See no evil, speak no evil, hear plenty about evil: Using visibility and intelligence to secure your business
1. See No Evil, Speak No Evil, Hear Plenty About Evil: Using Visibility and Intelligence to Secure your Business
   Darren Anstee, Solutions Architect Team Leader, Arbor Networks
   © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

2. The New Global & Advanced Threat Landscape
   [Slide graphic: Advanced Security Threats – Multi-Stage, Multi-Vector; surrounded by example labels: Stuxnet (Cyberwar), Flame, Sony, LulzSec, Anonymous, Banking Attacks, Aurora, Shamoon]

3. Advanced Threats – Overview
   • What Are They?
     ‒ Target a specific organisation or vertical over a period of time to achieve a specific goal
     ‒ Co-ordinated activity & resources within the attacking entity
     ‒ Use new, modified and/or combinations of attack vectors & methodologies to avoid & evade detection and achieve the goal
   • Are They (Really) New?
     ‒ No, they are just focused & resourced hacking.
     ‒ Goals are varied but have not changed – service disruption, data or IP theft, fraud.
     ‒ Motivations include industrial or state sponsored espionage, organised crime, ideological hacktivism, competitive advantage

4. Advanced Threats – DDoS is Just One Attack Vector
   • Aimed at disrupting an organisation's online presence or service
     ‒ A broad spread of organisations are reliant on the Internet to sell products, offer services or access cloud based data and applications.
   • Common features
     ‒ Organized DDoS 'campaigns'
     ‒ No longer JUST packet blasts
     ‒ Combinations of sophisticated and unsophisticated attack tools
   • Goal can be disruption or distraction
     ‒ Wide range of motivations
   [Chart: DDoS Attack Motivations – Arbor Worldwide Infrastructure Security Report, 8th annual]

5. Advanced Threats – DDoS Evolution
   [Chart: timeline 2005–2012, axes Attack Complexity vs Attack Scale (Gbps); labelled points: Crafted State Exhaustion, Slowloris, LOIC & Variants, Apache Killer, RefRef, Multi-vector, HTTP GET / POST Floods, Malformed HTTP, THC-SSL, DC++, Multi-vector ++, Kamikaze / Brobot / Amos, RUDY]

6. Advanced Threats – DDoS Evolution
   • Big rise in the proportion of WISR respondents seeing multi-vector attacks
     ‒ Up from 27% (2011) to 45.8% (2012)
     ‒ Most effective attacks target limitations in network perimeter & cloud based defenses
     ‒ Hardest to mitigate and generally require layered defenses
   [Chart: Multi-Vector Attacks Observed By Respondent (Yes / No / Don't Know) – Arbor Worldwide Infrastructure Security Report, 8th annual]

7. Advanced Threats – Multi-Stage, Multi-Vector DDoS
   • Izz ad-Din al-Qassam Cyber Fighters attacks on the US financial sector in Q4 2012
   • Compromised PHP, WordPress & Joomla servers
   • Multiple concurrent attack vectors
     ‒ GET and POST app layer attacks on HTTP and HTTPS
     ‒ DNS query app layer attack
     ‒ Floods on UDP, TCP SYN floods, ICMP & other IP protocols
   • Unique characteristics of the attacks
     ‒ Very high packet per second rates per individual source
     ‒ Attacks on multiple companies in the same vertical
     ‒ Real-time monitoring of effectiveness
     ‒ Agility in modifying attack vectors when mitigated
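The pattern on this slide (several vectors hitting one destination at once, and individual sources emitting unusually high packet rates) is something a defender can flag from flow telemetry alone. The following is an added example, not code from the deck or from Arbor Networks: it assumes pre-aggregated per-source, per-destination flow summaries of the kind a flow collector exports, maps each to one of the vectors the slide lists, and raises a multi-vector alert per destination and a high-pps alert per source. The field names, sample records and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Illustrative thresholds (assumptions, not values from the deck).
PPS_PER_SOURCE_ALERT = 50_000   # "very high pps per individual source"
VECTOR_PPS_THRESHOLD = 1_000    # below this a flow is treated as background traffic


@dataclass(frozen=True)
class FlowSummary:
    """One aggregated flow record (assumed collector export format)."""
    src: str
    dst: str
    proto: str            # "tcp" | "udp" | "icmp"
    dport: int
    tcp_flags: str        # e.g. "S" = SYN only, "PA" = PSH/ACK
    packets: int
    window_s: float       # length of the observation window in seconds
    http_method: str = ""     # "GET"/"POST" when L7 inspection saw HTTP
    dns_query: bool = False   # UDP/53 carrying a DNS question section

    @property
    def pps(self) -> float:
        return self.packets / self.window_s


def classify(f: FlowSummary):
    """Map a flow summary to one of the vectors named on the slide, or None."""
    if f.pps < VECTOR_PPS_THRESHOLD:
        return None
    if f.proto == "tcp" and f.dport in (80, 443) and f.http_method in ("GET", "POST"):
        scheme = "HTTPS" if f.dport == 443 else "HTTP"
        return f"{scheme} {f.http_method} flood"
    if f.proto == "udp" and f.dport == 53 and f.dns_query:
        return "DNS query flood"
    if f.proto == "tcp" and f.tcp_flags == "S":
        return "TCP SYN flood"
    if f.proto == "udp":
        return "UDP flood"
    if f.proto == "icmp":
        return "ICMP flood"
    return "other IP flood"


def triage(flows):
    """Return (multi_vector, hot_sources).

    multi_vector: dst -> sorted list of distinct vectors, for dsts seeing >= 2 at once.
    hot_sources:  src -> aggregate pps, for srcs at or above PPS_PER_SOURCE_ALERT.
    """
    vectors_by_dst = defaultdict(set)
    pps_by_src = defaultdict(float)
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        vectors_by_dst[f.dst].add(vector)
        pps_by_src[f.src] += f.pps
    multi_vector = {d: sorted(v) for d, v in vectors_by_dst.items() if len(v) >= 2}
    hot_sources = {s: round(p) for s, p in pps_by_src.items() if p >= PPS_PER_SOURCE_ALERT}
    return multi_vector, hot_sources


# Constructed sample: one target under concurrent attack from four sources,
# plus one ordinary client talking to a different host.
SAMPLE_FLOWS = [
    FlowSummary("203.0.113.10", "198.51.100.5", "tcp", 443, "PA", 600_000, 10, http_method="GET"),
    FlowSummary("203.0.113.10", "198.51.100.5", "tcp", 80, "PA", 400_000, 10, http_method="POST"),
    FlowSummary("203.0.113.11", "198.51.100.5", "udp", 53, "", 250_000, 10, dns_query=True),
    FlowSummary("203.0.113.12", "198.51.100.5", "tcp", 443, "S", 300_000, 10),
    FlowSummary("203.0.113.13", "198.51.100.5", "icmp", 0, "", 120_000, 10),
    FlowSummary("192.0.2.7", "198.51.100.9", "tcp", 443, "PA", 500, 10, http_method="GET"),
]

if __name__ == "__main__":
    multi, hot = triage(SAMPLE_FLOWS)
    for dst, vectors in multi.items():
        print(f"MULTI-VECTOR {dst}: {', '.join(vectors)}")
    for src, pps in hot.items():
        print(f"HIGH-PPS SOURCE {src}: {pps} pps")
```

Because the vector set is recomputed per window, a source that switches from HTTP floods to DNS queries after the first vector is mitigated (the "agility" point on the slide) shows up as a changed vector list for the same destination rather than as a new, unrelated alert, which is the view an operator needs when deciding which mitigation to add next.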
8. Advanced Threats – Advanced Persistent Threats (APTs)
   • APT is the Hot Topic in Information Security
     ‒ Aurora (2009) brought the term into the mainstream
     ‒ They actually incorporate a number of threats
   • APTs have Common Features
     ‒ Defined goal, not opportunistic
     ‒ Stealthy infiltration, horizontal propagation
     ‒ Obfuscate trail, to ensure continued compromise
     ‒ Multiple tools / tactics used throughout the campaign
     ‒ Significant resources required over an extended period
   • APT Component Parts – Are They Advanced?
     ‒ Many are off the shelf malware dev kits, though some malware is built from the ground up
     ‒ Spear phishing & social engineering
     ‒ Drop an infected key in the car park / smoking area etc.

9. APT Attack Targets & Methodology
   • Who are the targets?
     ‒ Governments: economic offices, military, diplomatic corps, etc. – anyone working overseas. Outside government contractors, advisors (e.g. academic scholars)
     ‒ Private sector & commercial: multinational businesses – aerospace, energy, pharmaceutical, finance, technology,
   • Survey results
     ‒ 21.7% of respondents to the WISR survey experienced an APT of some kind on their non-service providing networks in 2012
     ‒ But over 50% are concerned they might be targeted in the next 12 months
   [Chart: Corporate Network Security Concerns, 0%–70% – Arbor Worldwide Infrastructure Security Report, 8th annual]

10. Recent APT Malware & Attack Examples
   • Xtreme RAT – 2012
     ‒ Remote Access Trojan (RAT) that allowed remote users to remotely steal data from malware-infected machines. The spear phishing e-mails targeted US and Israeli government institutions.
   • Shamoon – 2012
     ‒ Malware executable spread using network shared drives. Corrupts files and wipes device boot blocks at a specified date.
     ‒ A group named "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 Saudi Aramco workstations, causing the company to spend a week restoring its services

11. Advanced Threats – Multi-Stage, Multi-Vector Attack Example
   LulzSec, an offshoot of the Anonymous collective, launched a DDoS attack using Low Orbit Ion Cannon (LOIC) that camouflaged a data breach of up to 100 million customers. Sony estimates more than $170M (USD) in losses due to the attack, while stock analysts expect losses greater than $1B. The hackers were caught and pleaded guilty.

12. How Should We Defend Ourselves?
   • Broad and deep visibility is needed to understand attack traffic and malware behaviors.
     ‒ We need to be able to SEE what is happening outside and inside our networks.
   • Research based actionable intelligence and reputation information are needed.
     ‒ We need to HEAR about what is going on out there, so that we can leverage the research capabilities within the industry to protect ourselves.
   • Intelligent, pinpoint mitigation and detailed forensics
     ‒ We need to stop threats to protect the availability of our on-line presence / access, and ensure that entities within our networks cannot export data / contact known bad actors

13. The Solution to Stop Advanced Threats
   Internet & Enterprise Visibility → Security Intelligence → Threat Protection
   Know the Network → Find the Threat → Protect the Business
   A World-Class Research Team (ASERT) Analysing the World's Internet Traffic (ATLAS) to Stop Emerging Advanced Threats
   Built on Global Network Visibility & Security Intelligence

14. Arbor's Enterprise Solution Overview
   • Arbor Pravail Products
     ‒ DDoS Protection & Cloud Signaling
     ‒ Inbound Botnet Blocking (AIF)
     ‒ Activity Based Detection (ATF)
     ‒ Behavioral Based Detection
     ‒ Identity Tracking & Forensics
     ‒ Application Intelligence
   • Advanced Threat Landscape
     ‒ DDoS
     ‒ Botnets
     ‒ Advanced Malware (0-Day, Stealthy)
     ‒ Insider Threats to Steal Data
     ‒ Mobile Devices & BYOD
     ‒ Dynamic Applications
   • Availability Protection: stop inbound DDoS attacks as well as botnets
   • Security Intelligence: visibility and intelligence to monitor and identify misuse of critical applications and sensitive systems
   • Network Situational Awareness: risk profiling of threats and alerts with intelligence to understand the context of the activity that created the alert
   Arbor's Enterprise Products are Designed for Today's Advanced Threat Landscape