We’re BACK! - ThreatSTOP | Operationalized Threat...


Slide 1 (9/17/2009)
ThreatSTOP Confidential – Do Not Reproduce

We’re BACK!

Tom Byrnes, Founder & CEO
760.402.3999
[email protected]

Slide 2

Manual Processes

GOOD GUYS WITH THREAT INFO
• Shadowserver
• Cymru
• Bogons
• PhishTank
• DROP Advisory
• Null List
• Internet Storm Center - DShield
• SRI MTC
• Malware Block List

ENFORCEMENT TOOLS
• Incident Response System
• Intrusion Detection System
• Firewalls
• Router Security
• Host System Security
• Auditing

Firewall log excerpt shown on the slide (the third record is cut off in the original):

[00001] 2007-08-20 03:30:41 [Root]system-notification-00257(traffic): start_time="2007-08-20 03:30:41" duration=0 policy_id=16 service=dns proto=17 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=172.21.17.55 dst=210.201.138.58 src_port=39410 dst_port=53
[00002] 2007-08-20 03:30:43 [Root]system-notification-00257(traffic): start_time="2007-08-20 03:30:43" duration=0 policy_id=16 service=dns proto=17 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=172.21.17.55 dst=210.201.138.58 src_port=39410 dst_port=53
[00003] 2007-08-20 04:32:34 [Root]system-notification-00257(traffic): start_time="2007-08-20 04:32:34" duration=0 policy_id=21

ThreatSTOP Automates Process Like Anti-Virus Auto-Update, but in Real-Time

Slide 3

Threats Change Rapidly

Pie chart: share of sources by how long they persist (1 Day or Less, 2 Days, 3 Days, 4 Days, 5 Days, 6 Days, 7 Days, 2 Weeks, 3 Weeks, 30 Days). Slice values shown: 40%, 23%, 10%, 8%, 6%, 4%, 3%, 2%, 2%, 2%, 1%; the mapping of values to labels is not recoverable from the transcript.

Callout: 36% of sources persistent 1 week or less

Source: SANS - Internet Storm Center, DShield top 10,000 sources, 9/17/2009

Slide 4

Drop At First SYN

The Firewall drops connections from malicious actors at the first attempt. No additional devices or CPU cycles required. (Diagram: attacker traffic dropped from the network.)

Benefits
• Network becomes invisible to attacker
• Attacks never reach their victim, eliminating impact to the network
• No need to waste time investigating the attack
• Works for all traffic (IP, TCP, UDP, etc.)
• Drops only traffic from known bad actors

Slide 5

SMTP Traffic Test

Chart: SMTP traffic over time, with periods marked With ThreatSTOP, Without ThreatSTOP, With ThreatSTOP. Annotation: Bandwidth saturated by SMTP.

Slide 6

ThreatSTOP Automation

Slide 7

Reporting

Slide 8

Current Product

Supported Firewalls
• BSD/Solaris/SYSVR4/pf
• Checkpoint
• IPTables
• JunOS w Enhanced Services
• Netscreen ScreenOS 5 & 6
• PIX/ASA
• ZoneAlarm

Data Sources (Feed: Threat Profile)
• DShield: Network based attacks, worms, botnets
• Emergency: Latest detected threats: iFrames, Worms, Malware hosts
• SSH Crackers: Password brute forcers/cracking
• Shadowserver: Botnet C&C hosts
• PhishTank: Active phishing sites
• Cyber-TA: Malware droppers, C&Cs, Fast-Flux botnets
• Bogons: DOS (Inc self-DOS, by blocking ranges that used to be bogon, but are now assigned)
• Malware Hosts: Sites that have been detected as hosting malware
• Spyware, browser hijackers: Spyware and browser hijacking hosts
• SpamHAUS DROP: Worst networks as identified by SpamHAUS, hijacked CIDRs, netblocks of crime syndicates
• Geographic: Netblocks by country. About 98% accurate

Slide 9

Community Security

The cycle shown on the slide:
1. Automatically gather data from threat feeds
2. Automatically process threat feeds into lists of bad actors
3. Using customer selected criteria, create customer specific lists of who to block
4. Customer firewalls are updated with lists using DNS
5. Customer firewall allows, blocks or redirects traffic based on lists
6. Log files submitted to ThreatSTOP
7. Logs parsed for reports. Event data used to detect new attacks, improving security for community
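Added example, not ThreatSTOP's own code: a parser for the firewall traffic-log records reproduced on slide 2, producing the per-destination count of denied connections that the "logs parsed for reports" step would start from. The sample records are the slide's own three lines re-joined (constructed input); field names are taken from those lines, and the truncated third record is reported as incomplete rather than dropped.

```python
import re
from collections import Counter

# Constructed sample: the three firewall traffic-log records reproduced on slide 2,
# re-joined onto one line each. The third record is truncated on the slide itself.
SAMPLE_LOG = """\
[00001] 2007-08-20 03:30:41 [Root]system-notification-00257(traffic): start_time="2007-08-20 03:30:41" duration=0 policy_id=16 service=dns proto=17 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=172.21.17.55 dst=210.201.138.58 src_port=39410 dst_port=53
[00002] 2007-08-20 03:30:43 [Root]system-notification-00257(traffic): start_time="2007-08-20 03:30:43" duration=0 policy_id=16 service=dns proto=17 src zone=Trust dst zone=Untrust action=Deny sent=0 rcvd=0 src=172.21.17.55 dst=210.201.138.58 src_port=39410 dst_port=53
[00003] 2007-08-20 04:32:34 [Root]system-notification-00257(traffic): start_time="2007-08-20 04:32:34" duration=0 policy_id=21
"""

# Record header: "[seq] YYYY-MM-DD hh:mm:ss [vsys]system-notification-<id>(traffic): <body>"
HEADER_RE = re.compile(
    r'^\[(?P<seq>\d+)\]\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+'
    r'\[(?P<vsys>[^\]]+)\]system-notification-(?P<msgid>\d+)\(traffic\):\s*(?P<body>.*)$')
# Body: key=value pairs. Values may be quoted and two keys contain a space
# ("src zone", "dst zone"), so a naive split on whitespace would break them.
KV_RE = re.compile(r'(?P<key>(?:src|dst) zone|\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
REQUIRED = ('action', 'dst', 'dst_port', 'policy_id')  # needed to attribute a block

def parse_record(line):
    """Parse one traffic-log record into a dict; None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {'seq': int(m['seq']), 'timestamp': m['ts'], 'vsys': m['vsys'], 'msgid': m['msgid']}
    for kv in KV_RE.finditer(m['body']):
        key = kv['key'].replace(' ', '_')  # "src zone" -> "src_zone"
        rec[key] = kv['quoted'] if kv['quoted'] is not None else kv['bare']
    return rec

def parse_log(text):
    """Parse every non-empty line, skipping lines that are not traffic records."""
    return [r for r in (parse_record(ln) for ln in text.splitlines() if ln.strip()) if r]

def denied_by_destination(records):
    """Count Deny events per (dst, dst_port, policy_id). Records lacking the needed
    fields (e.g. a truncated line) are counted as incomplete, not dropped silently."""
    counts, incomplete = Counter(), 0
    for r in records:
        if any(k not in r for k in REQUIRED):
            incomplete += 1
        elif r['action'] == 'Deny':
            counts[(r['dst'], int(r['dst_port']), int(r['policy_id']))] += 1
    return counts, incomplete

if __name__ == '__main__':
    counts, incomplete = denied_by_destination(parse_log(SAMPLE_LOG))
    for (dst, port, policy), n in counts.most_common():
        print(f'{dst}:{port} (policy {policy}): {n} denied')
    print(f'{incomplete} incomplete record(s)')
```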

Slide 10

Who Are We?

Tom Byrnes - Founder & CEO
• Security experience spans 25+ years of civilian & military
• Radware, iPivot, Zero Gravity, ADN, Datatech, U.S. Army

VP Engineering – Boris Veksler (Betria Consulting)
• 15+ years experience in project management & engineering
• Tradebeam, Struxicon, Johnson Controls, Neiman Marcus, Tyco
• MBA from Anderson School at UCLA; MS in Structural Analysis & Mathematics/Computer Science from St. Petersburg Technical Univ.

VP Customer Experience (QA & Operations) – David Daugherty
• Operations in e-commerce platforms: Virtual Dreams, ArtistDirect
• Test and QA: iPivot, Intel and ADN

Paul Mockapetris – Advisor
• Inventor of the Domain Name System (DNS)
• Currently the Chief Scientist and Chairman of Nominum, Inc.

Marcus H. Sachs, P.E. – Advisor
• Verizon Exec. Dir. of Gov. Affairs for National Security Policy
• First head of Cybersecurity @ DHS
• Director of the SANS Internet Storm Center

Johannes Ullrich - Advisor
• Chief Research Officer for the SANS Institute
• Founded DShield.org

Slide 11

Summary
• Internet Service - ThreatSTOP is everywhere. Works with any traffic management system that has a DNS resolver.
• Makes existing systems work better
• Increases capacity/reclaims lost bandwidth
• Virtuous Cycle: All Users contribute to the Community, enhancing Security for everyone
• Pull, not push: Non Intrusive / Secure
• Web Based Management and reporting
• Easy to Implement and Use
• Cost effective: Saves hardware/software and staff time

Slide 12

Subscribe/Contact
www.threatstop.com
[email protected]
+1-858-412-7334
Tom Byrnes: [email protected]

Slide 13

Backup Slides

Slide 14

Service Architecture

Slide 15

Configure your lists

Slide 16

Configure your Devices

Slide 17

Easy to Use & Configure
Just add two simple rules to existing firewalls

Slide 18

Viruses

Chart: Viruses (detected by Sophos), x-axis 1/14/2008 to 2/5/2008 (daily), y-axis 0 to 140, with periods marked With ThreatSTOP, Without ThreatSTOP, With ThreatSTOP.

Slide 19

Blocked Traffic

Chart: Blocked Outbound (Trojans), x-axis 2/6/2008 to 2/12/2008 (daily), y-axis 0 to 140.
Chart: Blocked Inbound, x-axis 2/6/2008 to 2/12/2008 (daily), y-axis 0 to 20000.