© 2012 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
See No Evil, Speak No Evil, Hear Plenty About Evil: Using Visibility and Intelligence to Secure your Business
Darren Anstee
Solutions Architect Team Leader, Arbor Networks
Stuxnet (Cyberwar)
Flame
Sony
LulzSec
Anonymous
Banking Attacks
Aurora
Shamoon
The New Global & Advanced Threat Landscape
Advanced Security Threats
Multi-Stage Multi-Vector
Advanced Threats – Overview
• What Are They?
‒ Target a specific organisation or vertical over a period of time to achieve a specific goal
‒ Co-ordinated activity & resources within the attacking entity
‒ Use new, modified and / or combinations of attack vectors & methodologies to avoid & evade detection and achieve goal
• Are They (Really) New?
‒ No, they are just focused & resourced hacking.
‒ Goals are varied but have not changed – service disruption, data or IP theft, fraud.
‒ Motivations include industrial or state sponsored espionage, organised crime, ideological hacktivism, competitive advantage
Advanced Threats – DDoS is Just One Attack Vector
• Aimed at disrupting an organisation's online presence or service
‒ Broad spread of organisations are reliant on the Internet to sell products, offer services or access cloud based data and applications.
• Common features
‒ Organized DDoS ‘campaigns’
‒ No longer JUST packet blasts
‒ Combinations of sophisticated and unsophisticated attack tools
• Goal can be disruption or distraction
‒ Wide range of motivations
[Chart: DDoS Attack Motivations, from the Arbor Worldwide Infrastructure Security Report, 8th annual. Motivation categories surveyed: Political/ideological disputes; Online gaming-related; Nihilism/vandalism; Unknown; Demonstrating capability; Social networking-related; Inter-personal/inter-group r...; Misconfiguration/accidental; Competitive rivalry; Diversion; Criminal extortion attempts; Flash crowds; Financial market manipula...; Intra-criminal disputes]
Advanced Threats – DDoS Evolution
[Chart: attack complexity against attack scale (Gbps, log axis from 1 to 1000), 2005 to 2012. Tools and vectors plotted, in order of appearance: Crafted State Exhaustion; Slowloris; LOIC & Variants; ApacheKiller; RefRef; Multi-vector; HTTP GET / POST Floods; Malformed HTTP; THC-SSL; DC++; Multi-vector ++; Kamikaze / Brobot / Amos; RUDY]
Advanced Threats – DDoS Evolution
• Big rise in proportion of WISR respondents seeing multi-vector attacks
‒ Up from 27% (2011) to 45.8% (2012)
‒ Most effective attacks target limitations in network perimeter & cloud based defenses
‒ Hardest to mitigate and generally require layered defenses
[Chart: Multi-Vector Attacks Observed By Respondent (Yes / No / Don't Know), from the Arbor Worldwide Infrastructure Security Report, 8th annual]
Advanced Threats – Multi-Stage, Multi-Vector DDoS
• Izz ad-Din al-Qassam Cyber Fighters attacks on the US financial sector in Q4 2012
• Compromised PHP, WordPress, & Joomla servers
• Multiple concurrent attack vectors
‒ GET and POST app layer attacks on HTTP and HTTPS
‒ DNS query app layer attack
‒ Floods on UDP, TCP SYN floods, ICMP & other IP protocols
• Unique characteristics of the attacks
‒ Very high packet per second rates per individual source
‒ Attacks on multiple companies in same vertical
‒ Real-time monitoring of effectiveness
‒ Agility in modifying attack vectors when mitigated
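The campaign described above mixed application-layer request floods with network-layer floods and changed vectors as each was mitigated, so the first job of a monitoring system is to tell, per second, which vectors are live and which sources are driving them. The following is an added example written for this page, not Arbor code and not from the original deck: it buckets packet summaries into vectors per one-second window, declares the attack multi-vector when more than one vector exceeds a rate threshold, and picks out sources with unusually high packets-per-second. The packet record format, the documentation-range addresses and the thresholds are all assumptions for illustration.

```python
"""Added illustration: bucket packet summaries into DDoS vectors per one-second
window and flag high packets-per-second sources.  Not Arbor code; the record
format, IP addresses (RFC 5737 ranges) and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float     # capture time in seconds
    src: str      # source IP as seen on the wire (may be spoofed)
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for icmp)
    info: str     # TCP flags ("S"), HTTP method ("GET"/"POST"), DNS qtype, or ""


def classify(pkt: Pkt) -> str:
    """Map one packet to the attack vector it would contribute to."""
    if pkt.proto == "icmp":
        return "icmp_flood"
    if pkt.proto == "udp":
        return "dns_query" if pkt.dport == 53 else "udp_flood"
    if pkt.proto == "tcp":
        if pkt.info == "S":                      # bare SYN: state exhaustion
            return "syn_flood"
        if pkt.dport in (80, 443) and pkt.info in ("GET", "POST"):
            return "http_" + pkt.info.lower()    # application-layer request flood
        return "tcp_other"
    return "other"


def analyse(pkts, window=1.0, vector_pps=200, source_pps=100):
    """Return active vectors, whether the attack is multi-vector, and hot sources.

    A vector is 'active' when it exceeds vector_pps in any window; a source is
    'hot' when it alone exceeds source_pps in any window.  Thresholds here are
    illustrative and far below real-world attack rates."""
    per_vector = defaultdict(Counter)   # window index -> Counter of vectors
    per_source = defaultdict(Counter)   # window index -> Counter of sources
    for p in pkts:
        w = int(p.ts // window)
        per_vector[w][classify(p)] += 1
        per_source[w][p.src] += 1
    active, hot = set(), set()
    for w in per_vector:
        for vec, n in per_vector[w].items():
            if vec not in ("tcp_other", "other") and n / window >= vector_pps:
                active.add(vec)
        for src, n in per_source[w].items():
            if n / window >= source_pps:
                hot.add(src)
    return {"vectors": sorted(active),
            "multi_vector": len(active) > 1,
            "hot_sources": sorted(hot)}


def burst(src, proto, dport, info, count, t0=0.0):
    """Constructed traffic: `count` packets from one source spread over one second."""
    return [Pkt(t0 + i / count, src, proto, dport, info) for i in range(count)]


# Constructed sample resembling the mix described on the slide.
SAMPLE = (
    burst("198.51.100.7", "tcp", 80, "GET", 400)     # HTTP GET flood from one bot
    + burst("198.51.100.9", "udp", 53, "ANY", 300)   # DNS query flood
    + burst("203.0.113.4", "tcp", 443, "S", 250)     # SYN flood
    + [Pkt(0.5, "192.0.2.10", "tcp", 443, "GET")]    # one legitimate request
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Per-source packet rates are only meaningful for vectors whose source addresses are real: an HTTP GET/POST flood needs a completed TCP handshake, which is why compromised web servers show up with the very high per-source rates the slide mentions. SYN, UDP and ICMP flood sources are routinely spoofed, so mitigation for those keys on rate and destination rather than on the source list this example produces.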
Advanced Threats – Advanced Persistent Threats (APTs)
• APT is the Hot Topic in Information Security
‒ Aurora (2009) brought the term into the mainstream
‒ An APT campaign actually combines a number of individual threats and techniques
• APT have Common Features
‒ Defined goal, not opportunistic
‒ Stealthy infiltration, horizontal propagation
‒ Obfuscate trail, to ensure continued compromise
‒ Multiple tools / tactics used throughout campaign
‒ Significant resources required over an extended period
• APT Component Parts: Are They Advanced?
‒ Many are off-the-shelf malware dev kits, though some malware is built from the ground up
‒ Spear phishing & social engineering
‒ Dropping an infected USB key in the car park / smoking area, etc.
APT Attack Targets & Methodology
• Who are the targets?
‒ Governments
Economic offices, military, diplomatic corps, etc. – anyone working overseas. Outside government contractors, advisors (e.g. academic scholars)
‒ Private sector & commercial
Multinational businesses – aerospace, energy, pharmaceutical, finance, technology,
[Chart: Corporate Network Security Concerns (0% to 60% scale), from the Arbor Worldwide Infrastructure Security Report, 8th annual]
‒ 21.7% of respondents to the WISR survey experienced an APT of some kind on their non-service-providing networks in 2012
‒ But over 50% are concerned they might be targeted in the next 12 months
Recent APT Malware & Attack Examples
• Xtreme RAT – 2012
‒ Remote Access Trojan (RAT) that let attackers steal data remotely from infected machines. The spear-phishing e-mails targeted US and Israeli government institutions.
• Shamoon – 2012
‒ Malware executable spread using network shared drives. Corrupts files and wipes the device's boot blocks at a specified date.
‒ A group calling itself "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 Saudi Aramco workstations, after which the company spent a week restoring its services
Advanced Threats – Multi-Stage, Multi-Vector Attack Example
LulzSec, an offshoot of the Anonymous collective, launched a DDoS attack using Low Orbit Ion Cannon (LOIC) that camouflaged a data breach affecting up to 100 million customers.
Sony estimated more than $170M (USD) in losses due to the attack, while stock analysts expected losses greater than $1B (USD). The hackers were caught and pleaded guilty.
How Should We Defend Ourselves?
• Broad and deep visibility are needed to understand attack traffic and malware behaviors.
‒ We need to be able to SEE what is happening outside and inside our networks.
• Research based actionable intelligence and reputation information are needed.
‒ We need to HEAR about what is going on out there, so that we can leverage the research capabilities within the industry to protect ourselves.
• Intelligent, pinpoint mitigation and detailed forensics
‒ We need to stop threats to protect the availability of our on-line presence / access and ensure that entities within our networks cannot export data / contact known bad actors
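The three points above amount to one workflow on the outbound side: see which internal hosts talk to the outside, match that against intelligence about known bad actors, and stop hosts that are beaconing or exporting data. The following is an added example written for this page, not Arbor code and not part of the original deck: it correlates constructed flow and DNS records with a hypothetical reputation feed and flags hosts that contact a listed address or domain, or that push an unusual volume of bytes out of the network. The feed entries, flow format, addresses (documentation and private ranges) and the volume threshold are assumptions for illustration.

```python
"""Added illustration of the 'hear about it and stop it' step: match outbound
traffic against a reputation list and flag hosts exporting unusual volumes.
Not Arbor code; the indicator feed, flow format, addresses (RFC 5737 / RFC 1918
ranges) and threshold are assumptions for illustration."""
import ipaddress
from collections import defaultdict

# Hypothetical reputation feed: the kind of intelligence a research team would
# publish.  Entries are constructed for this example, not real indicators.
BAD_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]
BAD_DOMAINS = {"update-check.example", "cdn-assets.example.net"}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # what counts as 'inside'


def ip_is_bad(ip_str: str) -> bool:
    """True when the address falls inside any listed network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in BAD_NETS)


def domain_is_bad(name: str) -> bool:
    """True when the name, or any parent domain of it, is listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def review(flows, dns_queries, exfil_bytes=50_000_000):
    """Correlate flow and DNS records with the feed.

    flows: (internal_src, dst_ip, dst_port, bytes_sent_by_src)
    dns_queries: (internal_src, queried_name)
    Returns sorted (alert_type, host, detail) tuples."""
    alerts = []
    out_bytes = defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if ipaddress.ip_address(dst) in INTERNAL:
            continue                     # east-west traffic is not an export
        out_bytes[src] += nbytes
        if ip_is_bad(dst):
            alerts.append(("c2_contact", src, f"{dst}:{dport}"))
    for src, qname in dns_queries:
        if domain_is_bad(qname):
            alerts.append(("bad_domain", src, qname))
    for src, total in out_bytes.items():
        if total >= exfil_bytes:         # crude per-host outbound volume baseline
            alerts.append(("exfil_volume", src, total))
    return sorted(alerts)


# Constructed sample records.
FLOWS = [
    ("10.1.1.20", "10.1.2.5", 445, 3_000_000),        # internal share: ignored
    ("10.1.1.20", "203.0.113.55", 443, 80_000_000),   # large upload to listed net
    ("10.1.1.31", "192.0.2.8", 443, 120_000),         # ordinary browsing
    ("10.1.1.31", "198.51.100.77", 8080, 900),        # small beacon to listed IP
]
DNS = [
    ("10.1.1.31", "www.update-check.example"),        # subdomain of listed name
    ("10.1.1.40", "docs.example.org"),                # clean
]

if __name__ == "__main__":
    for alert in review(FLOWS, DNS):
        print(alert)
```

Two practical caveats: the DNS match is deliberately applied to parent domains, because malware usually resolves a host under a listed domain rather than the bare name, and a fixed byte threshold is only a stand-in for the per-host baseline that behavioural detection would learn over time. Reputation feeds also age and share address space with legitimate hosting, so a single hit is a lead for the forensics step, not proof on its own.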
The Solution to Stop Advanced Threats
Internet & Enterprise Visibility
Security Intelligence
Threat Protection
A World-Class Research Team (ASERT) Analysing the World’s Internet Traffic (ATLAS) to Stop Emerging Advanced Threats
Know the Network Find the Threat Protect the Business
Built on Global Network Visibility & Security Intelligence
Arbor’s Enterprise Solution Overview
Arbor Pravail Products
DDoS Protection & Cloud Signaling
Inbound Botnet Blocking (AIF)
Activity Based Detection (ATF)
Behavioral Based Detection
Identity Tracking & Forensics
Application Intelligence
Advanced Threat Landscape
DDoS
Botnets
Advanced Malware (0-Day, Stealthy)
Insider Threats to Steal Data
Mobile Devices & BYOD
Dynamic Applications
Availability Protection: Stop inbound DDoS attacks as well as botnets
Security Intelligence: Visibility and intelligence to monitor and identify misuse of critical applications and sensitive systems
Network Situational Awareness: Risk profiling of threats and alerts with intelligence to understand the context of the activity that created the alert
Arbor’s Enterprise Products are Designed for Today’s Advanced Threat Landscape