Alessandro Monforte Cisco - SMAU Napoli 2017
•Download as PPTX, PDF•
1 like•470 views
Sicurezza: come proteggersi preventivamente da attacchi malware zero day
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Alessandro Monforte Cisco - SMAU Napoli 2017
Similar to Alessandro Monforte Cisco - SMAU Napoli 2017 (20)
More from SMAU
More from SMAU (20)
Recently uploaded
Recently uploaded (20)
Alessandro Monforte Cisco - SMAU Napoli 2017
- 1. + Protezione dai malware «zero day» Alessandro Monforte Regional sales manager, security cloud, Cisco Systems amonfort@cisco.com
- 2. Workplace desktops Business apps Critical infrastructure Business apps Salesforce, Office 365, DocuSign, etc. Branch office Critical infrastructure Amazon, Rackspace, Windows Azure, etc. Roaming laptops Internet IT today
- 3. Users and apps have adopted the cloud 49% of the workforce is mobile 82% admit to not using the VPN 70% increase in SaaS usage 70% of branch offices have DIA Security controls must shift to the cloud ,
- 4. Your security challenges Malware and ransomware Gaps in visibility and coverage Cloud apps and shadow IT Difficult to manage security
- 5. Our view of the internet 120B requests per day 15K enterprise customers 85M daily active users 160+ countries worldwide 3M+ daily new domain names Discover 70K+ daily malicious destinations Identify 7M+ malicious destinations while resolving DNS Enforce Our efficacy
- 6. SEA Attack on the NY Times and Twitter
- 7. OpenDNS Security Graph August 27, 2013 Malicious IP discovered, blocked
- 8. Wannacry?? Not with Umbrella ! From www.malwaretech.com:
- 9. Easy as 1-2-3 208.67.222.222 Cisco Umbrella 1 2 3 Configure network IP address on Umbrella Point DNS to Cisco Umbrella Enforce and report
- 10. Patient Zero Hit Defense Signatures Built Target Expansion Wide-Scale Prevalence Monitor Adaption Based on Results Domain Registration, IP, ASN Intel., Public / Private Announcements Reconnaissance and Infrastructure Setup Anatomy of a Cyber Attack
- 11. Defense Signatures Built Co-occurrence model Domains guilty by inference a.com b.com c.com x.com d.com e.com f.com time - time + Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe Possible malicious domain Possible malicious domain Known malicious domain
- 12. Spike rank model Patterns of guilt y.com DAYS DNSREQUESTS Massive amount of DNS request volume data is gathered and analyzed DNS request volume matches known exploit kit pattern and predicts future attack DGA MALWARE EXPLOIT KIT PHISHING y.com is blocked before it can launch full attack
- 14. What you can find with threat intelligence 50% Encountered APT (Advanced Persistent Threat) Across 200+ recent POVs: 82% Encountered ransomware 77% Encountered phishing 81% Encountered C2 callback 86% Encountered Angler 74% Encountered Locky
- 16. .01 .02 .03 .04
Editor's Notes
- Script Prior to the attack OpenGraphiti shows that each of these networks are disjoint, no sign of a redirect. Click for animation After the attack, you can see that traffic from each site is routed to the SEA IP We are able to map out all other known domains hosted at that same IP. One of which appears to be a paypal fishing site. Guilt by association helps us to confirm that this IP and it’s associated domains are locations we want to prevent our users from connecting to. After confirming that we are blocking nytimes for the right reaons, we were able to redirect users to the correct IP for nytimes.com Click for animation During the attack Rajiv Pant (VP of nytimes) tweeted to use OpenDNS as a workaround.