© 2012 Cisco and/or its affiliates. All rights reserved.Presentation_ID Cisco Public
See No Evil, Speak No Evil, Hear Plenty About Evil: Using Visibility and Intelligence to Secure your Business
Darren Anstee
Solutions Architect Team Leader, Arbor Networks
Stuxnet (Cyberwar)
Flame
Sony
LulzSec
Anonymous
Banking Attacks
Aurora
Shamoon
The New Global & Advanced Threat Landscape
Advanced Security Threats
Multi-Stage Multi-Vector
Advanced Threats – Overview
• What Are They?
‒ Target a specific organisation or vertical over a period of time to achieve a specific goal
‒ Co-ordinated activity & resources within the attacking entity
‒ Use new, modified and / or combinations of attack vectors & methodologies to avoid & evade detection and achieve goal
• Are They (Really) New?
‒ No, they are just focused & resourced hacking.
‒ Goals are varied but have not changed – service disruption, data or IP theft, fraud.
‒ Motivations include industrial or state sponsored espionage, organised crime, ideological hacktivism, competitive advantage
Advanced Threats – DDoS is Just One Attack Vector
• Aimed at disrupting an organisation's online presence or service
‒ Broad spread of organisations are reliant on the Internet to sell products, offer services or access cloud based data and applications.
• Common features
‒ Organized DDoS 'campaigns'
‒ No longer JUST packet blasts
‒ Combinations of sophisticated and unsophisticated attack tools
• Goal can be disruption or distraction
‒ Wide range of motivations
[Chart: DDoS Attack Motivations. Source: Arbor Worldwide Infrastructure Security Report, 8th annual. Categories: Political/ideological disputes; Online gaming-related; Nihilism/vandalism; Unknown; Demonstrating capability; Social networking-related; Inter-personal/inter-group r...; Misconfiguration/accidental; Competitive rivalry; Diversion; Criminal extortion attempts; Flash crowds; Financial market manipula...; Intra-criminal disputes]
[Chart: Advanced Threats – DDoS Evolution, 2005 to 2012. X axis: year; Y axes: Attack Scale (Gbps; ticks 1, 10, 100, 1000) and Attack Complexity. Tools and vectors plotted: Crafted State Exhaustion, Slowloris, LOIC & Variants, ApacheKiller, RefRef, Multi-vector, HTTP GET / POST Floods, Malformed HTTP, THC-SSL, DC++, Multi-vector ++, Kamikaze / Brobot / Amos, RUDY]
Advanced Threats – DDoS Evolution
• Big rise in proportion of WISR respondents seeing multi-vector attacks
‒ Up from 27% (2011) to 45.8% (2012)
‒ The most effective attacks target limitations in network perimeter & cloud-based defenses
‒ Hardest to mitigate and generally require layered defenses
[Chart: Multi-Vector Attacks Observed By Respondent (Yes / No / Don't Know). Source: Arbor World-Wide Infrastructure Security Report, 8th annual]
Advanced Threats – Multi-Stage, Multi-Vector DDoS
• Izz ad-Din al-Qassam Cyber Fighters Attacks on US financial sector in Q4 2012
• Compromised PHP, WordPress, & Joomla servers
• Multiple concurrent attack vectors
‒ GET and POST app layer attacks on HTTP and HTTPS
‒ DNS query app layer attack
‒ UDP floods, TCP SYN floods, ICMP floods & floods on other IP protocols
• Unique characteristics of the attacks
‒ Very high packet per second rates per individual source
‒ Attacks on multiple companies in same vertical
‒ Real-time monitoring of effectiveness
‒ Agility in modifying attack vectors when mitigated
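The slide describes concurrent vectors, very high packet rates per individual source, and vectors that shift once a mitigation bites. The following is an added illustration (not Arbor's code, and not from the original deck) of how a flow-based monitor could surface those three traits: it buckets constructed NetFlow-style records by second, source and vector, raises a per-source alert above an assumed packets-per-second threshold, flags seconds in which two or more vectors are active at once, and reports when the active vector set changes.

```python
from collections import defaultdict

# Constructed flow records (NetFlow-style), not from the original deck:
# (epoch_second, src_ip, proto, dst_port, tcp_flags, packets)
FLOWS = [
    (1000, "198.51.100.7", "tcp", 80, "S", 60000),    # SYN flood on HTTP
    (1000, "198.51.100.7", "udp", 53, "", 45000),     # DNS query flood
    (1000, "198.51.100.9", "tcp", 443, "PA", 30000),  # HTTPS GET/POST flood
    (1000, "198.51.100.9", "icmp", 0, "", 25000),     # ICMP flood
    (1000, "203.0.113.5", "tcp", 443, "PA", 400),     # ordinary client
    (1001, "198.51.100.7", "udp", 4444, "", 70000),   # vector shifted to UDP
    (1001, "203.0.113.5", "tcp", 443, "PA", 350),
]

PPS_THRESHOLD = 10000  # per source, per vector, per second (assumed value)

def classify(proto, dport, flags):
    """Map one flow onto the vector families named on the slide."""
    if proto == "tcp" and dport in (80, 443):
        return "tcp_syn_flood" if flags == "S" else "http_get_post"
    if proto == "udp" and dport == 53:
        return "dns_query"
    if proto == "udp":
        return "udp_flood"
    if proto == "icmp":
        return "icmp_flood"
    return "other"

def detect(flows, threshold=PPS_THRESHOLD):
    """Return (alerts, multi): alerts maps second -> vector -> offending
    sources; multi is the set of seconds with two or more active vectors."""
    pps = defaultdict(int)  # (second, vector, src) -> packets in that second
    for sec, src, proto, dport, flags, pkts in flows:
        pps[(sec, classify(proto, dport, flags), src)] += pkts
    alerts = defaultdict(lambda: defaultdict(list))
    for (sec, vec, src), pkts in sorted(pps.items()):
        if pkts >= threshold:
            alerts[sec][vec].append(src)
    multi = {sec for sec, vecs in alerts.items() if len(vecs) >= 2}
    return alerts, multi

def vector_shifts(alerts):
    """Seconds at which the set of active vectors changed: the 'agility'
    a responder sees when one mitigation takes hold and the mix moves."""
    shifts, prev = [], None
    for sec in sorted(alerts):
        cur = frozenset(alerts[sec])
        if cur != prev:
            shifts.append((sec, sorted(cur)))
        prev = cur
    return shifts
```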
Advanced Threats – Advanced Persistent Threats (APTs)
• APT is the Hot Topic in Information Security
‒ Aurora (2009) brought the term into the mainstream
‒ They actually incorporate a number of threats
• APTs have Common Features
‒ Defined goal, not opportunistic
‒ Stealthy infiltration, horizontal propagation
‒ Obfuscate trail, to ensure continued compromise
‒ Multiple tools / tactics used throughout campaign
‒ Significant resources required over an extended period
• APT Component Parts, Are They Advanced?
‒ Many are off-the-shelf malware dev kits, though some malware is built from the ground up
‒ Spear phishing & social engineering
‒ Drop an infected key in the car park / smoking area etc.
APT Attack Targets & Methodology
• Who are the targets?
‒ Governments
Economic offices, military, diplomatic corps, etc. – anyone working overseas. Outside government contractors, advisors (e.g. academic scholars)
‒ Private sector & commercial
Multinational businesses – aerospace, energy, pharmaceutical, finance, technology,
‒ 21.7% of respondents to the WISR survey experienced an APT of some kind on their non-service-providing networks in 2012
‒ But over 50% are concerned they might be targeted in the next 12 months
[Chart: Corporate Network Security Concerns (percentage of respondents, 0% to 60%). Source: Arbor Worldwide Infrastructure Security Report, 8th annual]
Recent APT Malware & Attack Examples
• Xtreme RAT – 2012
‒ Remote Access Trojan (RAT) that allowed attackers to remotely steal data from malware-infected machines. The spear phishing e-mails targeted US and Israeli government institutions.
• Shamoon – 2012
‒ Malware executable spread using network shared drives. Corrupts files and wipes device boot blocks at a specified date.
‒ A group named "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 Saudi Aramco workstations causing the company to spend a week restoring their services
Advanced Threats – Multi-Stage, Multi-Vector Attack Example
LulzSec, an offshoot of the Anonymous collective, launched a DDoS attack using Low Orbit Ion Cannon (LOIC) that camouflaged a data breach affecting up to 100 million customers.
Sony estimates more than $170M (USD) in losses due to the attack, while stock analysts expect losses greater than $1B. The hackers were caught and pleaded guilty.
How Should We Defend Ourselves?
• Broad and deep visibility are needed to understand attack traffic and malware behaviors.
‒ We need to be able to SEE what is happening outside and inside our networks.
• Research-based actionable intelligence and reputation information are needed.
‒ We need to HEAR about what is going on out there, so that we can leverage the research capabilities within the industry to protect ourselves.
• Intelligent, pinpoint mitigation and detailed forensics
‒ We need to stop threats to protect the availability of our on-line presence / access, and ensure that entities within our networks cannot export data or contact known bad actors
The Solution to Stop Advanced Threats
Internet & Enterprise Visibility
Security Intelligence
Threat Protection
A World-Class Research Team (ASERT) Analysing the World’s Internet Traffic (ATLAS) to Stop Emerging Advanced Threats
Know the Network / Find the Threat / Protect the Business
Built on Global Network Visibility & Security Intelligence
Arbor’s Enterprise Solution Overview
Arbor Pravail Products
DDoS Protection & Cloud Signaling
Inbound Botnet Blocking (AIF)
Activity Based Detection (ATF)
Behavioral Based Detection
Identity Tracking & Forensics
Application Intelligence
Advanced Threat Landscape
DDoS
Botnets
Advanced Malware (0-Day, Stealthy)
Insider Threats to Steal Data
Mobile Devices & BYOD
Dynamic Applications
Availability Protection: Stop inbound DDoS attacks as well as botnets
Security Intelligence: Visibility and intelligence to monitor and identify misuse of critical applications and sensitive systems
Network Situational Awareness: Risk profiling of threats and alerts with intelligence to understand the context of the activity that created the alert
Arbor's Enterprise Products are Designed for Today's Advanced Threat Landscape