cisco cyber range · presentation_id cisco and/or its affiliates. all rights reserved. cisco public...

Cisco Cyber Range

Paul Qiu

Senior Solutions Architect

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

“What I hear, I forget What I see, I remember What I do, I understand”

A platform to experience the intelligent Cyber Security for the real world

~ Confucius

Cyber Range Service

Cyber Range Overview

4


Agenda

Cyber Range Journey

Cisco Cyber Security Overview

Cyber Range Overview & Architecture

Cyber Range APT Case Study

5

Cisco Cyber Range Journey


08/2014 - PACIFIC ENDEAVOR 2014 10 teams are doing Cyber Range Challenge


09/2014 - Cyber Range 5 Day Workshop – India Service Provider


01/2015 – Cyber Range 5 day Workshop – India Service Provider


10/2014 - Cyber Range 3 Day Workshop – Taiwan Manufacturer

Cisco Cyber Security Overview


Breaches Happen in Hours …. But Go Undetected For Weeks/Months

Initial Compromise to

Data Exfiltration

Initial Attack to Initial

Compromise

Initial Compromise to

Discovery

Discovery to Containment/

Restoration

Seconds Minutes Hours Days Weeks Months Years

10%

8%

0%

0%

75%

38%

0%

1%

12%

14%

2%

9%

2%

25%

13%

32%

0%

8%

29%

38%

1%

8%

54%

17%

1%

0%

2%

4%

Timespan of events by percent of breaches

+

In 60% of

breaches, data is

stolen in hours.

85% of breaches

are not

discovered for

weeks.


Anatomy of a Modern Threat

Campus

Advanced online threat

bypasses perimeter defence

Perimeter

Enterprise

Data Centre

Threat spreads and attempts

to exfiltrate valuable data

Public Network

Infection entry point occurs

outside of the enterprise

Internet and

Cloud Apps


Cisco Cyber Security

VISIBILITY Deep Insight to Detect Advanced Threats

INTELLIGENCE Contextual Awareness to Pinpoint Attacks

CONTROL Ubiquitous Defence to Manage Threats


Visibility

NetFlow Network-wide traffic

patterns

Identity User, device, access,

location, time

AVC Application

recognition and

identification

Security Firewall, intrusion,

web & email security


Intelligence

Reputation Security Intelligence

Operations (SIO)

Analytics Stealthwatch,

Splunk


Control

Security Firewall, intrusion,

web & email security

TrustSec Network flow tagging

and blocking



A platform to experience the intelligent Cyber Security for the real world


Cyber Range Remote Capabilities

Road Show

Partners

Campuses

Exhibition Centre

Customer Sites

Internet


•

•

•

•

•

•


•

•


Cyber Range Capabilities

… can improve cyber defence operational capabilities, by way of:

• Architecture / Design validation

• Incident response playbook creation / validation

• War game exercises

• Hands-on training for individual technologies

• Threat mitigation process verification

• Simulating advanced threats (zero day / APT)


Cisco Cyber Range Service Features

Infrastructure Attacks Visibility and Control

Wired, wireless, and remote access

Network and routing

Client simulator Server simulator Application

simulator Traffic generation

Day 0 Attack/New threats

DDoS Network reconnaissance Application attacks Data Loss Computer malware Mobile device malware Wireless Attacks Evasion techniques Botnet simulation Open source attack tools Virtual Network Attacks

Global Threat Intelligence(Cloud)

Firewall & IDS/IPS Signature based Detection Behaviour based Detection Data Loss Prevention Web & email Security Application Visibility & Control Wireless Security Identity & access management Security and event

management Event correlation Packet Capture and Analysis Virtual Network Security TrustSec-SGT Software Defined Network

Cyber Range Architecture


Covering The Entire Attack Continuum

Visibility and Context

Firewall

NGFW

NAC + Identity Services

VPN

UTM

NGIPS

Web Security

Email Security

Advanced Malware Protection

Network Behaviour Analysis

BEFORE Discover

Enforce

Harden

AFTER Scope

Contain

Remediate

Attack Continuum

Detect

Block

Defend

DURING


Foundation

Prevent

Firewall

Anti-Virus

Host IPS

Web proxy

Anti-Spam

Network IPS

Detect

Network IDS

NetFlow anomaly

Advanced Malware

Behavioural anomaly

Collect

NetFlow

Event logs

Web proxy logs

Web firewall

Mitigate

IP blackhole

account

disablement

scalable load balancer device monitoring

Analyse

NetFlow analysis

SIEM analysis

Malware analysis

Cisco CSIRT Protection Model


Cyber Range Network Components Overview


Cyber Range Splunk Architecture

2 x Search Heads

1 x Indexer Mirrored Dev

Servers

CyberRange

“Live” Inside

Network

Mail Logs

(ESA) Access Logs

(WSA) Syslog

(ASA, ISE, etc)

SDEE

(IPS)

Scripted Input HTTPS

Index Forwarding

syslog TCP/UDP

eStreamer

(sFIRE) WWW

Lancope

Cisco Cyber Range APT Case Study


APT - Kill Chain

Recon

• Harvest contact info from social media

Weaponize

• Couple exploit with backdoor to deliver payload

Deliver

• Deliver weaponized bundle to victim via email, web, USB

Exploit

• Leverage vulnerability to execute code on victim system

Install

• Install malware on asset

Control

• Use command channel to control victim remotely

Action on Objectives

• Steal information, exfiltrate, etc.


The Great Bank Robbery: the Carbanak APT

https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
















Carbanak APT Case Study

Finance

Server

Attackers

Cyber Range “ The Defenders ”


Cyber Range Network Components Overview


Sourcefire Intrusion Events


Sourcefire Intrusion Events Detail


Sourcefire Intrusion Events Packet Capture


CTD Shows Data Loss


CTD Shows Data Loss Alarms


CTD Detail Flow


Splunk Search

cisco cyber range · presentation_id cisco and/or its affiliates. all rights reserved. cisco public...

Documents