that. That's important,
as you might imagine, with threats like, for instance, a botnet where an infection
is then used-- or a compromised host is then used for other tasks. So piecing that
all together is the vision here, and it's interesting, because that's where we have
learned the most.
Let me give you an example there. An often quoted statistic on the part of Cisco
is that, you know, 80% of the spam that is sent, it's sent by an infected host,
right? I was just talking about botnets. That's the source of the majority of the
spam that is sent today, the vast majority. But we're only able to identify that by
knowing that an infection has taken place, seeing the evidence of that
compromise, and also seeing that particular entity as an origin for spam. So
that's interesting, because that a host has sent spam before is a good indicator
that it will send spam again, but beyond that, it's also a good indicator that it will
engage in other infectious activities or other malware-propagating activities,
perhaps even Denial of Service.
Another example would be that we've found great coincidence between certain
types of web content or the categorization of a source of web content and its
propensity for distributing malware. So certain types of content providers that
have entities on the internet also have a high probability of hosting malware. An
example that we have seen there is that websites that host advertisements for
online gambling also frequently host malware or malicious content. Now, we can
have a lot of theories about why that might happen, and, in fact, that's a lot of
what-- the types of research that gets spun off of what we do in SIO, but the
reality is, it's not important that we understand the details of why there is that
coincidence. It's important that we monitor that coincidence itself.
So we need to monitor there both of those parameters, look for a pattern, and
then train our machine learning to then take advantage of that pattern for our
security purposes. It doesn't require us to always know the motivations, though
those motivations are interesting to us, but really, it's the pattern itself that drives
the effectiveness.

Threat Operations Center (14:02)


Moving on, collecting all of that data is really a pretty daunting task when you
think about the volume, but it's not the hard part, right? The challenge is actually
doing something with that data that results in actionable intelligence. This is
where we have placed an enormous investment in our research and
development over the past couple of years. You can see here, we spent over
$100 million in developing dynamic research and development capabilities within
the Threat Operations Center. That's the machine learning. That's the ability of
the systems themselves to identify those patterns and bring them to the forefront
of all of the data that we collect. The nature of that research is, by necessity, 24/7, 365 operations. This is around the clock.
We have all of these algorithms working to identify these patterns and then
establish whether or not-- whether or not they are conclusively malicious. So
that's a marriage of algorithms and expertise in a sense because those
algorithms do have to be developed by engineers, by experts in security
intelligence, and obviously, there's always a portion of the problem set that needs
to be addressed by human intelligence. This is the type of activity like reverse
engineering malware or infiltrating a botnet to understand its command-and-control
communications. That's where the 500 engineers, technicians, and
researchers come in.
Our approach to the Threat Operation Centers is somewhat familiar to many of
Cisco's customers in a sense that if you're familiar with TAC and how we pursue
our TAC-- the TAC services that we provide, it's very similar. So Threat
Operation Centers are distributed around the globe, largely sort of time-divided
throughout the day, and you'll see there that there's that even distribution that's
similar to the "follow the sun" model, although, you know, the time frames that
are most interesting for us in Threat Operation Centers' activities aren't
necessarily the same as business hours, right?
So we've joked before that instead of it being like "follow the sun," it's more like
"follow the moon," but the important thing to note there is that those Threat
Operation Centers are geolocated around the globe on a time basis but also that
they're not necessarily geographically colocated with TAC. In fact, in no instance
is there sort of a free access between TAC and Threat Operation Centers, and
that's really driven by the privacy and security needs of the Threat Operations
Center research.

Dynamic Updates (17:05)


Lastly, we'll talk about the Dynamic Updates. This is not an area that I'm going to
go into a whole lot of depth, because we want to talk a lot about our lessons
learned, what all of this data amounts to for us in our research, but I do want to
touch on the idea that all of this research does result in intelligence rules and
updates that can be provided to the security technologies themselves. So any
Cisco security technology gets updates from SIO on an every three- to five-minute basis, but, um-- and that is the primary goal of security intelligence, right?
So our mission, our philosophy is such that understanding the threat environment
is just the first step in the battle. We haven't succeeded until we've been able to
take that intelligence and put it to good use. In other words, knowing that there is
a threat out there is not-- is not where we stop. We go beyond that to, "All right,
now how can we address that threat across all the security technologies?" And
do so in a very rapidly responsive manner. So that gives you a feel for Security
Intelligence Operations.
As I described it before, this is a--this is-- if you sort of imagine as a huge funnel,
there's tons of data coming in one side, and there is a pretty precise signal and-- from-- that is extracted from that noise that comes out the other, and that signal
is where we focus our efforts in understanding those threats. Let's talk a little bit
here about what we have learned recently about the threats that we're
witnessing. A couple of trends that are worth noting...

External Threat Trends (19:00)


One of the things that you'll hear from really any credible security vendor today is
that the cybercrime ecosystem is extremely sophisticated. It is well developed
from a-- both a technological and business perspective. This is really not
anything that's, I think, all that surprising or should be all that surprising for most
of the folks that are interested in this topic and engaged in security activities on a
regular basis. What's interesting, though, to us is how that cybercrime ecosystem
is changing the nature of the threats that we witness.
So the ready availability of malware that can be customized to your purposes is
changing those threats to be more customized as we see them going across the
wire, and that's kind of the impact that we've already talked about in the
beginning here of, you know, resulting in blended threats, resulting in
polymorphic threats, things that we see change very rapidly. The customization
aspect of it means that the content itself is widely varied. But also, it's interesting
in a sense that it has focused the security industry on those items that are
easiest to identify in terms of their homogenous nature. So when you have an
installs market of that nature, you're going to look for malware that all looks the
same-- if you're taking a content approach, you're gonna look for malware that all
looks the same without necessarily knowing where it comes from or where it
goes.
This is what leads us to focus, I think, probably a little too much on things like,
you know, large botnets. Large botnets are interesting, and we talk a lot about
them because security-- players in the security industry generally are able to
identify them. They're large, right? What we're looking at right now in SIO,
though, are the smaller and more impactful threats, and to give you an example,
if I can draw your attention to one of the things on this slide, it's actually a
condition of the transaction that you engage in.
You know, you can purchase custom malware, how to install-- you can purchase
installs. And really for about $1,000 U.S., you can have a pretty comprehensive
botnet at your disposal, but if you look at these conditions, the first line here says,
"We don't pay for Russian installs." That's pretty interesting, because while
recently-- or I would say in recent years, we have seen a huge, huge install base
of malware and compromised devices in sort of what we would consider to be
Russian or former Soviet territory geographically or geopolitically. What we're
seeing now is a pretty aggressive move away from that on the part of the people
that are engaging in the cybercrime ecosystem, and the reason for it is that it's
easy to find. Many security researchers have sort of developed a comprehensive
understanding of where those areas of potential malware install are in those
regions, and they're not looking-- or, I'm sorry, rather, the criminals that are
engaging in this ecosystem are not looking for those installs because they're so
easy to identify.
They're also less reliable as a potential point of attack or spam or whatever type
of behavior they then want to engage in. So that's pretty interesting. And what
we're seeing as a replacement there is in-- perhaps very interesting for the
people on the phone today-- what we're seeing as a replacement is an increase
in the number of installs that we see in-- throughout Asia, right?
So Asia-- Asia, in the larger sense, has become the broader sort of playing field
for this type of install of malware, and the reason for that is, there are a large
number of people who are participating in the economy in that region, and I think
that this is something perhaps you've heard a little bit about. That's-- that is a-- been a population explosion in terms of people who are participating in this
ecosystem. New hackers, access to technology, real, real comprehensive
understanding of the necessary topics to be effective-- on either side of the
cybercrime or security coin, these things are leading to a lot of people who are
participating in this activity, but the other side of that is that there is a broad
spectrum of vulnerability within that region as well.

Vulnerability Context (24:18)


So if we were to associate where we see vulnerabilities geopolitically, there is an
explosion of unlicensed software or unupdatable software that occurs in specific
geopolitical locations, and it's probably not a huge assumption to then take a look
at where we see dark net activity or where we see compromise, and it maps
pretty clearly there to where those vulnerabilities exist.
So, you know, you can see a very obvious correlation between these two
diagrams that illustrates that where there are vast numbers throughout internet
space or where there are vast numbers of machines that cannot be updated or
have not been updated, for whatever reason, to minimize vulnerability, where
that attack surface exists, we're also seeing that there's compromise and then,
later, participation in the dark net. So there's a pretty clear indication there of
correlation.
Kind of another thing that I want to talk about, though, is, I'm talking a little bit
about how big, loud, dumb threats are what everyone's moving away from in that
cybercrime ecosystem, and I'm going to talk in some real specific detail here in
just a moment of where we're seeing that focus replaced, but I just want to call
out one other thing from the sort of terms and conditions that you see here for
one of these cybercrime providers. Where I pointed out at the top, "Don't pay for
Russian installs," skip down a little bit. What you'll see is, "You may install it by
any means except spam," and on the bottom line, you'll see, "All spam is
prohibited."
The reason for that is because a large number of people who are researching in
the security industry are able to identify malware by combing through this
malicious spam, by looking at spam that links to websites and then hitting those
websites to look for malware, whether it's with a crawler or what have you, or if
it's just pulling out the files that are attachments. That has been an incredibly
effective way to identify or sort of source your understanding of what the malware
environment looks like.
That's something that Cisco pioneered, actually, in many ways, or rather, it was
the IronPort which then was acquired by Cisco and has become part of this
larger SensorBase effort on our part. We were, like, first to the market with that
approach to identifying the malware via mining the spam. Interestingly, it's been
effective enough that that's what everyone's moving away from now. In fact, it's
difficult for you to sell a malware install if you have in any way installed a--spam.
You might ask yourself, "How do people who participate in the cybercrime
ecosystem know that it was-- the install was distributed via spam?" The same
way that security researchers do: the participants in the cybercrime ecosystem
use the same approaches, the same technologies to mine spam for malware,
and when they see it, they can identify whether that malware was distributed via
spam and reject those types of installs. So moving on from that, if the-- what I
described as the big, loud, dumb approach to distributing malware is on its way
out, what are we seeing now? What's replacing that?

Targeted Threat Vectors (28:00)


Well, what we're seeing are targeted threat vectors. Now, "targeted" is somewhat
of a loaded term, because, you know, you could say that "targeted" could be
something that's just casting a little bit more precise net than, say, broad-based
spam all the way down to "extremely targeted" could be like spear phishing.
All of that spectrum is where we're seeing the threats today, although we'll
focus a little bit today on the areas where we're seeing targeted threats in sort of
what we'll call sort of small groups, right? And we refer to this as demographic
targeting, right? So this is targeting not just based off of, "For whom do I have an
email address?" but targeting more specifically on, "What do I know about the
potential-- the potential for infection and then manipulation of that compromised
host?"
We want to know that, for instance, that's a machine that has a high likelihood of
an always-on internet connection, those types of things. So that demographic
aspect is increasingly what we're seeing. There are really four areas of targeted
threats that we want to talk about today. That's SEO poisoning, search engine
optimization poisoning. There's infected legitimate sites. There's targeted email,
and then there's social networking. Those are really kind of the big four, and then
we're gonna talk a little bit in more detail about a couple of these to give you a
feel for what we're seeing as far as those threats and how they're implemented
today.

Search Engine Optimization (SEO) Poisoning (29:39)


So let's start with search engine optimization poisoning. You know, as I
mentioned earlier, I live in central Texas in the United States, and a popular food
in this area is fajitas. Interestingly, if you go to Google and you do-- I'm sorry. It
sounds like I might have my audio cut off. - We still hear you. - Oh, okay,
excellent. So if you go to Google and you do a search for a fajita recipe, you'll get
that first full page of results and all different types of recipes and all types of
different content that you can click on there to find out how to make fajitas.
Every single link on this first page of the Google search results will lead to
malware. So no matter which of these you click on, it's going to lead to malware,
and you can actually see that when you start to look here at the URLs, you know,
there's this first one. Oh, this is in a dot CC, but it's in English. Well, what's that
all about? That's actually just hosted malware out there, and it's--though it would
look like a fajita recipe if you click on it, its main purpose is to distribute that
malware, and it's repurposed content. In fact, if you look at a lot of these URLs,
you'll see that there's something a little bit suspicious about the vast majority of
them. Even the ones that look like legitimate URLs, I can tell you, are also links
to malware.
So what's happening here is that the malware distributors have engaged in
search engine optimization techniques to look for popularly searched terms that
are applicable in the-- in their target demographic, and then they've optimized so
that their malware comes up on top of those results. So that's-- that's one
interesting trend that we're seeing. So, you know, I'm talking about Google. You
know, you might follow on there and say, "Well, if it's all-- if this is something
where search engine optimization is in play and these are searchable, kind of
public resources, can't we use some sort of crawler or something to identify,
though?" The answer is, that's one way that we can approach the problem, but
it's not a very effective way to approach the problem, and the reason is that
crawlers are easy to identify.

Intelligence Evasion (32:18)


For instance, if you use a Google crawler and you go to this site, the
zinesecurity.com site, this is actually what it looks like. That's what the content
looks like to that Google crawler. It's a blank page. You don't see anything, and
that's because the site has been designed such that it will not actually redirect
you to malicious content if you look like a Google crawler. In fact, it looks for a
series of behaviors, almost similar to how click fraud prevention works today, and
looks for a-- sort of a path of behaviors that indicate whether it's an actual live
browser or it's-- it's a crawler or a bot of some sort.
Here's what this website looks like from just a regular browser, from someone
just browsing to the website. You can see here that this is a pretty familiar view of
a malware distribution kind of content, and you can see there that-- that it's, you
know, faking the Windows and providing you with a whole bunch of things to click
on, all of which are malware. So no matter what you click on here, you're going to
get that malware. That's, again, that same site, but it's what it looks like when it's
a human browser as opposed to the Google crawler.
So intelligence evasion is a major advance in web-borne malware that we're
seeing right now. Almost everything out there that is recent or contemporary, let's
say, would be something that, you know, would engage in several evasion
techniques.

Infected Legitimate Sites (33:54)


And again, that evasion is not-- the evasion is not just for a security technology
but for security research as well. Another area where we're seeing more targeted
or demographic targeting of malware and compromise is infected legitimate sites.
So this-- in this example here, this is actually the website of a Canadian-- the
Canadian government function that protects privacy and security. So that's the
area of the Canadian government to focus on those topics, and you can see
here, if we go to just a subdirectory off that same website, again, you have a
malware distribution content page and, again, doesn't matter what you click on in
this site. It's going to give you malware, right?
So that's just a compromised source site, a legitimate website where someone
has compromised it and established a subdomain. This is an effort to sort of hide
something on a site that would be classified as a safe site and then, you know,
use the positive reputation of that domain to then hide the distribution of the
malware. Interestingly, this has led to some new advances in technology, and
when I talked about earlier, the 30 billion requests that we look at in web security
today, that--that is broken down by every object. Every piece of content that we
see in that web transaction, we're gonna analyze. We're gonna look at the source
of that content, and we're gonna evaluate whether or not it's malicious. And it's
because of this exact approach right here. It's the fact that people are using
legitimate sites to hide that malware.
So then the other area that I want to talk about here-- and this one is one where
we're seeing really just an explosion in incidents of malware-- is when you take a
legitimate site and not even compromise that site but you take advantage of the
fact that so many sites nowadays are sharing user-generated content, and you
tailor that user-generated content to provide malware, either provide malware
directly or provide a link to malware or provide content that exploits a browser or
exploits a client application, such as a PDF reader, and then takes advantage of
that to further spread the malicious activity.
This one here is just a support website for Siemens, and one of the most
common sites you can hit on any support website, regardless of what the
technology is or the service or the company or the business, is going to be the
login failure page. That's generally the most visited site on any of these public
forums, and on this one, you can see that there are some topics there that users
can log in and place a comment or question in the queue, and the frequently
asked questions will bump to the top and display right there on that login help
page. The idea is, users can kind of help each other, right? This is just another
example of, like I said, a very common trend that's user-generated content. But in
this case, each one of these links that say something that looks legitimate if
you're having trouble logging in, they're all malicious.
So each one of these links, then, goes to malware, and you can actually see that
again. If you look here, you see some JavaScript, and if you'll see the multiple,
multiple links to the same JavaScript, it's hosted there out of Russia. It is--it is
malicious, and we were able to identify this one, again, because it falls in a
pretty, um-- pretty identifiable sort of path of compromise, but certainly, you see
that the legitimate sites that host user-generated content have become one of the
battlegrounds of the distribution of this malware.
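As an added illustration of the per-object inspection described above (every object a page pulls in is attributed to its source host and evaluated) this Python script walks a constructed "login help" page of the kind seen in the Siemens example, collects every referenced object, groups them by host and checks each host against a reputation table. This is example code, not code from the module or from Cisco; the sample HTML, the host names and the reputation scores are all constructed for the example.

```python
"""Per-object inspection of a web page: every object the page pulls in is
attributed to its source host, and each host is evaluated.

Added example, not code from the module or from Cisco. The sample page,
the host names and the reputation table below are all constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that references an external object when the page renders.
OBJECT_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "embed": "src",
    "object": "data",
    "link": "href",
    "a": "href",
}


class ObjectCollector(HTMLParser):
    """Collect every (tag, absolute URL) pair the page references."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.objects = []

    def handle_starttag(self, tag, attrs):
        wanted = OBJECT_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # Relative references are resolved against the page URL.
                self.objects.append((tag, urljoin(self.base_url, value)))


def collect_objects(base_url, html):
    parser = ObjectCollector(base_url)
    parser.feed(html)
    return parser.objects


# Constructed reputation table: negative = known bad, positive = known good.
# Hosts with no entry have no history and default to 0.
REPUTATION = {
    "support.example.com": 5,
    "cdn.example.com": 4,
    "js-host.example.net": -8,
}


def evaluate_page(base_url, html, reputation=REPUTATION):
    """Return findings as (action, host, tags, count, reason) tuples.

    Objects served from a known-bad host are blocked outright; scripts pulled
    from an off-domain host with no history are flagged for review, since that
    is where user-generated content tends to smuggle in malware.
    """
    page_host = urlsplit(base_url).hostname
    per_host = Counter()
    tags_by_host = {}
    for tag, url in collect_objects(base_url, html):
        host = urlsplit(url).hostname
        if host is None:
            continue
        per_host[host] += 1
        tags_by_host.setdefault(host, set()).add(tag)

    findings = []
    for host, count in per_host.items():
        score = reputation.get(host, 0)
        tags = sorted(tags_by_host[host])
        if score < 0:
            findings.append(("block", host, tags, count, "known-bad host"))
        elif host != page_host and score == 0 and "script" in tags:
            findings.append(("review", host, tags, count,
                             "off-domain script from host with no history"))
    return findings


# Constructed page: a support forum's login-help page whose user-posted
# "help" links all point at one external script.
SAMPLE_URL = "https://support.example.com/login/help"
SAMPLE_PAGE = """
<html><body>
<h1>Login help</h1>
<link rel="stylesheet" href="/css/site.css">
<img src="https://cdn.example.com/logo.png">
<ul>
  <li><a href="https://js-host.example.net/help.js">Forgot your password?</a></li>
  <li><a href="https://js-host.example.net/help.js">Account locked?</a></li>
  <li><a href="https://js-host.example.net/help.js">Reset security question</a></li>
</ul>
<script src="https://js-host.example.net/help.js"></script>
<script src="https://widgets.example.org/widget.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in evaluate_page(SAMPLE_URL, SAMPLE_PAGE):
        print(finding)
```

Running it on the sample page blocks the host that four different objects (three links and one script tag) point at and flags the unknown off-domain script for review, while the page's own stylesheet and the known-good image host produce no finding. The repetition count is the point: many user-posted links converging on one external script host is the pattern the module describes, and it shows up only when every object is attributed rather than the page URL alone.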

Facebook Profile as an Attractive Target (38:39)
So the last area that I want to talk about-- and I think this one is extremely
interesting-- is a Facebook vector. Goes without saying that Facebook is an
incredibly popular site, and Facebook represents a large amount of the day-to-day
traffic of users, not just outside of the enterprise but within the enterprise as
well, and, in fact, some recent research we were doing indicated that as much as
14% to 15% of the content-- that's like the total volume of content that we
analyze on a supposedly secure enterprise installation-- was actually Facebook,
so this is where-- this is an installation where Facebook was supposedly locked
down and not accessible, and it still represented about 14% to 15% of the
content that was going through the-- going through the web transactions there.
So it's a very attractive vector for attack.
I think most of us could probably say, if we have used Facebook or we know
friends who use Facebook, we're probably aware that there has been some
compromise out there, but what's particularly interesting about Facebook is that,
again, going back to the concept of targeted threats, going back to the concept of
demographic targeting, Facebook gives you all of the tools that you need to do
that type of targeting. If you advertise on Facebook, when you design your
advertisement, you have the ability to put whatever type of link you want in there
and then, on top of that, provide the title and the body and put together
something that will tailor to a specific demographic, and then Facebook will
actually tell you how you're doing in tailoring to that demographic.
So in this case, you know, just kind of going back to the Canadian example, we
can put together a link that says, "Hey, here's something that would impact
Canadian government employees." If we wanted-- if we were trying to
compromise Canadian government resources, we'd put together this site, and it
says, you know, "Canadian government to shed 33% of workers," right? Not true
at all, but it's the sort of thing that we anticipate that government workers in
Canada would click on, 'cause they'd want to know about that.
And we, of course, would put in our URL here, which goes to a malicious site that
provides malware. And over here, Facebook will tell us, "Hey, with this
advertisement, we anticipate that you'll go out and put that in front of 18,540
people, and not just 18,540 random people but people who specifically live in
Canada. They're age 18 or older, and they work at the Canadian Forces or
government of Canada." That enables us to be extremely specific with where we
place our trolling for potential malware installs.
And so Facebook is an incredible tool, and what we're seeing is just, again, not--
a great increase in the amount of threat that we see associated with that. So
hopefully there are a couple of things that I would like for you to think about when
we talk about all of the different lessons that we have learned.

Summary (41:52)
One, in order to be effective at understanding the threat environment, you have
to look at live threats. You--lab work is great. Honeynets are fantastic, and, you
know, that's the sort of standard duty of care that we engage in on a regular-- on
a regular day-to-day basis, but to be effective, we have to look at the live threats
in live deployments. That's the source of real, true security intelligence now, and I
think that's where the security industry is going and, you know, as I've illustrated
today, where we're focusing our efforts and investments.
The second thing I want to hit on is, but once you have that data, combining it is
all about comparing multiple types of data and parameterizing that information.
So you want to look at all of the different vectors of a blended threat so that you
can view the timeline of that threat. You know, we track for over 26 million public
entities on the internet. We track the entire security history that we have seen
associated with that entity, and that's a number that increases every day, but
that's what's necessary to really understand, end to end, that threat history.
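The second point above, combining several kinds of data on one entity so that the whole timeline of a blended threat can be viewed, is illustrated by the following added Python example. It is not Cisco's code and does not reproduce how Cisco tracks its entities; the vector names, verdict weights, decay half-life and the sample observations are all constructed assumptions.

```python
"""Security history of a public entity across several attack vectors, as an
added illustration of combining multiple kinds of data and viewing the
whole timeline of a blended threat.

Not Cisco's code. The vector names, verdict weights, decay half-life and the
sample observations are all constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    entity: str        # domain or IP address the observation is about
    vector: str        # where it was seen: "web", "email", "dns", ...
    seen: datetime
    verdict: str       # "malicious", "suspicious" or "clean"
    detail: str


# Constructed weights: how much one observation moves the entity's score.
VERDICT_WEIGHT = {"malicious": -10.0, "suspicious": -3.0, "clean": 1.0}


class EntityHistory:
    """Append-only store of every observation, keyed by entity."""

    def __init__(self):
        self._events = defaultdict(list)

    def record(self, event):
        self._events[event.entity].append(event)

    def timeline(self, entity):
        """All observations for the entity, oldest first."""
        return sorted(self._events.get(entity, []), key=lambda e: e.seen)

    def summary(self, entity, now, window=timedelta(days=30),
                half_life=timedelta(days=14)):
        """Cross-vector view of one entity.

        'blended' is set when bad verdicts arrived over at least two different
        vectors inside the window; 'score' sums the weighted verdicts with an
        exponential decay so old history fades but is never forgotten.
        """
        events = self.timeline(entity)
        if not events:
            return None
        recent_bad = {e.vector for e in events
                      if now - e.seen <= window and e.verdict != "clean"}
        score = 0.0
        for e in events:
            # timedelta / timedelta gives a float number of half-lives elapsed
            decay = 0.5 ** ((now - e.seen) / half_life)
            score += VERDICT_WEIGHT[e.verdict] * decay
        return {
            "entity": entity,
            "first_seen": events[0].seen,
            "last_seen": events[-1].seen,
            "vectors": sorted({e.vector for e in events}),
            "blended": len(recent_bad) >= 2,
            "score": round(score, 2),
        }


def build_sample_history():
    """Constructed observations for two entities; returns (history, now)."""
    now = datetime(2014, 3, 1)
    history = EntityHistory()
    for event in [
        Event("js-host.example.net", "email", datetime(2014, 2, 10), "suspicious",
              "link in unsolicited mail campaign"),
        Event("js-host.example.net", "web", datetime(2014, 2, 20), "malicious",
              "script served to browsers matches exploit signature"),
        Event("js-host.example.net", "dns", datetime(2014, 2, 25), "suspicious",
              "resolves to an address seen hosting other bad content"),
        Event("cdn.example.com", "web", datetime(2014, 1, 15), "clean",
              "static assets, no detections"),
    ]:
        history.record(event)
    return history, now


if __name__ == "__main__":
    history, now = build_sample_history()
    for entity in ("js-host.example.net", "cdn.example.com"):
        print(history.summary(entity, now))
```

The email observation on its own would be a weak signal, and so would the DNS one; only when the three vectors are lined up on one timeline does the host show up as a blended threat with a strongly negative score, which is the end-to-end view the paragraph argues for. The decay keeps the score live without discarding the history, so the full record remains available for the timeline.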
And then the last thing that I want to touch on is, it's not about casting a broad
net and looking for the biggest fish, because increasingly, that's a behavior that
those engaged in a cybercrime economy have identified and are using those
same approaches to make their threats fly under the radar, so moving away from
what I was calling earlier sort of the big, dumb, loud activity and going to things
that are a little bit more tailored, specifically tailoring those threats for the types of
compromised host that you're looking for, right? You want to find those always-on--
those always-on installs in specific areas with high bandwidth, so specific
type of users, and if you're going to compromise them for the purposes of
gathering information, you want to make sure that they have access to that
information that you might like, as we were talking about earlier with the
government employees targeted through Facebook.
So that's given you a feel for how we gather our intelligence and some of the
intelligence that we've gathered. This type of information, we provide over 20
publications throughout the year and also a number of different forums where we
discuss these threats with you. We'll be talking here in, you know, various RSA
discussions in more detail about some of these threats, so if you're interested in
learning more, please reach out to us in those locations or, you know, reach out
to-- reach out to us within the Cisco Security Intelligence Operations
organization, and we'd love to talk more.

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public