cisco connect toronto 2017 - anatomy-of-attack
TRANSCRIPT
© 2016 Cisco and/or its affiliates. All rights reserved. 1
Cisco Connect
Anatomy of an Attack
Chris Parker-James, Consulting Systems Engineer, Cloud Security
October 12th, 2017
Agenda
Anatomy of an Attack
What’s Changed?
Cisco’s Solution
  Cisco Umbrella
  Cisco Cloudlock
Why Cisco?
Anatomy of a cyber attack
Reconnaissance and infrastructure setup
Domain registration, IP, ASN Intel
Monitor adaptation based on results
Target expansion
Wide-scale expansion
Defense signatures built
Patient zero hit
Locky / WannaCry Ransomware
Mapping attacker infrastructure (figure)
Timeline: Umbrella flagged *.7asel7[.]top (LOCKY) on AUG 17, 26 days before SEP 12.
Investigation pivots shown on the slide: Domain → IP association, IP → Sample association, IP → Network association, IP → Domain association, WHOIS association, Network → IP association.
Mapping attacker infrastructure (figure, continued)
Domain → IP association: *.7asel7[.]top (LOCKY) is associated with 91.223.89.201 and 185.101.218.206.
IP → Sample association: 600+ Threat Grid files, including SHA256 0c9c328eb66672ef1b84475258b4999d6df008.
IP → Network association: AS 197569.
IP → Domain association: 1,000+ DGA domains, e.g. ccerberhhyed5frqa[.]8211fr[.]top (CERBER).
Mapping attacker infrastructure (figure, continued)
Network → Domain association pivots to further LOCKY DGA domains: jbrktqnxklmuf[.]info and mhrbuvcvhjakbisd[.]xyz.
Timeline markers on the slide: JUL 14 (-7 days), JUL 18 (Umbrella), JUL 21 (Umbrella), JUL 22 (domain registered, -4 days), AUG 21 (-26 days).
One threat was detected the same day its domain was registered; the other was detected before its domain was registered.
Google OAuth attack
Sequence of events (1 of 2)
1. Attacker sets up infrastructure and a fake app, then sends a phishing email.
2. Victim opens the email and clicks the link. The victim is sent to Google’s OAuth page for authentication and to grant permissions, after which the user is redirected to an attacker-controlled website.
Sequence of events (2 of 2)
3. Victim is prompted to allow or deny access.
4. On the backend, if allowed, Google provisions an OAuth token, appends it to the redirect_uri, and instructs the victim’s browser to redirect to the attacker’s domain (e.g. g-cloud[.]win). Note: users were redirected to these domains whether they clicked Deny or Allow.
5. Attacker gains access to the OAuth token once the user is redirected to one of the attacker-controlled domains.
6. Attacker uses the granted privileges (email contacts, delete emails, etc.) and uses the access to send emails from the victim’s account and propagate the worm.
How Cisco Security can help
Attack chain (figure): victim opens email and clicks link → victim grants access to their account → victim redirected to attacker’s domain → attacker gains access to OAuth token → attacker has persistent access to the victim’s account.
Email Security blocks malicious emails.
Umbrella blocks the user redirect to the malicious domain; the attacker never receives the OAuth token if blocked here.
Umbrella Investigate is used to research the attacker’s infrastructure.
If the attack is successful, Cloudlock revokes the OAuth token.
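The two control points above (block the redirect before the token is delivered; revoke the grant afterwards) can be expressed as a small defender-side check. The following is an added example written for this page, not Cisco's or Google's code: it inspects a Google OAuth consent URL and blocks when the token would be delivered to a redirect host outside an approved list, and it lists already-granted apps whose redirect host is unapproved so the grant can be revoked. The approved hosts, the `.invalid` attacker host and the sample grants are constructed; the scope strings are real Google scopes.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allowlist: redirect hosts belonging to apps the organisation
# has approved. The phishing app's redirect_uri points somewhere else.
APPROVED_REDIRECT_HOSTS = {"mail.example.com", "crm.example.com"}

# Real Google scope strings that grant what the slide describes:
# read contacts, read/modify/delete mail, send mail as the user.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/contacts",
}


def assess_oauth_request(auth_url):
    """Inspect a consent URL (step 2 of the sequence) before the browser
    follows it. The decision keys on redirect_uri: that is where Google will
    deliver the token, so an unapproved host means the attacker gets it."""
    params = parse_qs(urlparse(auth_url).query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    scopes = set(params.get("scope", [""])[0].split())
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if redirect_host not in APPROVED_REDIRECT_HOSTS:
        verdict = "block"        # token would be handed to an unapproved host
    elif risky:
        verdict = "review"       # approved host, but powerful scopes
    else:
        verdict = "allow"
    return {"client_id": client_id, "redirect_host": redirect_host,
            "risky_scopes": risky, "verdict": verdict}


def grants_to_revoke(grants):
    """Post-compromise step (the Cloudlock role on the slide): from an
    inventory of already-authorised apps, return the app names whose token is
    delivered to an unapproved host. Each grant is {"app", "redirect_uri", "scope"}."""
    return [g["app"] for g in grants
            if (urlparse(g["redirect_uri"]).hostname or "").lower()
            not in APPROVED_REDIRECT_HOSTS]


# Constructed sample: one lure URL and an inventory of two grants.
LURE_URL = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=lure-app-id"
            "&redirect_uri=https%3A%2F%2Fattacker-redirect.invalid%2Fcb"
            "&response_type=code&scope=https%3A%2F%2Fmail.google.com%2F")
SAMPLE_GRANTS = [
    {"app": "Google Docs (lure)", "redirect_uri": "https://attacker-redirect.invalid/cb",
     "scope": "https://mail.google.com/"},
    {"app": "Mail Client", "redirect_uri": "https://mail.example.com/cb",
     "scope": "openid email"},
]
```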
The way we work has changed.
What’s changed (figure: HQ, branch office, roaming users)
Apps, data, and identities move to the cloud
Business drives use of cloud apps and collaboration is easier
No longer need VPN to get work done
Branch offices have direct internet access
How risk is different today (figure: HQ, branch office, roaming users)
Users not protected by traditional security stack
Gaps in visibility and coverage
Expose sensitive info (inadvertently or maliciously)
Users can install and use risky apps on their own
Our solution (figure: HQ, branch office, roaming users)
Umbrella: Secure access to the internet
Cloudlock: Secure usage of cloud apps
Cisco cloud security: Shared focus, complementary use cases
Visibility and control
  Cloudlock: For Shadow IT and connected cloud apps (OAuth)
  Umbrella: For all internet activity
Threat protection
  Cloudlock: Protect cloud accounts from compromise and malicious insiders
  Umbrella: Stop connections to malicious internet destinations
Forensics
  Cloudlock: Analyze audit cloud logs
  Umbrella: Investigate attacks with internet-wide visibility
Data protection
  Cloudlock: Assess cloud data risk and ensure compliance
  Umbrella: Block C2 callbacks and prevent data exfiltration
Malware / ransomware
  Cloudlock: Prevent cloud-native (OAuth) attacks
  Umbrella: Prevent initial infection and C2 callbacks
Cisco Umbrella: Secure access to the internet
Umbrella: First line of defense against internet threats
See: Visibility to protect access everywhere
Learn: Intelligence to see attacks before they launch
Block: Stop threats before connections are made
Umbrella: Start blocking in minutes
Easiest security product you’ll ever deploy
1. Sign up
2. Point your DNS
3. Done
How fast do we resolve DNS requests?
Measured in milliseconds
Source: MSFT Office 365 Researcher, ThousandEyes Blog Post, May 2017
Resolvers labelled on the chart: SafeDNS, FreeDNS, DNS.WATCH, Comodo, Level3, OpenNIC, Verisign, Dyn, Umbrella (nine labels survive for ten charted series).

Region          Latency (ms) per charted series
Overall         157  130  119   92   78   75   74   50   45   33
North America    75  132  106   39   17   38   43   12   17   25
Europe/EMEA     135   41   34   44   32   52   43   31   31   29
Asia/APC        197  275  268  198  167  119  112   80   59   39
Latin America   184  225  218  119  110  108  140   73   99   42
Africa          322  195  169  164  171   81  176  165   23   38
Enterprise-wide deployment in minutes
Cisco endpoint (AnyConnect): no additional agents to deploy with AnyConnect; alternatively the Umbrella roaming client works alongside other VPNs for DNS and IP redirection.
Cisco networking (WLAN controller, ISR 4K): out-of-the-box integration; use of tags for granular filtering and reporting; policies per VLAN/SSID.
Other network devices (DNS/DHCP servers, wireless APs): simple configuration change to redirect DNS; policies for corporate users and guests.
Where does Umbrella fit? (Malware, C2 callbacks, phishing)
Figure: HQ (sandbox, NGFW, proxy, Netflow, AV), branch (router/UTM, AV) and roaming users (AV), with Umbrella in front of all of them.
First line: It all starts with DNS
Precedes file execution and IP connection
Used by all devices
Port agnostic
Built into the foundation of the internet
Umbrella provides:
Connection for safe requests
Prevention for user- and malware-initiated connections
Proxy inspection for risky URLs
Figure: a safe request is resolved; a blocked request is stopped at DNS.
Enforcement
Intelligence sources: Cisco Talos feeds, Cisco WBRS, partner feeds, custom URL block list
Requests for “risky” domains go to the intelligent proxy for URL inspection and file inspection (AV engines, Cisco AMP)
Enforcement: Prevents connections before and during the attack
Web- and email-based infection: malvertising / exploit kit, phishing / web link, watering hole compromise
Command and control callback: malicious payload drop, encryption keys, updated instructions
Stop data exfiltration and ransomware encryption
Intelligence: Our view of the internet
100B requests per day
12K enterprise customers
85M daily active users
160+ countries worldwide
Intelligence to see attacks before they are launched
Data: Cisco Talos feed of malicious domains, IPs, and URLs; Umbrella DNS data (100B requests per day)
Security researchers: Industry-renowned researchers build models that can automatically classify and score domains and IPs
Models: Dozens of models continuously analyze millions of live events per second and automatically uncover malware, ransomware, and other threats
Statistical models (Intelligence)
Guilt by inference: Co-occurrence model, Geolocation model, Secure rank model
Guilt by association: Predictive IP space modeling, Passive DNS and WHOIS correlation
Patterns of guilt: Spike rank model, Natural Language Processing rank model, Live DGA prediction
2M+ live events per second
11B+ historical events
Co-occurrence model: Domains guilty by inference
Figure: a.com, b.com and c.com are requested before the known malicious domain x.com, and d.com, e.com and f.com after it (time − to time +); two of its neighbours are marked as possible malicious domains.
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
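The co-occurrence idea above, as an added example (my code, not Cisco's model): for every identity the DNS records are walked in time order, and any domain requested immediately before or after the known malicious domain within a short window is credited with that identity; a domain is reported only when enough distinct identities show the pattern. The 60-second window and the three-identity threshold are assumptions standing in for "short timeframe" and "statistically significant", and the log is constructed.

```python
from collections import defaultdict

KNOWN_BAD = "x.com"          # the slide's known malicious domain
WINDOW_SECONDS = 60          # assumed "short timeframe" between consecutive requests
MIN_IDENTITIES = 3           # assumed threshold for "statistically significant"


def cooccurring_domains(log, known_bad=KNOWN_BAD, window=WINDOW_SECONDS,
                        min_identities=MIN_IDENTITIES):
    """log: (identity, unix_time, domain) DNS records. For each identity, walk
    its requests in time order and credit any domain requested immediately
    before or after known_bad (within `window` seconds). A domain is reported
    when at least min_identities distinct identities show that pattern; the
    value is how many did."""
    per_identity = defaultdict(list)
    for ident, ts, dom in log:
        per_identity[ident].append((ts, dom))
    witnesses = defaultdict(set)          # candidate domain -> identities
    for ident, reqs in per_identity.items():
        reqs.sort()
        for (t1, d1), (t2, d2) in zip(reqs, reqs[1:]):
            if t2 - t1 > window or d1 == d2:
                continue
            if d1 == known_bad:
                witnesses[d2].add(ident)   # requested right after x.com
            elif d2 == known_bad:
                witnesses[d1].add(ident)   # requested right before x.com
    return {d: len(ids) for d, ids in witnesses.items()
            if len(ids) >= min_identities}


def _build_sample_log():
    """Constructed log: five identities each request a.com, then c.com and
    d.com around x.com within seconds; b.com sits next to x.com for only one
    identity and e.com comes long after it, so neither should be reported."""
    log = []
    for i in range(5):
        base = 1000 * i
        log += [(f"u{i}", base, "a.com"), (f"u{i}", base + 100, "c.com"),
                (f"u{i}", base + 102, "x.com"), (f"u{i}", base + 103, "d.com")]
    log += [("u9", 50, "b.com"), ("u9", 60, "x.com"),
            ("u8", 70, "x.com"), ("u8", 900, "e.com")]
    return log


SAMPLE_LOG = _build_sample_log()
```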
Spike rank model: Patterns of guilt
Figure: DNS requests for y.com plotted against days.
Massive amounts of DNS request volume data are gathered and analyzed.
The DNS request volume matches a known exploit kit pattern and predicts a future attack (pattern classes on the slide: DGA, malware, exploit kit, phishing).
y.com is blocked before it can launch a full attack.
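One way to turn "request volume matches a known pattern" into code, as an added example rather than the model Umbrella actually runs: a template shape is slid over a domain's daily request counts, the best Pearson correlation is kept, and the domain is flagged only when the shape matches and the peak rises well above the domain's own median baseline. The template and the two daily-count series are constructed.

```python
from statistics import mean, median, pstdev

# Constructed template standing in for the "known exploit kit pattern":
# quiet baseline, two-day ramp, a peak, then an equally fast drop-off.
EK_TEMPLATE = [1, 1, 1, 2, 8, 30, 60, 20, 4, 1]


def _pearson(xs, ys):
    """Correlation of two equal-length series; 0.0 when either is flat."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)


def spike_rank(daily_counts, template=EK_TEMPLATE, min_corr=0.9, min_spike=10.0):
    """Slide the template over a domain's daily DNS request counts and return
    (best_correlation, spike_factor, flagged). spike_factor is the peak of the
    best-matching window over the series' median (the domain's baseline), so a
    domain is flagged only when its volume both looks like the template and
    rises well above its own normal traffic."""
    if not daily_counts:
        return 0.0, 0.0, False
    n = len(template)
    best_corr, best_start = -1.0, 0
    for start in range(0, len(daily_counts) - n + 1):
        corr = _pearson(daily_counts[start:start + n], template)
        if corr > best_corr:
            best_corr, best_start = corr, start
    window = daily_counts[best_start:best_start + n] or daily_counts
    spike_factor = max(window) / max(median(daily_counts), 1)
    flagged = best_corr >= min_corr and spike_factor >= min_spike
    return round(best_corr, 3), round(spike_factor, 1), flagged


# Constructed daily request counts. Y_COM ramps like the template (the
# y.com of the slide); FLAT is an ordinary low-volume domain.
Y_COM = [4, 5, 5, 4, 6, 5, 5, 9, 40, 150, 300, 100, 20, 5, 4]
FLAT = [5, 6, 5, 5, 6, 5, 5, 6, 5, 5, 6, 5]
```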
Predictive IP space monitoring: Guilt by association
Pinpoint suspicious domains and observe their IP’s fingerprint
Identify other IPs, hosted on the same server, that share the same fingerprint
Block those suspicious IPs and any related domains
Figure: one domain associated with 209.67.132.476, 209.67.132.477, 209.67.132.478, 209.67.132.479 (addresses as printed on the slide)
‘Sender Rank’ model: predict domains related to spammers
Identify queries to spam reputation services: our 85M+ users leverage email reputation services to check for spam; we see the requests made to check domains found in emails.
Figure: mail servers query reputation services with names such as a.spam.ru.checkspam.com and b.spam.ru.checkspam.com, where spam.ru is the domain of the sender and checkspam.com the domain of the service.
The model aggregates hourly graphs per domain, looking for short bursts in the 1000s. “Hailstorm” spam uses many FQDNs, e.g. subdomains a.spam.ru, b.spam.ru … z.spam.ru of spam.ru, to hide from reputation services; spam.ru is identified as a suspect domain.
Confirm the “Hailstorm” domain by checking behavior patterns: type of domain, domain popularity, historical activity.
The model identifies owners of “Hailstorm” domains: after confirmation, query WHOIS records to get the registrant of the sender domain (“badguy” on the slide).
Block 10,000s of domains before new attacks happen: attackers often register more domains to embed links in phishing or C2 callbacks in malware. The model automatically places registrants on a watch list; when new domains are registered at a future time, the model automatically verifies them and the new malicious domain is blocked by Umbrella.
Intelligence
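The hourly aggregation step above, as an added example (my code, not the Sender Rank model): reputation-service lookups are parsed back into the sender FQDN that was checked, bucketed per registrable sender domain per hour, and a domain is reported when one hour contains a burst of many distinct FQDNs. The service name, the threshold of 100 FQDNs and the "last two labels" rule for the registrable domain are assumptions, and the log is constructed.

```python
from collections import defaultdict

# Constructed reputation-service name, standing in for the slide's checkspam.com
REPUTATION_SERVICES = ("checkspam.example",)


def sender_from_query(qname, services=REPUTATION_SERVICES):
    """Recover the checked sender FQDN from a reputation lookup such as
    'a.spam.example.checkspam.example' -> 'a.spam.example'; None otherwise."""
    q = qname.lower().rstrip(".")
    for svc in services:
        if q.endswith("." + svc):
            return q[: -len(svc) - 1]
    return None


def registered_domain(fqdn):
    # Assumption for this example: the registrable domain is the last two
    # labels; a real deployment would consult the public suffix list.
    return ".".join(fqdn.split(".")[-2:])


def hailstorm_candidates(log, min_fqdns=100, window=3600):
    """log: (unix_time, qname) pairs from resolver logs. Aggregates per
    sender domain per hour (the slide's hourly graphs) and returns
    {domain: peak distinct FQDNs in one hour} for domains over the threshold."""
    buckets = defaultdict(set)                    # (domain, hour) -> FQDNs seen
    for ts, qname in log:
        sender = sender_from_query(qname)
        if sender is None:
            continue                              # not a reputation lookup
        buckets[(registered_domain(sender), ts // window)].add(sender)
    peak = defaultdict(int)
    for (dom, _hour), fqdns in buckets.items():
        peak[dom] = max(peak[dom], len(fqdns))
    return {d: n for d, n in peak.items() if n >= min_fqdns}


def _build_sample_log():
    """Constructed: 250 distinct subdomains of spam.example checked within one
    hour (hailstorm), plus a legitimate sender checked a few times over a day
    and one unrelated query."""
    log = [(7200 + i * 10, f"h{i}.spam.example.checkspam.example") for i in range(250)]
    log += [(h * 3600, "mail.legit.example.checkspam.example") for h in range(0, 24, 6)]
    log += [(7300, "www.unrelated.example")]
    return log


SAMPLE_LOG = _build_sample_log()
```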
‘Newly Seen Domains’ category reduces risk of the unknown
Events:
Attackers register domains.
Umbrella’s Auto-WHOIS model may predict them as malicious (1).
Before expiration (3), if any user requests this domain, it’s logged or blocked as newly seen.
Later, Umbrella statistical models or reputation systems identify it as malicious.
Domains are used in an attack.
How the category is built:
1. Any user (free or paid) requests the domain (1).
2. Every minute, we sample from our streaming DNS logs.
3. Check if the domain was seen before and if it is whitelisted (2).
4. If not, add it to the category, and within minutes DNS resolvers are updated globally.
Notes: (1) May have predictively blocked it already, and likely the first requestor was a free user. (2) E.g. a domain generated for a CDN service. (3) Usually 24 hours, but modified for best results, as needed.
Timeline (figure): Cisco Umbrella protects within minutes and for the 24 hours the domain is newly seen; reputation systems take days to weeks, during which the domain is “not yet a threat” and users are unprotected or potentially unprotected.
Intelligence
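The four-step procedure above, as an added example (my code, not Umbrella's): a tracker records the first request time of each domain sampled from the log stream, exempts allowlisted names such as CDN-generated ones, labels a domain newly seen for 24 hours after its first request, and returns, for one minute's sample, the domains that belong in the category. The allowlist suffix and the request batches are constructed.

```python
NEWLY_SEEN_TTL = 24 * 3600                   # "usually 24 hours" (slide note 3)
ALLOWLIST_SUFFIXES = ("cdn.example.net",)    # constructed: CDN-generated names (note 2)


class NewlySeenTracker:
    """Keeps first-seen times for domains sampled from a DNS log stream and
    labels each request the way the category would: allowlisted, newly_seen
    (within the TTL of the first request) or established."""

    def __init__(self, ttl=NEWLY_SEEN_TTL, allow=ALLOWLIST_SUFFIXES):
        self.ttl = ttl
        self.allow = allow
        self.first_seen = {}                 # normalised domain -> first request time

    @staticmethod
    def normalise(domain):
        return domain.lower().rstrip(".")

    def is_allowlisted(self, domain):
        return any(domain == s or domain.endswith("." + s) for s in self.allow)

    def classify(self, domain, now):
        """Step 3 and 4 for one request at time `now` (unix seconds)."""
        d = self.normalise(domain)
        if self.is_allowlisted(d):
            return "allowlisted"
        first = self.first_seen.setdefault(d, now)   # seen before? else record now
        if now - first < self.ttl:
            return "newly_seen"                      # in category: log or block
        return "established"                         # category expired (note 3)

    def sample_minute(self, requests, now):
        """Step 2: one minute's sampled (user, domain) requests; returns the
        domains that enter or remain in the category this minute, deduplicated."""
        return sorted({self.normalise(dom) for _, dom in requests
                       if self.classify(dom, now) == "newly_seen"})
```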
Our efficacy (Intelligence)
Discover: 3M+ daily new domain names
Identify: 60K+ daily malicious destinations
Enforce: 7M+ malicious destinations while resolving DNS
What sets Umbrella apart from competitors
Easiest connect-to-cloud deployment
Fastest and most reliable cloud infrastructure
Broadest coverage of malicious destinations and files
Most open platform for integration
Most predictive intelligence to stop threats earlier
Cisco Cloudlock: Secure usage of cloud apps
Cloudlock can provide visibility and control over global cloud activities
Key questions organizations have
Users/Accounts: Who is doing what in my cloud applications? How do I detect account compromises? Are malicious insiders extracting information?
Data: Do I have toxic and regulated data in the cloud? Do I have data that is being shared inappropriately? How do I detect policy violations?
Applications: How can I monitor app usage and risk? Do I have any 3rd-party connected apps? How do I revoke risky apps?
Cisco Cloudlock addresses customers’ most critical cloud security use cases
Capabilities: Discover and Control; User and Entity Behavior Analytics; Cloud Data Loss Prevention (DLP); Apps Firewall; Cloud Malware
Use cases: Shadow IT/OAuth discovery and control; Data exposures and leakages; Privacy and compliance violations; Compromised accounts; Insider threats
Here’s an example of why you need cloud user security
9:00 AM ET: Login from North America
10:00 AM ET: Data export from Africa
Distance from the US to the Central African Republic: 7362 miles. At a speed of 800 mph, it would take 9.2 hours to travel between them, yet the two events are one hour apart.
Have you ever been to 68 countries in one week?
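The login-then-export scenario above is the classic impossible-travel check. As an added example (my code, not Cloudlock's detection), the function below orders each user's audit events in time, computes the great-circle distance between consecutive events, and raises an alert when the implied speed exceeds the 800 mph used on the slide. The coordinates (New York and Bangui) and the audit events are constructed.

```python
import math
from collections import defaultdict

MAX_PLAUSIBLE_MPH = 800.0          # the airliner speed used on the slide
EARTH_RADIUS_MI = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def impossible_travel(events, max_mph=MAX_PLAUSIBLE_MPH):
    """events: (user, unix_time, lat, lon, action) from cloud audit logs.
    For each user, compares consecutive events and returns one alert per
    pair that would require travelling faster than max_mph:
    {"user", "from", "to", "miles", "required_mph", "hours_at_max"}."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, action in events:
        by_user[user].append((ts, lat, lon, action))
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for (t1, la1, lo1, a1), (t2, la2, lo2, a2) in zip(evs, evs[1:]):
            miles = haversine_miles(la1, lo1, la2, lo2)
            hours = max(t2 - t1, 1) / 3600.0        # floor at one second
            required = miles / hours
            if required > max_mph:
                alerts.append({"user": user, "from": a1, "to": a2,
                               "miles": round(miles), "required_mph": round(required),
                               "hours_at_max": round(miles / max_mph, 1)})
    return alerts


# Constructed audit events reproducing the slide's scenario: a login from New
# York, then a data export from Bangui (Central African Republic) one hour
# later. Bob's two New York logins are the benign control.
T0 = 1_507_813_200                  # 2017-10-12 09:00 ET, expressed in UTC seconds
SAMPLE_EVENTS = [
    ("alice", T0, 40.7128, -74.0060, "login"),
    ("alice", T0 + 3600, 4.3947, 18.5582, "data_export"),
    ("bob", T0, 40.7128, -74.0060, "login"),
    ("bob", T0 + 7200, 40.7306, -73.9352, "login"),
]
```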
More than 24,000 files per organization publicly accessible
Data exposure per organization (chart): accessible by external collaborators, accessible publicly, accessible organization-wide; values charted: 2%, 10%, 12%
24,000 files publicly accessible per organization
70% of external sharing done with non-corporate email addresses
Source: Cloudlock CyberLab
Consider “connected” cloud apps: Pokémon Go
Daily time spent in Pokémon Go by the average iOS user (chart, Source: SensorTower): Pokémon Go 33 mins; Facebook, Snapchat, Twitter, Instagram and Slither charted at 22, 18, 17, 15 and 10 mins.
Pokémon Go breaks another record: higher daily average user time than Facebook, Snapchat, and Instagram.
Time to reach 100 million users worldwide (chart): 1 month (estimated), 4.5 yrs, 7 yrs, 16 yrs, 75 yrs, against years of launch 1878, 1879, 1900, 2004, 2016.
An unusual start: Pokémon Go breaking all mobile gaming records globally.
Cisco Cloudlock: Cloud Access Security Broker (CASB) for identities, data and apps
CASB – API access (cloud to cloud)
Figure: Cloudlock connects to cloud apps through their public APIs and integrates with Cisco NGFW / Umbrella, covering managed and unmanaged users, devices and networks.
Cloudlock has over 70 pre-defined policies
PII: SIN/ID numbers, driver license numbers, passport numbers
Education: inappropriate content, student loan application information, FERPA compliance
General: email address, IP address, passwords/login information
PHI: HIPAA, health identification numbers (global), medical prescriptions
PCI: credit card numbers, bank account numbers, SWIFT codes
Cloudlock provides automated response actions
Detect → Alert (admin/users) → Security workflows → Response actions → API integrations
Cisco Cloudlock differentiators
Smartest intelligence: CyberLab, crowd-sourced community trust ratings
Proven track record: Deployed at over 700 organizations and supporting deployments of over 750,000 users
FedRAMP In Process: The only FedRAMP In Process CASB working towards an Authority to Operate via Agency Authorization
Cisco ecosystem: Integrated, architectural approach to security, vendor viability
Cloud-native: Full value instantly, no disruption
Why Cisco Cloud Security?
Why customers love Cisco cloud security
Most effective protection
Simplest to deploy and manage
Most open platform
Most reliable
Real customer results
Umbrella:
“Deployed to 30,000 employees in less than 60 minutes”
“Reduced infections by 98%...saved 1.7 months of user downtime per year”
“Cut incident response time by 25-30%”
Cloudlock:
“Reduced public exposure by 62% in one day”
“Intelligently reduced OAuth-connected apps by 34% in one week”
“Deployed to 125,000 employees in less than 5 minutes”
Try Umbrella and Cloudlock today.
Tackle ransomware and other threats with Umbrella. Enable the secure use of the cloud with Cloudlock.
Thank you.