Cisco Live AMP

Network Malware Protection (Chris Hoff presenting)

Transcript
  • 1. Local Edition
  • 2. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public Local Edition Protecting Against Emerging Threats Christopher Hoff Advanced Malware Security Specialist <SESSION ID>
  • 3. Agenda • History of malware – How did we get here? • Malware Trends: 2012 & 2013 cyber attacks • Context is Key to Defense • Q&A
  • 4. The Industrialization of Malware (timeline, 1990–2020): Viruses 1990–2000; Worms 2000–2005; Spyware and Rootkits 2005–Today; APTs and Cyberwar Today. The landscape moves from phishing and low sophistication, through hacking becoming an industry, to sophisticated attacks in a complex landscape.
  • 5. Malware as a Service. Exploit kits let anyone be a cyber criminal: subscription services; 24/7 tech support; easy configuration and deployment; C&C and botnet included; referral services.
  • 6. More than Just a File. Survey: what does the environment look like? What are the countermeasures? Write: craft context-aware malware to penetrate this environment. Test: validate that the malware works and can evade the countermeasures. Execute: deploy the malware, move laterally, establish secondary access. Accomplish: extract data, destroy, plant evidence, compromise.
  • 7. Don't be Distracted by the DDoS. LOIC (Low Orbit Ion Cannon): TCP, UDP and HTTP flood; Anonymous (not so much); "Hivemind" feature for remote/central (botnet-style) control; social network campaigns to recruit users to join the DDoS. HOIC (High Orbit Ion Cannon): HTTP flood only; boost scripts for evasion and randomization. JS LOIC. Brobot / itsoknoproblembro.
  • 8. The end user… by the numbers: 9% of users have at least one malware detection event, of which 66% are repeat offenders, 20% are frequent offenders, and 1.6% of users are completely pwned (>100 detections). Approximate stats (one-month period). Source: Sourcefire VRT. "I like to see what happens. I am a clicker. I click links regardless."
  • 9. Context of Malware. Don't think of isolated instances; instead, think ecosystem. Address the ecosystem, otherwise re-infections occur. (Figure: an original dropper and the files it drops, each with a disposition of clean, malicious or unknown.) What about the files dropped by the dropper?
  • 10. Context Beyond the Event Horizon. Antivirus and sandboxing are point-in-time detection: initial disposition = clean, analysis stops, and the defender is blind to the scope of compromise; when the actual disposition turns out to be bad, it is too late. Sandboxing is not 100%: sleep techniques, unknown protocols, encryption and polymorphism all defeat it. Cisco AMP is retrospective detection: analysis continues after the initial clean disposition and "turns back time" when the actual disposition becomes bad (actual disposition = bad = blocked). Visibility and control are key.
  • 11. The Malware Triage Nightmare. Responding to an infection = headaches = time = $$ = limited effectiveness. Where do I start? How bad is the situation? What systems were impacted? What did the threat do? How do we recover? How do we keep it from happening again?
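Slides 9 through 11 make one argument: a verdict reached at the moment a file arrives is not the end of the story, and when that verdict later flips, the defender needs to know every host that saw the file and every file it dropped. The following Python is an added illustration of that idea, written for this page; it is not Cisco or Sourcefire code and makes no claim about how AMP is implemented. The `FileEvent` records, hosts, hashes and paths are constructed, and `observe()` stands in for any point-in-time gate (AV or sandbox) while `retrospect()` stands in for the retrospective lookup.

```python
"""Retrospective detection over a file trajectory (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class FileEvent:
    """One sighting of a file on an endpoint (all values constructed)."""
    ts: int                         # seconds since the start of the incident
    host: str
    sha256: str                     # hash of the file that appeared
    path: str
    parent: Optional[str] = None    # hash of the file/process that wrote it (the dropper)


class Trajectory:
    """Keeps every sighting and the verdict the hash had at that moment.

    observe() is the point-in-time check an AV or sandbox gate performs;
    retrospect() is what a retrospective system does when a hash's
    disposition changes after the fact.
    """

    def __init__(self) -> None:
        self.events: List[FileEvent] = []
        self.disposition: Dict[str, str] = {}      # sha256 -> "clean" | "malicious"
        self.verdict_at_sighting: List[str] = []    # parallel to self.events

    def set_disposition(self, sha256: str, verdict: str) -> None:
        self.disposition[sha256] = verdict

    def observe(self, ev: FileEvent) -> str:
        """Point-in-time decision: block only if the hash is already known bad."""
        verdict = self.disposition.get(ev.sha256, "unknown")
        self.events.append(ev)
        self.verdict_at_sighting.append(verdict)
        return "blocked" if verdict == "malicious" else "allowed"

    def descendants(self, sha256: str) -> Set[str]:
        """The hash plus everything it dropped, transitively (the ecosystem of slide 9)."""
        affected: Set[str] = {sha256}
        queue = [sha256]
        while queue:
            parent = queue.pop()
            for ev in self.events:
                if ev.parent == parent and ev.sha256 not in affected:
                    affected.add(ev.sha256)
                    queue.append(ev.sha256)
        return affected

    def retrospect(self, sha256: str) -> dict:
        """Scope of compromise for a hash whose disposition just flipped to bad."""
        affected = self.descendants(sha256)
        hits = [(ev, v) for ev, v in zip(self.events, self.verdict_at_sighting)
                if ev.sha256 in affected]
        return {
            "hosts": sorted({ev.host for ev, _ in hits}),
            "files": sorted(affected),
            "first_seen": min((ev.ts for ev, _ in hits), default=None),
            # sightings that were allowed through at the time: the point-in-time gap
            "allowed_at_the_time": sum(1 for _, v in hits if v != "malicious"),
        }


def demo() -> Trajectory:
    """Constructed incident: a sandbox-'clean' dropper spreads before the verdict flips."""
    t = Trajectory()
    dropper, p1, p2, p3 = "sha-dropper", "sha-payload1", "sha-payload2", "sha-payload3"
    t.set_disposition(dropper, "clean")              # sandbox slept through analysis
    t.observe(FileEvent(1, "host-a", dropper, "C:/Users/a/Downloads/invoice.exe"))
    t.observe(FileEvent(2, "host-a", p1, "C:/Users/a/AppData/Local/Temp/svc.dll", parent=dropper))
    t.observe(FileEvent(3, "host-a", p3, "C:/ProgramData/upd.exe", parent=p1))
    t.observe(FileEvent(4, "host-d", "sha-benign", "C:/Windows/notepad.exe"))   # unrelated
    t.observe(FileEvent(5, "host-b", dropper, "C:/Users/b/Downloads/invoice.exe"))
    t.observe(FileEvent(6, "host-b", p2, "C:/Users/b/AppData/Roaming/run.exe", parent=dropper))
    t.set_disposition(dropper, "malicious")          # later: continued analysis changes its mind
    return t


if __name__ == "__main__":
    traj = demo()
    print(traj.retrospect("sha-dropper"))
    # A new sighting of the same hash is now blocked at point-in-time.
    print(traj.observe(FileEvent(11, "host-c", "sha-dropper", "/tmp/invoice.exe")))
```

The report answers the triage questions of slide 11 directly from recorded history: `hosts` is which systems were impacted, `files` is what the threat did in terms of dropped payloads, `first_seen` is where to start, and `allowed_at_the_time` counts how many sightings a point-in-time gate let through before the disposition changed. Without the recorded parent links the payloads would remain "unknown" files with no connection to the dropper, which is the re-infection problem slide 9 warns about.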
  • 12. Putting the Defenses into Context
  • 13. Context is Key: Looking at the whole picture
  • 14. Context for Network Assets: Looking at the whole picture
  • 15. Context for File Movement: Looking at the whole picture
  • 16. Context for File Movement: Looking at the whole picture (continued)
  • 17. Context for File Movement: Looking at the whole picture (continued)
  • 18. Context on the Endpoint: Looking at the whole picture
  • 19. Context unites different problem spaces… Looking at the whole picture: boundary, endpoint, infrastructure. From where? To what? To whom? Where an event occurs defines the first questions analysts ask. Placing the event in the right context is critical in reducing valuable analyst time during a security incident.
  • 20. Feedback: Don't forget to give us your feedback!
  • 21. Register for Cisco Live: www.ciscolive.com/us