Cisco Live 2014 Melbourne
Emerging Threats – The State of Cyber Security BRKSEC-2010
Gavin Reid - Director TRAC
Craig Williams - Technical Leader TRAC
© 2014 Cisco and/or its affiliates. All rights reserved. BRKSEC-3883 Cisco Public
Threat Research, Analysis and Communications
TRAC dissects current threats to identify & understand trends.
TRAC examines threats in the context of Cisco’s products and services. When possible, TRAC makes product improvements & recommends changes.
TRAC performs exploratory data analysis, leveraging advanced statistical and computational techniques to illuminate patterns in vast amounts of data.
http://blogs.cisco.com/tag/trac/
Watering Hole Attacks
A Watering Hole – Looks Safe?
A Watering Hole – There Could Be Danger…
Watering Hole Attacks
Stage 1: Compromise
Stage 2: Visits
www.twitter.com
www.linkedin.com
www.industry_related.com
Watering Hole Attacks (diagram): the attacker compromises a specific website; the site profiles its visitors and installs malware on them, and the attacker then controls the infected hosts.
The Department of Labor Attack
Watering Hole Attack
Very targeted attack but a large volume of victims
Attack was zero-day (CVE-2013-1347)
‘Site Exposure Matrices’ website serving malware from ‘dol.ns01.us’
Incorporating Content Detection Evasion Techniques
Advanced Reconnaissance
Energy & Oil Sector Attacks
• An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
• A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria;
• A natural gas power station in the UK;
• A gas distributor located in France;
• An industrial supplier to the energy, nuclear and aerospace industries;
• Various investment and capital firms that specialise in the energy sector.
Energy & Oil Sector Attacks
Ten websites detected redirecting to three exploit sites:
Energy & Oil Sector Attacks
CVE-2012-1723: Java
CVE-2013-1347: Internet Explorer 8
CVE-2013-1690: Firefox / Thunderbird
Energy Sector Watering Hole (diagram): Phish Credentials → Web Design Company → Web Design Clients → Malicious Redirect → C2 at kenzhebek.com (US Based VPS)
Indicators of Compromise (IOC) – Advanced Attacks
Advanced Attacks are very difficult to detect
– Increase in activity volume to bad or unknown websites
– Internal phishing attempts
– AV hits on attachments in internal-to-internal emails
– Malformed HTTP requests
– Attempts to exfiltrate data – often encrypted
– New/unknown processes running on box
– Check NetFlow: Cyclical connections to IP addresses with bad/unknown reputation
Thwarting Advanced Attacks
TRAC’s investigation found companies demonstrating signs of compromise; these organisations were notified.
Domains and IPs associated with the attackers were added to blacklists.
Created new IPS Signatures: 2198-0 and 2198-1.
TRAC recommended that Enterprise organisations consider blocking/monitoring free domains offered by orgs like ChangeIP.com, because of the history & potential for abuse.
Watering Hole Attacks - Protection (diagram): the same chain, Specific Website / Compromises / Profiles Users / Installs Malware / Controls, with the points where protection applies marked.
DDoS Attacks
DDoS Attacks on Banks
• Can mask wire fraud before, during, or after
• Overwhelm bank personnel
• Prevent transfer notification to customer
• Prevent customer from reporting fraud
Costly disruption of service, or…?
DarkSeoul
Politically AND financially motivated
Targeted attack against South Korean banks & media outlets
Overwriting malware targeted workstations, servers
Simultaneous payload at 2 p.m. KST sharp. Over 35,000 systems crippled
“Biggest” DDOS Ever
User DDoS: 2 million compromised end-users × 150 Kbps upstream bandwidth = 300 Gbps
Server DDoS: 1000 compromised Data Centre servers × 10 Mbps upstream bandwidth = 10 Gbps
DNS Amplification DDoS: 10 DC servers @ 10Mbps × 300 open DNS resolvers × 8.5x Magnification = 255Gbps
Failed DDoS Response by Network Solutions
[Chart: requests per interval, y-axis 0 – 140,000, from Wed Jun 19 23:00:00 2013 to Thu Jun 20 15:00:00 2013]
Requests for LinkedIn, Others Diverted to 204.11.56.0/24
Is Your DNS Server Vulnerable?
(diagram) DNS Nameserver
Incoming DNS Request: Reject Spoofed Packets; Limit Recursion
Outbound DNS Response: Limit Outbound Rate; Block Large DNS Replies
NTP DDoS
MON_GETLIST – returns last 600 connections
My testing
– 233B UDP request -> 7276B return traffic split across 17 packets
Source address can be spoofed
Similar to DNS Amplification…
NTP DDoS
My testing
– 233B UDP request -> 7276B return traffic split across 17 packets
– 100 servers were in the response
– Magnification: 31x
Let’s estimate a worst case:
– 600 responses / 6 per packet = 100 packets * 448 bytes per packet = 44,800B per query
– 44,800B/233B = 192x Possible Magnification
10 DC Servers @ 10Mbps * 192 Magnification * 300 NTP Servers = 5.76Tb/s
The Team Cymru “worst offenders” list contains 942,431 IP addresses
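The bandwidth arithmetic on the DDoS slides (2 million users × 150 Kbps, 1000 servers × 10 Mbps, the 8.5x DNS case, and the 31x measured / 192x worst-case NTP monlist figures) carried through in Python as an added example; this is not the presenters' code. It reproduces each slide figure from its inputs and makes the unit conversions explicit. One caveat is my own, not the deck's: the slides multiply the sources' uplink by the reflector count, and the `deck_model=False` branch shows the lower figure you get if each source's uplink is instead shared across the reflectors.

```python
"""Capacity arithmetic behind the deck's DDoS estimates (user botnet,
server botnet, DNS amplification, and the NTP monlist worst case).

Added example, not the presenters' code. It reproduces the slide figures
so the formulas are checkable, and shows the unit handling (kbps vs
Mbps, bytes vs bits-per-second) that the slides leave implicit.
"""
from math import ceil

KBPS, MBPS, GBPS, TBPS = 1e3, 1e6, 1e9, 1e12


def magnification(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes returned per byte sent.
    Deck's measurement: 233 B monlist request -> 7276 B reply, ~31x."""
    return response_bytes / request_bytes


def monlist_reply_bytes(entries, entries_per_packet, packet_bytes):
    """Total reply size for a monlist holding `entries` records.
    Deck's worst case: 600 entries, 6 per packet, 448 B per packet."""
    return ceil(entries / entries_per_packet) * packet_bytes


def direct_flood_bps(hosts, uplink_bps):
    """Aggregate rate of `hosts` bots each saturating `uplink_bps`."""
    return hosts * uplink_bps


def reflected_flood_bps(sources, uplink_bps, reflectors, factor, deck_model=True):
    """Attack rate for `sources` spoofing queries through `reflectors`.

    deck_model=True reproduces the slides: uplink * reflectors * factor.
    deck_model=False (my caveat, not the deck's) assumes each source's
    uplink is split across the reflectors, so the reflector count
    cancels out: sources * uplink * factor.
    """
    total_query_rate = sources * uplink_bps
    if deck_model:
        return total_query_rate * reflectors * factor
    return total_query_rate * factor


def fmt(bps):
    """Human-readable rate, e.g. '300 Gbps'."""
    for unit, name in ((TBPS, "Tbps"), (GBPS, "Gbps"), (MBPS, "Mbps"), (KBPS, "kbps")):
        if bps >= unit:
            return f"{bps / unit:g} {name}"
    return f"{bps:g} bps"


def deck_estimates():
    """The slide figures, as bits per second or as amplification ratios."""
    worst_reply = monlist_reply_bytes(600, 6, 448)                    # 44,800 B
    return {
        "user_ddos": direct_flood_bps(2_000_000, 150 * KBPS),         # 300 Gbps
        "server_ddos": direct_flood_bps(1_000, 10 * MBPS),            # 10 Gbps
        "dns_amp": reflected_flood_bps(10, 10 * MBPS, 300, 8.5),      # 255 Gbps
        "ntp_measured_x": magnification(233, 7276),                   # ~31x
        "ntp_worst_x": magnification(233, worst_reply),               # ~192x
        "ntp_amp": reflected_flood_bps(10, 10 * MBPS, 300, 192),      # 5.76 Tbps
    }


if __name__ == "__main__":
    for name, value in deck_estimates().items():
        shown = f"{value:.1f}x" if name.endswith("_x") else fmt(value)
        print(f"{name:>15}: {shown}")
```

Running the block prints the six figures; swap in your own uplink, reflector count and measured reply size to size the exposure of a server population you are responsible for.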
Is Your NTP Server Vulnerable?
(diagram) Secure NTP Server
Incoming mon_getlist Request: Reject ALL OR Spoofed Packets; Limit Queries
Outbound Response: Limit Outbound Rate; Block Large Replies
DDoS - Mitigations
Check netflow for unsuccessful attempts, take action!
Don’t be part of the problem – lock down servers!
Secure your router, even the boring DDoS techniques work
– Enable Unicast RPF
– Filter all RFC-1918 using Access Control Lists (ACLs).
– Enable rate limiting
Apply block lists for known misconfigured servers (NTP, DNS, etc)
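The router hardening items above (unicast RPF and an RFC 1918 ACL) as an added Python model; it is not the presenters' code and not vendor ACL syntax, and the interface names, prefixes and routing table are constructed. It applies an RFC 1918 source ACL and strict uRPF to sample packets and shows why both are needed: with a default route towards the Internet, uRPF alone passes a private source address arriving from outside.

```python
"""Anti-spoofing ingress checks modelled on the router mitigations above:
strict unicast RPF and an RFC 1918 source ACL on the Internet-facing
interface.

Added example, not the presenters' code. Strict uRPF drops a packet
whose source prefix is not routed back out of the interface it arrived
on. Because 10.0.0.0/8 and friends fall under the default route, uRPF
alone accepts RFC 1918 sources from the Internet; the ACL closes that.
Interface names and prefixes are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
EXTERNAL_IF = "internet"


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


# Constructed forwarding table: campus behind "inside", a customer DMZ,
# default route towards the Internet.
ROUTES = [
    Route(ip_network("192.168.0.0/16"), "inside"),
    Route(ip_network("203.0.113.0/24"), "dmz"),
    Route(ip_network("0.0.0.0/0"), EXTERNAL_IF),
]


def lookup(addr: IPv4Address, routes=ROUTES) -> Route:
    """Longest-prefix match; the default route guarantees a result."""
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def rfc1918_acl(src: IPv4Address, ingress: str) -> Optional[str]:
    """Deny private source addresses arriving from the Internet."""
    if ingress == EXTERNAL_IF and any(src in net for net in RFC1918):
        return f"drop: RFC1918 source {src} on {ingress}"
    return None


def urpf_strict(src: IPv4Address, ingress: str) -> Optional[str]:
    """Strict uRPF: the best route back to the source must leave via `ingress`."""
    route = lookup(src)
    if route.interface != ingress:
        return f"drop: uRPF, {src} is routed via {route.interface} but arrived on {ingress}"
    return None


def ingress_verdict(src: str, ingress: str) -> str:
    """Apply the ACL first, then uRPF; return 'permit' or the drop reason."""
    addr = ip_address(src)
    for check in (rfc1918_acl, urpf_strict):
        reason = check(addr, ingress)
        if reason:
            return reason
    return "permit"


def urpf_alone_accepts_private_from_outside() -> bool:
    """The gap the ACL closes: 10.0.0.0/8 matches the default route."""
    return urpf_strict(ip_address("10.1.2.3"), EXTERNAL_IF) is None


if __name__ == "__main__":
    packets = [("198.51.100.7", "internet"), ("10.1.2.3", "internet"),
               ("203.0.113.5", "internet"), ("198.51.100.7", "inside"),
               ("192.168.4.4", "inside")]
    for src, iface in packets:
        print(f"{src:>14} on {iface:<8} -> {ingress_verdict(src, iface)}")
```

The third and fourth sample packets are the two spoofing cases uRPF is meant for: a customer DMZ address arriving from the Internet, and an inside host sending with a public source. The second packet is the one only the ACL catches.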
Ransomware
Browlock
Cryptolocker
Ransomware - Mitigations
Backup your data properly
Do not allow “anyone” to access backups – air gap where possible
Network prevention (FireAMP, WSA, ESA)
Host based prevention
– AV, HIPS
– Whitelist client side applications
Minimize deployments of frequently vulnerable software
Training
Targeting Web Infrastructure
Compromising Hosts w/ Bandwidth
DarkLeech/CDorked - Mass compromise of Apache Web servers
• September 2012: Increase in hosting server compromise
• Attackers gain root access via brute force login attempts, vulnerabilities in control panel software, poorly configured server software, stolen credentials
• Every site hosted by that server under control
• Originally Apache v2; CDorked expands to Lighttpd, Nginx
[Chart: Apache Server Compromise, September 2012 – March 2013, monthly shares 3%, 26%, 18%, 9%, 9%, 10%, 25% (order as extracted). Source: Cisco Web Security]
[Diagram: one Compromised Hosting Server → many Compromised Websites]
Popular CMS Targeted (WordPress, Joomla)
[Chart: monthly shares August 2012 – March 2013: 7%, 7%, 7%, 12%, 21%, 15%, 8%, 22% (order as extracted); caption below]
• Brute force login attempts increased threefold in the first quarter of 2013
• Cisco TRAC discovered a hub of data used to feed the attacks, including 8.9 million possible username and password combinations
• It’s not just password123 at risk. The lists contain many strong passwords
• Stolen credentials are one example of how attackers may be feeding these lists
Example passwords:
1numb2000core
89525560336sasa
e10adc3949ba59abbe
56e057f20f883e
3l3c7rocard1ograph$
p1206n057ic47i0n
kaeLAA$3
Encounters Resulting from WordPress Compromises Source: Cisco Web Security
Compromising Hosts w/ Bandwidth
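One way to surface the brute-force login activity this slide describes, as an added example that is not Cisco's detection: a sliding-window count of POSTs to CMS login endpoints per source IP, run over constructed Apache access-log lines. The login paths, window and threshold are assumptions to tune per site.

```python
"""Detect brute-force login bursts against CMS login endpoints in web
server access logs (the WordPress/Joomla trend on this slide).

Added example, not Cisco's detection. Log lines are constructed in
Apache combined format; LOGIN_PATHS, WINDOW_S and PER_IP_MAX are
assumptions. A POST to a login path is counted per source IP in a
sliding window and the IP is reported once it exceeds PER_IP_MAX
attempts inside WINDOW_S seconds. WordPress answers a failed login with
HTTP 200 and a success with a 302 redirect, so the status code alone
does not separate the two; the rate does.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}  # assumed WP + Joomla endpoints
WINDOW_S = 300
PER_IP_MAX = 10
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (timestamp, ip, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["ip"], m["method"], m["path"], int(m["status"])


def detect_bruteforce(lines, window_s=WINDOW_S, per_ip_max=PER_IP_MAX):
    """One alert per offending IP: dict(ip, attempts, first, last)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still inside the window
    alerted = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, method, path, _status = rec
        if method != "POST" or path.split("?")[0] not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > per_ip_max and ip not in alerted:
            alerted[ip] = {"ip": ip, "attempts": len(q), "first": q[0], "last": ts}
    return list(alerted.values())


def constructed_log():
    """Constructed sample: one normal user, one source hammering wp-login.php."""
    base = datetime.strptime("20/Mar/2013:10:00:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {s} 1234 "-" "Mozilla/5.0"'

    def line(ip, offset, method, status):
        return fmt.format(ip=ip, ts=(base + timedelta(seconds=offset)).strftime(TS_FMT),
                          m=method, p="/wp-login.php", s=status)

    lines = [line("192.0.2.5", 0, "GET", 200), line("192.0.2.5", 8, "POST", 302)]
    lines += [line("198.51.100.77", 5 * i, "POST", 200) for i in range(12)]  # 12 POSTs in 55 s
    lines.append(line("198.51.100.77", 400, "POST", 200))  # outside the window, no second alert
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_log()):
        print(alert)
```

The alert fires on the eleventh attempt inside the window, and the late thirteenth POST does not re-alert because the earlier attempts have aged out; feed real logs in order of time for the window to behave as intended.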
Weaponised Web Infrastructure
Content manager attacks continue to rise as complexity increases
IOC – Web Infrastructure
Majority of attacks use well known vulnerabilities
– Patch
– Block external access to internal servers
– Look for unknown or suspicious processes
– Check NetFlow: servers reaching out to external boxes
– Check NetFlow: cyclical connections to IP addresses with bad or unknown reputation
Defence in depth
– Use network defences like IPS
– AV
– HIPS
Social Engineering
Boston Bombing Spam/Malware Campaign [chart; y-axis 0.00% – 45.00%]
Curiosity Killed the Cat
2 Explosions at Boston Marathon
Aftermath to explosion at Boston Marathon
BREAKING - Boston Marathon Explosion
Boston Explosion Caught on Video
Explosion at Boston Marathon
Explosion at the Boston Marathon
Explosions at Boston Marathon
Explosions at the Boston Marathon
Video of Explosion at the Boston Marathon 2013
Yesterday Boston, Today Waco, Tomorrow Malware
CAUGHT ON CAMERA: Fertiliser Plant Explosion Near Waco, Texas
Fertiliser Plant Explosion Near Waco, Texas
Plant Explosion Near Waco, Texas
Raw: Texas Explosion Injures Dozens
Texas Explosion Injures Dozens
Texas Plant Explosion
Video footage of Texas explosion
Waco Explosion HD
IOCs – Spam Compromise
Increase in blocks on Email security appliances
Increase in activity volume to bad or unknown websites
AV hits on attachments
Malformed outgoing HTTP requests
Attempts to exfiltrate data – often encrypted
New/unknown processes running on box
Check NetFlow: cyclical connections to IP addresses with bad or unknown reputation
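The NetFlow check in the list above, written out as an added example that is not part of the presentation: it groups flow records by source and destination, measures how regular the gaps between successive connections are, and reports pairs that talk at a steady interval to a destination whose reputation is bad or unknown. The flow records, the reputation table, the addresses (RFC 5737 documentation ranges) and the regularity threshold (coefficient of variation of the gaps at most 0.15) are all constructed assumptions for this example.

```python
"""Cyclical-connection (beacon) detection over NetFlow-style records.

Added example: report source/destination pairs that connect at a steady
interval to a destination whose reputation is bad or unknown. The flow
records and the reputation table below are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed reputation table. Any destination not listed is "unknown".
REPUTATION = {
    "192.0.2.20": "good",     # e.g. a known update server
    "203.0.113.10": "bad",    # listed as a known command-and-control host
}

def reputation(ip):
    return REPUTATION.get(ip, "unknown")

def find_beacons(flows, min_flows=4, max_cv=0.15):
    """Return (src, dst, period_seconds, cv, reputation) for beacon-like pairs.

    flows: iterable of (epoch_seconds, src_ip, dst_ip).
    A pair counts as cyclical when it has at least min_flows flows and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    flows is at most max_cv. Pairs whose destination is "good" are skipped.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        rep = reputation(dst)
        if cv <= max_cv and rep != "good":
            findings.append((src, dst, round(period), round(cv, 3), rep))
    return sorted(findings)

# Constructed sample: (epoch seconds, src, dst). Addresses are from the
# RFC 5737 documentation ranges.
BASE = 1_700_000_000
SAMPLE_FLOWS = (
    # 10.0.0.5 -> bad host every ~300 s with a few seconds of jitter
    [(BASE + t, "10.0.0.5", "203.0.113.10") for t in (0, 302, 598, 901, 1199, 1503)]
    # 10.0.0.5 -> unknown host at irregular times (normal browsing)
    + [(BASE + t, "10.0.0.5", "198.51.100.7") for t in (0, 40, 700, 710, 2000)]
    # 10.0.0.8 -> good host every 600 s (scheduled updates, not reported)
    + [(BASE + t, "10.0.0.8", "192.0.2.20") for t in range(0, 3000, 600)]
    # 10.0.0.8 -> unknown host exactly every 60 s
    + [(BASE + t, "10.0.0.8", "198.51.100.50") for t in range(0, 300, 60)]
    # 10.0.0.9 -> unknown host, only three flows: too few to judge
    + [(BASE + t, "10.0.0.9", "198.51.100.9") for t in (0, 300, 600)]
)

if __name__ == "__main__":
    for src, dst, period, cv, rep in find_beacons(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: every ~{period}s (cv={cv}), reputation={rep}")
```

On the sample data the jittered 300-second beacon to the bad host and the exact 60-second beacon to the unknown host are reported; the irregular browsing pair, the periodic traffic to the known-good host and the pair with too few flows are not. In production the reputation lookup would be replaced by the organisation's threat-intelligence feed and the thresholds tuned against a baseline of scheduled jobs that legitimately beacon.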
Hacktivism
The Enemy We Know - Syrian Electronic Army (SEA)
Hackers aligned with Syrian President Bashar al-Assad
Primarily targets:
– news organisations
– political groups
– human rights groups
– VoIP Apps
Effective “Low Tech” Attacks
– Phishing
– Spam
Associated Press Twitter Account Attack
AP Twitter account hacked
Perpetrated by the Syrian Electronic Army.
Same group also successfully attacked:
– 60 Minutes
– BBC
– CBS
– NPR
AP Twitter Account
Consequences
The AP Twitter account loses over 1.8 million followers as a result of the incident, mostly as a result of how Twitter responds to hacked accounts.
The Dow takes a huge dip, then recovers ($136 Billion)
ShareThis
Allows content sharing through a customisable widget
Interacts with over 94% of US internet users
2 Million publisher sites
120+ Social Media Channels
Compromising DNS
(diagram, built up over five slides; labels recoverable from the slides: Request, Registrar, Actual Server, Malicious Server, Stage 2)
ShareThis
Melbourne IT
Responsible for:
– New York Times
– Huffington Post
Defending DNS
Establish a relationship with your providers
Lock down domains
Only authorised transfers via secure means
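A concrete form of "Lock down domains", added here as an example and not part of the presentation: the registrar locks that block transfers, name-server changes and deletion appear in WHOIS output as EPP status codes (RFC 5731), so a periodic audit can parse the "Domain Status:" lines and flag any domain that is missing one. The two WHOIS outputs below are constructed; the status-code names are the standard ones, and the function names are my own.

```python
"""Registrar-lock audit from WHOIS output (added example).

"Lock down domains" means asking the registrar to set the EPP client
status codes that block unauthorised changes. This parses the
"Domain Status:" lines that WHOIS prints and reports which locks are absent.
The WHOIS text below is constructed; `whois <domain>` gives the real thing.
"""
import re

# EPP client status codes (RFC 5731) that a registrar sets on request.
REQUIRED_LOCKS = {
    "clientTransferProhibited",  # blocks transfer to another registrar
    "clientUpdateProhibited",    # blocks changes to name servers / contacts
    "clientDeleteProhibited",    # blocks deletion of the domain
}

# Modern registrars print "Domain Status: <code> https://icann.org/epp#<code>";
# only the first token after the colon is the code.
STATUS_RE = re.compile(r"^[ \t]*Domain Status:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_domain_status(whois_text):
    """Return the set of EPP status codes found in WHOIS 'Domain Status:' lines."""
    return set(STATUS_RE.findall(whois_text))

def missing_locks(whois_text):
    """Return the required locks that are not set on the domain, sorted."""
    return sorted(REQUIRED_LOCKS - parse_domain_status(whois_text))

# Constructed WHOIS output for a domain with all three locks set.
LOCKED_WHOIS = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE-LOCKED.COM
"""

# Constructed WHOIS output for a domain left at the default "ok" status.
UNLOCKED_WHOIS = """\
Domain Name: EXAMPLE-OPEN.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE-OPEN.COM
"""

if __name__ == "__main__":
    for text in (LOCKED_WHOIS, UNLOCKED_WHOIS):
        name = text.splitlines()[0].split(":", 1)[1].strip()
        gaps = missing_locks(text)
        print(name, "OK" if not gaps else "missing locks: " + ", ".join(gaps))
```

The transfer lock is the one that maps directly to "Only authorised transfers via secure means": with clientTransferProhibited set, a transfer request is refused until someone with access to the registrar account removes the lock, which is a step that should go through the relationship and verification procedure agreed with the provider. Some registrars offer a further registry-level lock that requires out-of-band confirmation; that is worth asking for on the domains that matter most.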
Outbrain Attack
Outbrain is a Content Suggestion Service. “If you liked this article you might also like…”
Affected The Washington Post, Time, CNN
BarackObama.com
Another successful phish?
Donate.BarackObama.com
Looks Clean?
Or Is It…
Financial Times
SEA compromises the Financial Times blog and Twitter
Turkish Government
SEA coordinates with Anonymous against Turkish government sites
SEA – Latest Activities
June 05 – SEA coordinates with Anonymous against Turkish government sites
Viber Message Service
SEA hacks the Viber messaging service, alleges they are spying on users
Skype
January 1 2014
– Skype Blog
– Skype Twitter
– Skype Facebook page
How Could This Have Been Avoided?
Email security
2 factor authentication
Respond to widespread phishing attempts
– Web security appliances
Security training for all people associated with ANYTHING involving an external portal
Enable incident response as per handbook
– Increase response as warranted!
Indicators of compromise
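The "2 factor authentication" item above, shown as working code: an added example, not part of the presentation. It is the server side of a TOTP second factor as specified in RFC 6238: derive the 6-digit code from a shared secret and the current 30-second time step, accept one step of clock drift either way, and refuse a code whose step has already been consumed so that a phished or shoulder-surfed code cannot be replayed. The secret is the RFC's published test secret, not a real one, and the class and function names are my own.

```python
"""TOTP second factor (RFC 6238) with replay protection (added example).

A phished password alone is not enough once a second factor is required;
this shows how the server computes and checks the time-based code.
The secret below is the RFC 6238 test-vector secret, not a real one.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """HOTP(secret, floor(unix_time / step)) truncated to `digits` decimal digits."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TotpVerifier:
    """Server-side check that tolerates +/- `window` steps of clock drift
    and never accepts a step at or below the last one that was used."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                                   # already consumed: replay
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, code):        # constant-time compare
                self.last_accepted_step = step
                return True
        return False

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC6238_SECRET)
    code = totp(RFC6238_SECRET, 59)
    print("code at t=59:", code)
    print("first use accepted:", v.verify(code, 59))
    print("replay accepted:", v.verify(code, 59))
```

The per-step replay guard is what makes an intercepted code useless after its first use; the window of one step on either side absorbs the clock skew of a phone without widening the attack surface much. The same secret must be generated with a cryptographically secure random source and stored with the same care as a password hash; the RFC test secret here exists only so the output can be checked against the published vectors.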
Thomson Reuters
July 29 – SEA compromises Thomson Reuters Twitter accounts
For more:
http://blogs.cisco.com/tag/trac/
Q & A
Complete Your Online Session Evaluation
Give us your feedback and receive a Cisco Live 2014 Polo Shirt!
Complete your Overall Event Survey and 5 Session Evaluations.
Directly from your mobile device on the Cisco Live Mobile App
By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile
Visit any Cisco Live Internet Station located throughout the venue
Polo Shirts can be collected in the World of Solutions on Friday 21 March 12:00pm - 2:00pm
Learn online with Cisco Live!
Visit us online after the conference for full access
to session videos and presentations.
www.CiscoLiveAPAC.com