Cyber Security and Cisco Security Update
Kevin Switzer – Technology Consultant, Ingram Micro
Bill O’Malley – Technical Solutions Architect, Cisco Systems
1405002 rev 6.27.14
Proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.
Security Resources
Verizon Data Breach Report:
https://enterprise.verizon.com/resources/reports/dbir/
Cisco Cyber Security Report Series:
https://www.cisco.com/c/en/us/products/security/security-reports.html
Cisco Threat of The Month:
https://www.cisco.com/c/en/us/products/security/threat-of-the-month.html
Brian Krebs always puts out great articles:
https://krebsonsecurity.com/
A variety of good resources available at TALOS intelligence:
https://talosintelligence.com
‘Beers with TALOS’ podcast:
https://talosintelligence.com/podcasts
FBI InfraGard:
https://www.infragard.org/
MSSP Alert:
https://www.msspalert.com
Naked Security:
https://nakedsecurity.sophos.com
Cyberheist News:
https://www.knowbe4.com/cyberheistnews
Wired:
https://www.wired.com/category/security
CyberTalk.org:
https://www.cybertalk.org/
Agenda
• Threat Update
− DNS Hijacking
− Email – Malware highway
− Office 365 Phishing
− Encrypted Traffic Threats
• Best Practice Security Strategies
− Minimum requirements
− Advanced Kill Chain
• Cisco
− TALOS – Threat Research Division
− CTR – Cisco Threat Response
− Threat Hunting Workshop
− Cisco SecureX
DNS Hijacking
o These DNS attacks do not go directly after the user
- They attack the ‘librarian’: the DNS service that maps names to addresses
o The attack comes down to altering the route to a legitimate website so that it leads to a malicious one
- You ask for the IP address of a particular website, but the DNS records have been changed to answer with the attacker’s address
DNS Hijacking – How This Happens
o The DNS administrator is targeted by phishing and gives up his or her credentials; the attackers then log into the DNS interface and change the site’s IP address(es).
o The DNS hosting interface, where records are managed and updated, is now accessible to the attacker, allowing them to change any record for the domain.
o They build a fake site that mimics the site users thought they were accessing
o Sea Turtle - 40 organizations in 13 countries affected in 2019
o You can’t typically blame the person that ‘clicked’
o To protect yourself:
- Implement DNS Security
- Require MFA for DNS record changes
- Use tools such as BGPmon or Cross Network Insights to monitor for DNS hijacking attempts.
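The monitoring step above, as an added example that is not from the slides or from any Cisco or Ingram Micro tool: a baseline comparison that flags the record changes a hijacker makes (A records moved to a new host, NS records handed to an unknown nameserver). All domain names, addresses and nameservers are constructed sample values.

```python
# Added illustration: compare live DNS answers against an approved baseline.
# Every name, IP and nameserver here is constructed, not a real zone.
from typing import Callable, Dict, Iterable, List, Set

Snapshot = Dict[str, Dict[str, Set[str]]]  # name -> record type -> values

# Constructed baseline: what the zone should contain, captured after the last
# authorized (MFA-protected) change.
BASELINE: Snapshot = {
    "example.test": {"NS": {"ns1.example.test.", "ns2.example.test."}},
    "www.example.test": {"A": {"203.0.113.10"}},
    "mail.example.test": {"A": {"203.0.113.25"}, "MX": {"mail.example.test."}},
}

# Constructed answers standing in for a hijacked zone: one NS record now points
# at an attacker-controlled nameserver and www resolves to a look-alike host.
HIJACKED_ANSWERS = {
    ("example.test", "NS"): {"ns1.example.test.", "ns-rogue.invalid."},
    ("www.example.test", "A"): {"198.51.100.77"},
    ("mail.example.test", "A"): {"203.0.113.25"},
    ("mail.example.test", "MX"): {"mail.example.test."},
}

def observe(baseline: Snapshot, resolve: Callable[[str, str], Iterable[str]]) -> Snapshot:
    """Query every baseline name/type through resolve(name, rtype) -> values."""
    return {name: {rtype: set(resolve(name, rtype)) for rtype in types}
            for name, types in baseline.items()}

def diff_records(baseline: Snapshot, observed: Snapshot) -> List[str]:
    """One alert per name/type whose live values differ from the baseline.
    NS changes are HIGH: they hand the whole zone to the new nameserver."""
    alerts = []
    for name, types in baseline.items():
        for rtype, expected in types.items():
            seen = observed.get(name, {}).get(rtype, set())
            if seen != expected:
                sev = "HIGH" if rtype == "NS" else "MEDIUM"
                alerts.append(f"{sev} {name} {rtype}: expected {sorted(expected)}, saw {sorted(seen)}")
    return alerts

def check_zone(baseline: Snapshot = BASELINE, resolve=None) -> List[str]:
    """Run one monitoring pass; defaults to the constructed hijacked answers.
    In production, resolve would wrap a real resolver query against the zone."""
    resolve = resolve or (lambda n, t: HIJACKED_ANSWERS.get((n, t), set()))
    return diff_records(baseline, observe(baseline, resolve))

if __name__ == "__main__":
    for line in check_zone():
        print(line)
```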
Email – ‘Malware Highway’
According to the Verizon Data Breach Report, email is the delivery channel for:
- 92% of malware distribution
- 96% of phishing
Binary files are just 2% of malware attachments (.exe, now also Java and Flash)
- Users are much more aware of these
- Easier to detect
The most common attachment types are simply the types that are sent around the office on a regular day: two in every five malicious files are Microsoft Office documents.
Office 365 Phishing
The email appears to come from Microsoft. It says that your Office 365 email address will be disconnected due to errors or policy violations. The only way to prevent this from happening is by verifying the address at the provided link.
This is an attempt to phish Office 365 credentials. The emails and URLs used may even look like something you’d expect to find surrounding Office 365.
Identity Theft (300% increase in Microsoft user accounts attacked)
Encrypted Traffic Is Increasing Rapidly
[Chart: Encrypted Web Traffic, 2016 (50%) vs 2019 (75%), 0%–80% scale]
Source: “TLS/SSL: Where Are We Today?”, NSS Labs, October 2018
• Enterprises a few years ago saw 40% – 50% of all web traffic as encrypted
• That number increased to 75% by end of 2019
• 97% of surveyed enterprises are seeing an increase in encrypted web traffic
• 30-40% of attacks are now encrypted
• Encrypted Traffic Analytics
Threats in Encrypted Traffic
Encryption is a technique used by attackers to avoid being detected by network monitoring tools
For example: banking trojans encrypt the data they’re exfiltrating
Can be detected through a technique called traffic fingerprinting
- Looks for known patterns associated with malicious activity
- However, skilled attackers will insert random dummy packets to bypass it
The best solution is Encrypted Traffic Analytics
- Uses machine learning and behavioral modeling to detect threats
- Does this without decryption (some regulations require that traffic not be decrypted)
- Cisco Stealthwatch Enterprise offers this feature; Stealthwatch Cloud in future
- 63% of all threat incidents discovered by Stealthwatch were encrypted
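To make the fingerprinting-versus-behavior argument concrete, here is an added example that is not from the slides and is not Cisco’s Encrypted Traffic Analytics: a brittle packet-length fingerprint next to a simple behavioral check, both working on flow metadata only, with no payload decryption. The flow records, the “known-bad” length sequence and the thresholds are all constructed for illustration.

```python
# Added illustration: detection on encrypted-flow metadata, two ways.
# All flows, the signature and the thresholds below are constructed.
import statistics
from typing import Dict, List, Sequence

# A flow as a NetFlow-style collector might export it (metadata only):
# (start_seconds, bytes_out, bytes_in, lengths_of_first_packets)
Flow = tuple

# Constructed signature: the packet-length sequence a fingerprinting tool
# associates with a hypothetical banking trojan's TLS handshake.
KNOWN_BAD_SEQUENCE = [517, 1460, 1200, 76]

def fingerprint_match(first_packet_lengths: Sequence[int],
                      signature: Sequence[int] = KNOWN_BAD_SEQUENCE) -> bool:
    """Exact prefix match: one inserted dummy packet shifts the sequence."""
    return list(first_packet_lengths[:len(signature)]) == list(signature)

def behavioral_score(flows: List[Flow], period_tolerance: float = 0.1,
                     upload_ratio: float = 3.0) -> Dict[str, bool]:
    """Score how the flows behave over time rather than what they look like.
    periodic_callbacks: connection starts repeat with little jitter (a
    command-and-control trait). upload_heavy: far more bytes leave than
    return (the shape of exfiltration). Neither needs the plaintext."""
    starts = sorted(f[0] for f in flows)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    periodic = (len(gaps) >= 3 and statistics.mean(gaps) > 0 and
                statistics.pstdev(gaps) / statistics.mean(gaps) < period_tolerance)
    out_bytes = sum(f[1] for f in flows)
    in_bytes = sum(f[2] for f in flows)
    upload_heavy = out_bytes > upload_ratio * max(in_bytes, 1)
    return {"periodic_callbacks": periodic, "upload_heavy": upload_heavy,
            "suspicious": periodic and upload_heavy}

# Constructed sample: ordinary browsing (irregular timing, download heavy) ...
BROWSING_FLOWS = [(0, 1500, 90000, [517, 1460, 1460, 900]),
                  (7, 900, 45000, [517, 1460, 700]),
                  (33, 1200, 120000, [517, 1460, 1460, 1460]),
                  (140, 800, 30000, [517, 1100]),
                  (145, 1000, 60000, [517, 1460, 1300])]
# ... and a trojan beaconing every 60 s with a dummy packet padded into each
# handshake (so the fingerprint no longer lines up) while uploading stolen data.
TROJAN_FLOWS = [(t, 480000, 2000, [517, 64, 1460, 1200, 76])
                for t in (0, 60, 120, 180, 240)]

if __name__ == "__main__":
    print("fingerprint on padded trojan:", fingerprint_match(TROJAN_FLOWS[0][3]))
    print("behavior on trojan:", behavioral_score(TROJAN_FLOWS))
```

The padded handshake defeats the prefix match, but the beacon period and the upload ratio are untouched by padding, which is the property behavioral modeling relies on.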
Security Best Practices
Frank Abagnale – FBI Consulting Agent
• Assumed several false identities including:
− airline pilot, physician, U.S. Bureau of Prisons agent, lawyer
• Cashed $2.5 million worth of fraudulent checks
• Took more than 250 free flights
• Movie based on his cons – Catch Me If You Can
• TV Show – White Collar
• Has been working with the FBI for 43 years now
− First 20 years on forgery and bank fraud
− 20+ years in cyber security
“Hackers I have interviewed say 99% of networks are not hackable, due to good security in place.”
“They have to wait until someone makes a mistake. Until someone does something they should not have done. Or, someone failed to do something they were supposed to do.”
“Hackers do not cause breaches, people do.”
“Attackers will typically make at least two phone calls to their target.”
Bare Minimum Requirements
• NGFW
− NGIPS
− Properly configured policies
• Signature based Anti Virus/Anti Malware
• Secure Email Solution
− On Prem or Cloud
• Consider upgrading
− Gen 1 Firewalls
− Legacy AV lacking AM capabilities
− CASB if using cloud services
Cisco Defense against the “Kill Chain”
[Figure: kill chain stages (Recon, Stage, Target, Breach, Launch, Exploit, Install, Compromise, Callback, Persist) mapped to End-to-End Infrastructure Defense controls: NGIPS, NGFW, Flow Analytics, Network Anti-Malware, Host Anti-Malware, DNS Security, Web Security, Threat Intelligence]
[Slide images: “Too many of these guys” / “Not enough of these guys”]
Too Many Noisy Alerts
A U.S. Natural Gas Operator Shuts Down for 2 Days After a Phishing Attack Infects it With Ransomware
• https://blog.knowbe4.com/cyberheistnews-vol-10-9-a-u.s.-natural-gas-operator-shuts-down-for-2-days-after-a-phishing-attack-infects-it-with-ransomware
• https://www.bbc.com/news/technology-51564905
“It was so severe in part because the organization was not prepared for such an attack.” - DHS statement
The DHS said the affected organization had not properly prepared for a cyber-attack of this kind, with its emergency plans being focused on all sorts of physical attacks instead.
"Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyber-attacks,"
Feb 19, 2020
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Bill O’Malley – Technical Solutions Architect – Security
Cisco Threat Response (CTR)
Breach Defense
The Quantitative Impact of Data Breaches
• 7B Records
• $4M Avg Cost of a Breach
• 14 Seconds
• 89% Breached by 2022
• 66 Days to Contain
Year in Malware 2019
Challenge: Time – “Give my team time back. And help us work together faster.”
Challenge: Expertise – “My team can’t be experts on every threat. Give us answers at our fingertips.”
Challenge: Evidence – “We can’t dig for answers. Give us one place to find answers across all our tools.”
Personal wins
Cisco Threat Response Is Included With Select Cisco Security Product Licenses
You’re Already Entitled to Threat Response If You Have...
• Cisco Email Security
• Cisco NGFW/NGIPS
• Cisco AMP for Endpoints
• Cisco Umbrella
• Cisco Threat Grid
• Cisco Stealthwatch
Threat Hunting Workshops
Audience: Technical Presales/SEs, Architects
• Hosted on-site at your partner or Cisco office locations
• Learn concepts and techniques of threat hunting using unified, cloud-hosted tools
• Labs provide an easy-to-follow, step-by-step guide to understanding today's threat landscape
Workshop Dates:
• April 27: Pewaukee, WI
• April 28: Appleton, WI
Stop by the Cisco Booth for a CTR Demo. Questions?