Global Threat Security Update, version 1.0
TRANSCRIPT
Agenda
• What and Where are Threats
• Threat Trends
• Year in Review
• Conclusion
• Who we are / How Cisco can help
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicBRKSEC 2001 2
What and Where are Threats
What? Where? Why?
What is a Threat? An indication or warning of probable trouble
Where are Threats? Everywhere you can, and more importantly, cannot think of
Why are there Threats?
• The almighty dollar (or euro): the underground cybercrime industry is a growth industry
• Political and nationalistic motivations
Examples of Threats
• Targeted Hacking
• Vulnerability Exploitation
• Malware Outbreaks
• Economic Espionage
• Intellectual Property Theft or Loss
• Network Access Abuse
• Theft of IT Resources
• Denial of Service
Areas of Opportunity
(Figure: the stack of attack surfaces, with an arrow labelled "moving up the stack" from the bottom layer to the top.)
• Users
• Applications
• Network Services
• Operating Systems
Operational Evolution of Threats
(Figure, shown twice in the original as a build slide: threat categories plotted against the maturity of policy, reaction and end-user awareness. Reconstructed from the axis labels.)
Threat Evolution: Emerging Threat → Unresolved Threat → Nuisance Threat
• Emerging Threat: "new", unknown, or problems we haven't solved yet
• Nuisance Threat: largest volume of problems; focus of most of day-to-day security operations
Policy and Process Definition: Reactive Process → Socialized Process → Formalized Process
Reaction (Mitigation Technology Evolution): Manual Process → Human "In the Loop" → Automated Response
Vertical axis: Operational Burden
End-User Awareness: No End User Knowledge → Know Enough to Call ("Help-Desk" Aware) → Increasingly Self-Reliant End User
Vertical axis: Support Burden
Threat Trends
Trends
• Evolution of intent
• The cybercrime industry
• Botnets
• Blended attacks / Next Generation Spam
• Phishing
• Port 80
• Web 2.0 abuse
Evolution of Intent
(Figure: timeline from 2003 to 2010 with the attackers' motive moving from notoriety and fame toward money; major media events are marked in the original.)
• Notoriety / Fame: Netsky, Bagle, MyDoom; SQL Slammer
• Money: Zotob; Conficker, ZeuS, Koobface
Cybercrime Industry: In the Past
(Figure: three columns, Writers → Asset → End Value.)
• Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans)
• Asset: Compromise Individual Host or Application; Compromise Environment
• End Value: Fame; Theft; Espionage (Corporate/Government)
Cybercrime Industry: Today
(Figure: five columns, Writers → Middle Men → First Stage Abusers → Second Stage Abusers → End Value, with "$$$ Flow of Money $$$" running across them. Items are listed by column as far as the extraction allows.)
• Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans)
• Middle Men: Hacker / Direct Attack; Machine Harvesting; Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Spyware; Internal Theft: Abuse of Privilege
• First Stage Abusers: Compromised Host and Application; Extortionist / DDoS-for-Hire; Spammers / Affiliates; Phishers; Pharmer / DNS Poisoning; Information Harvesting
• Second Stage Abusers: Information Brokerage; Identity Theft
• End Value: Fame; Theft; Espionage (Corporate/Government); Extorted Pay-Offs; Commercial Sales; Fraudulent Sales; Click-Through Revenue; Personal Information; Electronic IP Leakage; Financial Fraud
"Noise" Level
(Figure: "noise" level plotted against time, 2000 to 2008, with curves for Large Scale Worms, Public Awareness and Targeted Attacks.)
Cyber Crime Profit Level
(Figure: Illicit Dollars Gained plotted against time, 2000 to 2008, with curves for Targeted Attacks and Large Scale Worms.)
Source: ICR 2001, 2007
Botnets
Botnet: A collection of compromised machines running programs under a common command and control infrastructure
Building the Botnet: many, many malcode vectors
Controlling the Botnet: covert channel of some form; typically IRC or a custom IRC-like channel
• Historically have used free DNS hosting services to point bots to the IRC server
• Recent attempts to sever the command infrastructure of botnets have resulted in more sophisticated control systems
• Control services increasingly placed on compromised high-speed machines
• Redundant systems and blind connects are implemented for resilience (fast-flux)
Do you know if Bots are loose on your network?
See Infiltrating a Botnet: http://www.cisco.com/web/about/security/intelligence/bots.html
Source: www.wikipedia.com
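The slide's closing question, whether bots are loose on your network, has one practical answer in the resolver logs: the fast-flux control systems it describes rotate a name through many unrelated addresses on short TTLs, which is visible to anyone who keeps DNS query logs. The Python below is an added example, not from the deck or from Cisco, that profiles each queried name from constructed resolver log lines (the log format is hypothetical) and flags names that combine a short TTL with many answers spread across several /24 networks. A short TTL by itself is not a signal, since mail and CDN hosts use them too, so all three conditions must hold.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Hypothetical resolver log format (constructed for this example):
#   <timestamp> client=<ip> q=<name> A ttl=<seconds> ans=<answer ip>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) A ttl=(?P<ttl>\d+) ans=(?P<ans>\S+)$"
)

# Constructed sample: a normal web site, a normal low-TTL mail host, and one name whose
# answers hop between unrelated networks every couple of minutes.
SAMPLE_LOG = """\
2010-03-01T10:00:01 client=10.0.0.5 q=www.example.com A ttl=3600 ans=192.0.2.10
2010-03-01T10:00:09 client=10.0.0.8 q=www.example.com A ttl=3600 ans=192.0.2.11
2010-03-01T10:00:12 client=10.0.0.5 q=cc-relay.example.net A ttl=120 ans=198.51.100.17
2010-03-01T10:02:13 client=10.0.0.5 q=cc-relay.example.net A ttl=120 ans=203.0.113.41
2010-03-01T10:04:15 client=10.0.0.9 q=cc-relay.example.net A ttl=120 ans=192.0.2.77
2010-03-01T10:06:16 client=10.0.0.9 q=cc-relay.example.net A ttl=90 ans=198.51.100.200
2010-03-01T10:08:17 client=10.0.0.12 q=cc-relay.example.net A ttl=120 ans=203.0.113.9
2010-03-01T10:10:18 client=10.0.0.12 q=cc-relay.example.net A ttl=120 ans=192.0.2.140
2010-03-01T10:11:00 client=10.0.0.5 q=mail.example.org A ttl=60 ans=198.51.100.5
2010-03-01T10:12:00 client=10.0.0.8 q=mail.example.org A ttl=60 ans=198.51.100.6
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ttl"] = int(rec["ttl"])
            records.append(rec)
    return records


def profile_domains(records):
    """Aggregate per name: answer IPs, their /24 prefixes, querying clients, lowest TTL."""
    profiles = defaultdict(
        lambda: {"ips": set(), "prefixes": set(), "clients": set(), "min_ttl": None}
    )
    for r in records:
        p = profiles[r["qname"].lower().rstrip(".")]
        p["ips"].add(r["ans"])
        p["prefixes"].add(str(ip_network(r["ans"] + "/24", strict=False)))
        p["clients"].add(r["client"])
        p["min_ttl"] = r["ttl"] if p["min_ttl"] is None else min(p["min_ttl"], r["ttl"])
    return profiles


def flag_fast_flux(profiles, min_ips=5, max_ttl=300, min_prefixes=3):
    """Flag names that pair short TTLs with many answers spread across networks.
    Returns the flagged names with the internal clients that asked for them."""
    flagged = {}
    for name, p in profiles.items():
        if (len(p["ips"]) >= min_ips and p["min_ttl"] <= max_ttl
                and len(p["prefixes"]) >= min_prefixes):
            flagged[name] = {
                "unique_ips": len(p["ips"]),
                "prefixes": len(p["prefixes"]),
                "min_ttl": p["min_ttl"],
                "clients": sorted(p["clients"]),  # the hosts to look at first
            }
    return flagged


if __name__ == "__main__":
    for name, info in flag_fast_flux(profile_domains(parse_log(SAMPLE_LOG))).items():
        print(f"possible fast-flux name {name}: {info}")
```

The thresholds are starting points; on a real resolver log, tune them against a week of traffic and whitelist known CDN and mail domains before acting on the client list.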
Next Generation Spam
• Growing in sophistication: targeted; blending email and web
• New vectors include:
  • SMS vishing
  • IM SPAM (SPIM)
  • Extensive use of social engineering
• 3rd Generation SPAM doesn't embed malcode or links (please open service ports into your network)
• 50% of users still open SPAM or click links
Phishing and Its Variants
• Traditional phishing still in use
• Spear-phishing: targeted phishing attempts
  • IT Admins
  • Specific job roles
  • Specific companies
• Whaling: phishing attempts specifically targeting a high value target
  • C-level execs
Port 80: The New Internet
(Figure: traffic volume plotted against number of sites, a "Big Head" and a "Long Tail".)
• Big Head: 50% of traffic is "easy to classify": predictable traffic, recognized domains
• Long Tail: 50% of traffic is "hard to classify": 110M sites, growing 40% annually; a mixture of legitimate sites, spyware and malware
Malware Threat Distribution
(Figure: malware infections over time by vector, Email Vector and Web Vector.)
Malware infection vectors are shifting from email to web
Web 2.0 Abuse
• Commercial tools for account creation, posting, CAPTCHA* solving and IP rotation are readily available
• Targets popular sites and blogs including Gmail, Yahoo!, Twitter, Facebook and Craigslist
• Enables abuse of many services, including webmail account creation for spamming
*Completely Automated Public Turing test to tell Computers and Humans Apart.
What Does This Mean?
• Threats and criminals are faster, smarter and more covert
• Criminals have more vulnerabilities to exploit
• Criminals are evolving their techniques; users must stay current
Year in Review
Cisco Cybercrime ROI Matrix
Cybercrime Product of the Year!
Fake AV is 15% of all malware
"Antivirus XP has found 2794 threats. It is recommended to proceed with removal"
Criminal SaaS Offerings Expand
Service dedicated to checking if a malware executable is detectable by AV engines: (screenshot in original)
Cisco Cybercrime Showcase Winner: Most Audacious Criminal Operation
ZeuS
ZeuS: Banking Trojan prime example
"$10 million lost in one 24-hour period."
"…[C]riminals have used the Internet to steal more than $100 million from U.S. banks so far this year and they did it without ever having to draw a gun or pass a note to a teller…I've seen attacks where there's been $10 million lost in one 24-hour period."
- Sean Henry, an assistant director of the FBI in charge of the bureau's cyber division.
Automation of Targeted & Blended Attacks
Why ZeuS?
What Happened in Kentucky?
• County treasurer had ZeuS malware on his PC
• Criminals stole credentials and logged in to bank accounts from the treasurer's PC
• Reconnaissance used to plan the theft
• Mule recruitment via Careerbuilder.com
• Created mules as fictitious employees
• Mules received $9700 and sent $8700 to Ukraine via Western Union
• Transactions were wire transfers <$10,000
• Total of $415k stolen
Screen Injection
Your browser NOT on ZeuS: (screenshot)
Your browser on ZeuS: (screenshot)
Courtesy Silver Tail Systems
ZeuS Statistics
• 1329 C&C servers tracked by ZeuS Tracker
• Estimate of 1.6M bots in ZeuS botnets
• 960 estimated financial targets (85%)
• Top 5 US banks EACH targeted by over 500 ZeuS botnets (Cisco)
• 88% of Fortune 500 companies had data stolen by ZeuS (RSA)
• Smaller companies appear more impacted
Source: ZeuS Tracker - https://zeustracker.abuse.ch/
The Banking Trojans/Botnets
"FBI: Cyber Crooks Stole $40M From U.S. Small, Mid-Sized Firms"
"There may have been a handful of cases of this specific type of crime before 2009, but attacks like this and in this volume really only picked up toward the end of last year."
ZeuS, Ilomo (Clampi), URLzone:
• Compromise account credentials with trojans
• Transfer small <$10,000 increments
• Use 'money mules' to transfer funds
• Deposit in overseas accounts
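The pattern on this slide and the Kentucky case before it (stolen credentials, transfers kept under $10,000, freshly created "employees" as mules) is also what a bank or a treasury office can alert on from its own transfer records. The Python below is an added example, not from the deck or from Cisco, that runs a sliding-window check over constructed wire-transfer records: an account is flagged when several under-threshold transfers to recently added payees cluster inside 48 hours. The record fields, the 85% lower band and the seven-day "new payee" cutoff are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed wire-transfer records (hypothetical field names, not a real bank export).
# "payee_age_days" is how long the payee has existed in the online-banking profile.
TRANSFERS = [
    {"account": "treasury-ops", "payee": "payroll-vendor", "amount": 42000.00,
     "when": "2009-06-22T09:05:00", "payee_age_days": 900},
    {"account": "treasury-ops", "payee": "new-hire-a", "amount": 9700.00,
     "when": "2009-06-22T10:12:00", "payee_age_days": 1},
    {"account": "treasury-ops", "payee": "new-hire-b", "amount": 9700.00,
     "when": "2009-06-22T10:14:00", "payee_age_days": 1},
    {"account": "treasury-ops", "payee": "new-hire-c", "amount": 9700.00,
     "when": "2009-06-22T10:15:00", "payee_age_days": 0},
    {"account": "treasury-ops", "payee": "new-hire-d", "amount": 9700.00,
     "when": "2009-06-23T08:40:00", "payee_age_days": 1},
    {"account": "treasury-ops", "payee": "new-hire-e", "amount": 9200.00,
     "when": "2009-06-23T08:41:00", "payee_age_days": 0},
    # A long-standing contractor and a single new supplier: normal business, not flagged.
    {"account": "parks-dept", "payee": "contractor-a", "amount": 9500.00,
     "when": "2009-06-22T11:00:00", "payee_age_days": 400},
    {"account": "parks-dept", "payee": "new-supplier", "amount": 9900.00,
     "when": "2009-06-22T11:30:00", "payee_age_days": 2},
]

REPORTING_THRESHOLD = 10000.00  # the $10,000 line the slide's transfers stayed under


def is_structured(t, threshold=REPORTING_THRESHOLD, band=0.85):
    """True for amounts deliberately parked just below the threshold (assumed 85% band)."""
    return band * threshold <= t["amount"] < threshold


def detect_structuring(transfers, window_hours=48, min_count=3, new_payee_days=7):
    """Per account, find the densest window of under-threshold transfers to recently
    added payees. Returns one alert per account whose best window reaches min_count."""
    by_account = defaultdict(list)
    for t in transfers:
        by_account[t["account"]].append(dict(t, ts=datetime.fromisoformat(t["when"])))
    window = timedelta(hours=window_hours)
    alerts = {}
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r["ts"])
        suspects = [r for r in rows
                    if is_structured(r) and r["payee_age_days"] <= new_payee_days]
        best, start = [], 0
        for end in range(len(suspects)):           # sliding window over suspects only
            while suspects[end]["ts"] - suspects[start]["ts"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = suspects[start:end + 1]
        if len(best) >= min_count:
            alerts[account] = {
                "count": len(best),
                "total": round(sum(r["amount"] for r in best), 2),
                "payees": [r["payee"] for r in best],
            }
    return alerts


if __name__ == "__main__":
    for account, alert in detect_structuring(TRANSFERS).items():
        print(f"ALERT {account}: {alert['count']} transfers, ${alert['total']:,.2f} "
              f"to {', '.join(alert['payees'])}")
```

The check deliberately ignores the large payroll transfer: what distinguishes the mule pattern is not size but the combination of new payees, near-threshold amounts and timing, so a single large payment to a nine-hundred-day-old vendor is left alone.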
Web Reputation Hijacking: Legitimate Websites, Invisible Threats
• User has no visible indication of hidden code
• Hacked multiple times with exploit code
Employees Engage in Risky Behavior
• Unauthorized Application Use: 70% of IT say the use of unauthorized programs results in as many as half of data loss incidents.
• Misuse of Corporate Computers: 44% of employees share work devices with others without supervision.
• Unauthorized Access: 39% of IT said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
• Remote Worker Security: 46% of employees admit to transferring files between work and personal computers.
• Misuse of Passwords: 18% of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.
Social Networking: Opportunity and Vulnerability
• Business and network expansion
• Privacy, identity, IP protection
• The criminals are already there: Koobface spam invites, security warnings, tinyurls, transient trust, anonymized data reconstruction
• Social sites promote trust; Single Sign-on exploited to send malware
• Policy and User Awareness
Social Networking Exploits
• Most important communications tool of the decade. Builds on email, IM.
• Big crowds = big targets. Facebook hit 400M+ users in 2010
• …and criminals have automated how to best penetrate the networks we trust
Social Networking Single Sign-on Exploited
• 4,000+ accounts compromised
• Advertising also sold via phishing pages
Source: eSoft and lastwatchdog.com
Web Browser Vulnerabilities
• Browser vulns 8% of 3,100 total web application vulns
• Safari vulns mostly due to iPhone browser
Source: Cenzic Web Application Security Trends Report – Q1-Q2, 2009, Cenzic Inc
Malicious PDF Files
• Malicious PDF files comprised 80% of online exploits in Q4 2009, up from 56% in Q1 2009
• PoC PDF file executes embedded executable without exploiting a security vulnerability
• Ubiquity of Adobe Reader
• PDF perceived as a trusted file format
• Increase in vulnerabilities reported in Adobe products
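The point that a PDF can launch an embedded program through a document action, with no memory-corruption bug involved, is something a mail gateway or file scanner can check for directly, because the action and the embedded payload are ordinary PDF objects. The Python below is an added example, not from the deck or from Cisco: it scans a PDF's raw bytes for action and embedding name tokens, resolving the #xx hex escapes the PDF syntax allows inside names so that an obfuscated /Laun#63h still compares equal to /Launch. The two PDF byte strings are constructed samples, and the scanner only sees uncompressed object dictionaries, so a production version must also inflate FlateDecode streams and object streams before looking.

```python
import re

# Names worth flagging: actions that run code or open files, and embedded payloads.
RISKY_NAMES = ("/Launch", "/JavaScript", "/JS", "/EmbeddedFile",
               "/OpenAction", "/AA", "/RichMedia")

# A PDF name runs from '/' to the next whitespace or delimiter; '#xx' escapes may occur inside.
NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed minimal PDFs (not real samples): one plain page, and one whose catalog
# auto-runs a hex-escaped /Launch action and which carries an embedded file stream.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
LAUNCH_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n"
    b"4 0 obj<</Type/Action/S/Laun#63h/F(placeholder-program)>>endobj\n"
    b"5 0 obj<</Type/EmbeddedFile/Length 0>>stream\nendstream\nendobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)


def normalize_name(token):
    """Resolve PDF name hex escapes so /Laun#63h compares equal to /Launch."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf(data):
    """Count risky name tokens in the raw bytes of a PDF (uncompressed objects only)."""
    counts = {name: 0 for name in RISKY_NAMES}
    for m in NAME_TOKEN.finditer(data):
        name = normalize_name(m.group(0)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def assess(data):
    """Return (verdict, reasons, note): 'suspicious' when the file can run or drop
    something, with a note on whether an /OpenAction or /AA makes that automatic."""
    counts = scan_pdf(data)
    reasons = [n for n in ("/Launch", "/JavaScript", "/JS", "/EmbeddedFile", "/RichMedia")
               if counts[n]]
    automatic = counts["/OpenAction"] + counts["/AA"] > 0
    if reasons:
        return "suspicious", reasons, ("runs automatically on open" if automatic
                                       else "needs user interaction")
    return "clean", [], ""


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("launch", LAUNCH_PDF)):
        print(label, assess(pdf))
```

Counting tokens rather than grepping for literal strings is the whole point: a plain `grep /Launch` misses the escaped form, while the tokenizer plus normalization catches it and still ignores unrelated names such as /S or /F.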
Major Vulnerability Discovered in DNS
• July 2008, Dan Kaminsky announced a fundamental flaw in how DNS operates.
• Massive source port randomization multivendor patch released
• The flaw allowed an attacker to poison DNS records of any domain in a matter of seconds.
• This could lead to major DNS poisoning attacks; no need to "trick the user".
• DNSSEC solution; more later
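The reason the multivendor patch was about source ports is that a resolver using a fixed port leaves only the 16-bit transaction ID for a forger to match, whereas an unpredictable port multiplies the guess space by the size of the port range. The Python below is an added example, not from the deck or from Cisco: it sizes the two guess spaces and applies the kind of check you can run against the source ports of a resolver's outgoing queries to confirm the patch is actually in effect. The three port lists are constructed samples standing in for an unpatched fixed-port resolver, one that increments the port on every query (distinct ports but no randomness), and a patched one.

```python
import math
import random
from collections import Counter

TXID_VALUES = 2 ** 16            # 16-bit DNS transaction id
EPHEMERAL_PORTS = 65536 - 1024   # source ports available once the resolver randomises them


def guess_space(port_choices=1):
    """Combinations a forger must cover: txid alone, or txid times the port choices."""
    return TXID_VALUES * port_choices


def assess_port_randomness(ports, min_distinct_ratio=0.9):
    """Judge a sample of outgoing query source ports observed from one resolver.
    A fixed port or a constant-step sequence adds no entropy, however many ports it uses."""
    n = len(ports)
    counts = Counter(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    steps = {b - a for a, b in zip(ports, ports[1:])}
    sequential = n > 2 and len(steps) == 1          # e.g. +1 per query, or +0 (fixed)
    poor = len(counts) < min_distinct_ratio * n or sequential
    return {
        "samples": n,
        "distinct": len(counts),
        "entropy_bits": round(entropy, 2),
        "sequential": sequential,
        "verdict": "POOR" if poor else "GOOD",
    }


# Constructed samples (not real captures).
FIXED_PORT = [53] * 20
SEQUENTIAL_PORT = list(range(32768, 32788))
RANDOM_PORT = random.Random(2008).sample(range(1024, 65536), 20)

if __name__ == "__main__":
    print("guess space, fixed port:      ", guess_space())
    print("guess space, randomised port: ", guess_space(EPHEMERAL_PORTS))
    for label, sample in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT),
                          ("random", RANDOM_PORT)):
        print(label, assess_port_randomness(sample))
```

Twenty samples cannot prove a resolver is drawing from the full port range; the check is meant to catch the two bad cases cheaply (repeated or stepping ports), after which a larger capture, or the resolver's own configuration, settles the question.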
Uptick in DDoS Attacks
• Sourced from BotNets; think DDoS as a Service (DDaaS)
• Diverse targets disrupting service to millions of customers
  • Cloud computing provider
  • Web hosting provider
  • Security provider
  • DNS registrar
  • Telecom provider
• Targeting DNS to amplify attacks
• 40 Gbps seen
• Not extortion attempts
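Using DNS to amplify an attack shows up at the victim as large UDP responses from port 53 arriving from many servers the victim never queried, because the queries were sent with the victim's address forged as the source. The Python below is an added example, not from the deck or from Cisco, that summarises constructed flow records (source, source port, destination, destination port, bytes; a hypothetical collector format) per internal host and flags hosts whose inbound DNS-response bytes dwarf their outbound query bytes, reporting how many distinct servers are reflecting.

```python
from collections import defaultdict

# Constructed UDP flow records in a hypothetical collector format (not real traffic):
# (source ip, source port, destination ip, destination port, bytes).
NORMAL_FLOWS = [
    ("10.1.1.20", 40123, "192.0.2.53", 53, 70),     # ordinary query out ...
    ("192.0.2.53", 53, "10.1.1.20", 40123, 180),    # ... and its answer back
    ("10.1.1.20", 40124, "192.0.2.53", 53, 70),
    ("192.0.2.53", 53, "10.1.1.20", 40124, 180),
    ("10.1.1.20", 40125, "192.0.2.53", 53, 70),
    ("192.0.2.53", 53, "10.1.1.20", 40125, 180),
]
# Reflected traffic: five resolvers each deliver three ~3 kB answers to 10.1.1.80,
# which sent no queries at all.
REFLECTED_FLOWS = [
    (f"198.51.100.{i}", 53, "10.1.1.80", 1024 + i, 3000)
    for i in range(1, 6) for _ in range(3)
]
FLOWS = NORMAL_FLOWS + REFLECTED_FLOWS


def summarize_dns_udp(flows, internal_prefix="10."):
    """Per internal host: bytes of DNS responses received, bytes of DNS queries sent,
    and the set of servers that sent responses."""
    per_host = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "servers": set()})
    for src, sport, dst, dport, nbytes in flows:
        if sport == 53 and dst.startswith(internal_prefix):      # response arriving
            per_host[dst]["in_bytes"] += nbytes
            per_host[dst]["servers"].add(src)
        elif dport == 53 and src.startswith(internal_prefix):    # query leaving
            per_host[src]["out_bytes"] += nbytes
    return per_host


def flag_amplification(per_host, min_in_bytes=10000, min_ratio=10.0):
    """Flag hosts receiving far more DNS response bytes than they sent in queries.
    A host that never queried has out_bytes 0, so the ratio is taken against 1 byte."""
    flagged = {}
    for host, h in per_host.items():
        ratio = h["in_bytes"] / max(h["out_bytes"], 1)
        if h["in_bytes"] >= min_in_bytes and ratio >= min_ratio:
            flagged[host] = {
                "in_bytes": h["in_bytes"],
                "out_bytes": h["out_bytes"],
                "ratio": round(ratio, 1),
                "servers": len(h["servers"]),
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_amplification(summarize_dns_udp(FLOWS)).items():
        print(f"possible DNS reflection toward {host}: {info}")
```

The byte thresholds are scaled for the toy sample; on a real link the minimum should be set from a baseline of normal DNS volume per host, and the server count is what separates reflection from a single chatty resolver.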
Exploiting Cisco Routers
• January 2009, security researcher "FX" presented a paper on efforts to exploit Cisco routers with minimal knowledge about the router itself
• Previously, detailed knowledge about image version and configuration was needed
• Andy Davis' IODIDE custom debugger for IOS
• All require an enabling vulnerability
Cisco Routers
• In the past, people didn't worry about Cisco vulnerabilities as they hadn't been shown to be exploitable
• FX's work takes exploiting Cisco routers one step closer
• Now is the time to take updating IOS seriously (if you don't already)
• Cisco IOS Image Verification: http://cisco.com/web/about/security/intelligence/iosimage.html
Intellectual Property Leakage
• Marine One classified data found on computer in Iran
  • Avionics info and radar and missile defense schematics
  • P2P blamed
• UK Ministry of Defence reported 347 losses of protected information in 2009
  • Increased awareness of need to report losses
  • Better data management and auditing of data and media
  • Secret info leaked 16 times over 18 months via social networking
• 3,000 Health Care related files, including personally identifying info on 1,000's of patients, shared on P2P networks
Conclusions
• Attackers are always modifying their methods
• Users are the main focus of attacks
• Attackers follow the money
• Major systems (DNS, Internet PKI) have flaws; nothing is perfect
• Blended attacks are numerous and evolving
Recommendations
• User education and security awareness training are critical
• Keep an eye on "old problems" while being vigilant about new risks
• Never underestimate the insider threat
• Develop strong (and realistic) policies for protecting sensitive data
• Security must move at the speed of crime