Cisco Live AMP

Network Malware Protection (Chris Hoff presenting)

Published in: Technology
  1. Local Edition
  2. Local Edition: Protecting Against Emerging Threats
     Christopher Hoff, Advanced Malware Security Specialist
     <SESSION ID>
     (Footer on every slide: © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public)
  3. Agenda
     • History of malware – How did we get here?
     • Malware Trends: 2012 & 2013 cyber attacks
     • Context is Key to Defense
     • Q&A
  4. The Industrialization of Malware
     Timeline 1990 – 2020: Hacking Becomes an Industry; Sophisticated Attacks, Complex Landscape
     • Phishing, Low Sophistication
     • Viruses, 1990–2000
     • Worms, 2000–2005
     • Spyware and Rootkits, 2005–Today
     • APTs, Cyberware, Today
     (Sourcefire Confidential: Internal or Partner Use Only)
  5. Malware as a Service
     Exploit Kits let anyone be a cyber criminal
     • Subscription Services
     • 24/7 Tech Support
     • Easy Configuration and Deployment
     • C&C and Botnet Included
     • Referral Services
  6. More than Just a File
     • Survey: What does the environment look like? What are the countermeasures?
     • Write: Craft context-aware malware to penetrate this environment
     • Test: Validate that the malware works and can evade countermeasures
     • Execute: Deploy malware. Move laterally, establish secondary access
     • Accomplish: Extract data, destroy, plant evidence, compromise
  7. Don’t be Distracted by the DDoS
     • LOIC: Low Orbit Ion Cannon
       - TCP, UDP, HTTP flood
       - Anonymous (not so much)
       - "Hivemind" feature for remote/central control, botnet control
       - Social network campaigns to recruit users to join the DDoS
     • HOIC: High Orbit Ion Cannon
       - HTTP flood only
       - Boost Scripts: evasion, randomization
     • JS LOIC
     • Brobat / itsoknoproblembro
  8. The end user… by the numbers
     9% of users have at least one malware detection event, of which:
     ‒ 66% are repeat offenders
     ‒ 20% are frequent offenders
     ‒ 1.6% of users are completely pwned (>100 detections)
     Approximate stats (one-month period). Source: Sourcefire VRT
     "I like to see what happens. I am a clicker. I click links regardless."
  9. Context of Malware
     • Don’t think of isolated instances; instead, think ecosystem
     • Address the ecosystem, otherwise re-infections occur
     Diagram: Original Dropper → dropped files with dispositions Clean, Malicious, Unknown
     What about the files dropped by the dropper?
  10. Context Beyond the Event Horizon
     Antivirus / Sandboxing:
     • Initial Disposition = Clean
     • Point-in-time Detection: Analysis Stops
     • Blind to scope of compromise
     • Not 100%: Sleep Techniques, Unknown Protocols, Encryption, Polymorphism
     • Actual Disposition = Bad = Too Late!!
     Cisco AMP:
     • Initial Disposition = Clean
     • Retrospective Detection: Analysis Continues
     • Turns back time
     • Actual Disposition = Bad = Blocked
     • Visibility and Control are Key
  11. The Malware Triage Nightmare
     Responding to an infection = Headaches = Time = $$ = Limited Effectiveness
     • Where do I start?
     • How bad is the situation?
     • What systems were impacted?
     • What did the threat do?
     • How do we recover?
     • How do we keep it from happening again?
  12. Putting the Defenses into Context
  13. Context is Key: Looking at the whole picture
  14. Context for Network Assets: Looking at the whole picture
  15. Context for File Movement: Looking at the whole picture
  16. Context for File Movement: Looking at the whole picture
  17. Context for File Movement: Looking at the whole picture
  18. Context on the Endpoint: Looking at the whole picture
  19. Context unites different problem spaces … Looking at the whole picture
     Boundary / End-point / Infrastructure: From where? To what? To whom?
     Where an event occurs defines the first questions analysts ask.
     Placing the event in the right context is critical in reducing valuable analyst time during a security incident.
  20. Feedback: Don’t forget to give us your feedback!
  21. Register for Cisco Live: www.ciscolive.com/us
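Slides 9, 10 and 11 argue that a point-in-time "clean" verdict is not the end of the story: the dropper's ecosystem (what it wrote, where those files travelled) has to be tracked so that a later verdict can be applied retrospectively and the triage questions ("what systems were impacted?") answered from recorded context. The following is an added illustration of that idea, not Cisco AMP code; the host names, hashes and file-movement events are constructed.

```python
"""Constructed example: a file-trajectory graph with retrospective verdicts."""
from collections import defaultdict


class FileTrajectory:
    """Records where each file hash was seen and which file dropped it."""

    def __init__(self):
        self.hosts = defaultdict(set)      # sha -> hosts where the file landed
        self.children = defaultdict(set)   # dropper sha -> shas it wrote
        self.disposition = {}              # sha -> 'clean' | 'unknown' | 'malicious'

    def observe(self, host, sha, parent=None, disposition="unknown"):
        """One endpoint or network event: file `sha` appeared on `host`."""
        self.hosts[sha].add(host)
        self.disposition.setdefault(sha, disposition)  # keep first verdict
        if parent is not None:
            self.children[parent].add(sha)

    def ecosystem(self, sha):
        """The dropper plus everything it (transitively) dropped."""
        seen, stack = set(), [sha]
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            stack.extend(self.children[cur])
        return seen

    def retrospective_verdict(self, sha, new_disposition):
        """A verdict that arrives after the scan said 'clean' is pushed over
        the whole ecosystem; returns (files re-scored, hosts to triage)."""
        files = self.ecosystem(sha)
        for f in files:
            self.disposition[f] = new_disposition
        hosts = set().union(*(self.hosts[f] for f in files))
        return files, hosts


def build_constructed_example():
    """Constructed events: dropper D scanned clean, dropped F1 and F2, F2 copied on."""
    t = FileTrajectory()
    t.observe("ws-01", "sha-dropper-D", disposition="clean")
    t.observe("ws-02", "sha-dropper-D", disposition="clean")
    t.observe("ws-01", "sha-payload-F1", parent="sha-dropper-D")
    t.observe("ws-02", "sha-payload-F2", parent="sha-dropper-D")
    t.observe("fs-03", "sha-payload-F2")            # file movement to a file server
    t.observe("ws-09", "sha-unrelated-G", disposition="clean")
    return t
```

When the constructed dropper is later re-scored as malicious, the graph yields all three files and the three hosts they touched (including the file server that never saw the dropper itself), while the unrelated file keeps its verdict.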