A cél: csökkentsük a támadható felületet

Transcription

1 A cél: csökkentsük a támadható felületet Csordás Szilárd konzultáns mérnök tanácsadó Október 14

2 The Security Problem Changing Business Models Dynamic Threat Landscape Complexity and Fragmentation 2

3 The Modern Security Model Attack Continuum BEFORE DURING AFTER Control Enforce Harden Detect Block Defend Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in time Continuous 3 3

4 The Modern Security Model Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall VPN NGIPS Advanced Malware Protection NGFW UTM Web + Security Network Behavior Analysis Identity Services + NAC pxgrid + TrustSec ISE Provides Visibility, Context, and Control Across the Entire Continuum

5 és WEB még mindig az elsődleges támadási vektor Cisco Security Cisco Advanced Malware Prevention (AMP) Cisco Web Security Efficient Multi-Scan Spam and virus protection Reputation Filtering Spam Image Analysis Encryption Robust DLP URL Scanning Class-leading Anti-malware solution File reputation and Sandboxing Malware Forensics reports Malware File Retrospection Cisco AMP Everywhere ensures pervasive coverage Safeguards every device, everywhere, all the time Acceptable Use Controls Web Reputation Application Visibility & Control Dynamic Content Analysis Actionable Reporting Threat Analytics AMP Everywhere Systems work together for blended attack protection 5 Flexible Deployment Client Appliance Virtual Cloud

6 Malwertising Használjuk az online hirdetési platformot malware terjesztésre. Nincs felhasználói interakció à hatékony Néhány perc alatt számtalan fertőzés 1. Fertőzött weboldal megnéz 2. Böngésző átirányítás a user agent alapján 3. Az végső célállomás elindítja a malware letöltését 6

7 Exploit Kit - pl. Blackhole, Glazunov, Neutrino 1. Felhasználó meglátogat egy weboldalt, amit előzőleg a támadó kompromittált 2. Az áldozat több átirányításon keresztül eljut, a támadó szerverére. I- frame (0 by 0), script tag 3. Infót gyűjtünk az áldozat gépéről, hogy melyik sérülékenységet használjuk ki 4. A támadás végrehajtódik 5. Sikeres támadás, a Malware - payload letöltődik az áldozat gépére és végrehajtódik (drive by download) 7

8 Nuklear Exploit Kit Hasonlít a többi exploit kit-hez Az utóbbi hetekben szokatlanul aktív o Aug 18 à szeptember különböző hoszt IP cím, 11x SP 1 IP max 1 nap dedikált szerverek (fix cím) Domain minta: véletlenszerű betű/szám + pseudo-world + uni.me Pl f0dhrhq6e.orlikineston.uni.me 59x legitim domain (ingyenes és dinamikus DNS) à sub-domain Forrás: talos/evolution-nuclear-ek/#mor 8

9 Nuklear Exploit Kit A támadó szervere jelentősen torzított javascript segítségével: OS, böngésző, verzió és a bővítmények (plugin) detektálása malwertising Komponens Flash Active X Internet Explorer Silverlight Java PDF Sérülékenység CVE CVE CVE CVE CVE CVE Forrás: talos/evolution-nuclear-ek/#mor 9

10 Context is Everything NetFlow Files Users Web Applications Application Protocols Services Malware Command and Control Servers Vulnerabilities Processes Network Servers Operating Systems Routers and Switches Mobile Devices Printers VoIP Phones Virtual Machines Client Applications Network Behavior 10

11 FireSight - Threat Focused Management Cisco FireSIGHT Visibility Demo NGFW/NGIPS Management Forensics / Log Management Network AMP / Trajectory Vulnerability Management Incident Control System Adaptive Security Policy Retrospective Analysis Correlated SIEM Eventing Network-Wide / Client Visibility Visibility Categories Threats Users Web Applications Application Protocols File Transfers Malware Command & Control Servers Client Applications Network Servers Operating Systems Routers & Switches Mobile Devices Printers VoIP Phones Virtual Machines 11

12 FireSight - Threat Focused Management 12

13 13

14 14

15 Cisco FireSight True Security Things that are important to a Threat-Centric Security System What is this attack? Malware (hostile file transfer and IP Call-back) records details of file transfer C&C indicator. Reputation based from Global Threat Awareness. Rule and Packet detail available Attack Specifics? How? Why? What may have changed on the endpoint? All attack information is known Packet(s) Available. Attack Detail and Remediation notes and References also available How was Hostility Determined? Detailed indicator of compromise confirms that file transfer was hostile with IP call back. Based on reputation or receiver, and packet detail What is this endpoint? It s OS? Server Running Windows Passively or Actively Discovered by FireSIGHT Is it vulnerable to this threat? Yes: Internal IP address, location, criticality, User, Potential and Active Vulnerabilities Has this host been compromised by this or other attacks? Yes. 3 related threats detected. Indicators of Compromise identified and verified as compound malware attack What other machines has this device contacted? 4 additional systems were identified as participants and/or targets If the disposition of this attack changes, can the system retrospectively go back and identify the scope of the outbreak? Yes Continuous analysis is used versus just point-in-time - Data collected and held long term allows retrospective analysis/action should a benign file begin acting hostile Can you remediate a threat that does get through? Yes. All information is recorded and tracked remediation is integrated What is the root cause? Local System Root Cause Determination available - 2 Malware files Can the system tell me immediately how many of my hosts or network devices may be vulnerable to this threat? Yes. The threat is currently seen on 4 clients If this attack is blocked, how can the system determine if it is a false-positive or true-positive? Complete context is maintained, indicator of compromise guarantees that the threat is real and the client is actually vulnerable dynamic policy used to prevent outbreak within enterprise 15

16 16

17 17

18 FireSight event correlation for SIEM rec_type=400 rec_type_simple="ips EVENT" event_sec= event_usec= sensor= event_id=47198 msg="malware- OTHER SQL Slammer worm propagation attempt inbound" sid=28555 gid=1 rev=1 class_desc="a Network Trojan was Detected" class=trojan- activity priority=high src_ip= dest_ip= src_port=10507 dest_port=1434 ip_proto=udp impact_flag=67 impact=1 blocked=no mpls_label=0 vlan_id=0 ids_policy="cisco CR IPS Policy" user=unknown web_app=unknown client_app="ms SQL client" app_proto="ms SQL" fw_rule="default Allow" fw_policy="default Access Control" iface_ingress=eth1 iface_egress=n/a sec_zone_ingress="physical LAN" sec_zone_egress=n/a connection_second= connection_instance_id=1 connection_counter=30151 src_ip_country="korea - north" dest_ip_country=australia Event Type Connec-on Details Geoloca-on Was is Blocked? Impact to Des-na-on Security Analyst: Impact 1 Intrusion that wasn't blocked, from North Korea on targedng a vulnerable host on which is in my physical LAN using the Inbound SQL Slammer propagadon amack. 18

19 19

20 Cisco Platform Exchange Grid (pxgrid) Accelerating Partner Solution Efficacy through Context Sharing For security, which is more useful information? The compromised device is OR - The compromised device is Szilard Csordas s ipad in Sas Torony, Level 4, Budapest Cisco ISE collects contextual big data from multiple sources across the network. Via Cisco pxgrid technology, this contextual data is shared with partners. With ISE contextual data, Partner Solutions can more accurately and more quickly identify, mitigate, and remediate security threats across the network. 20

21 Cisco ISE Ecosystem Partners Security Information and Event Management (SIEM) and Threat Defense Mobile Device Management 21

22 Ecosystem Partners Benefit from Contextual Data Cisco ISE with pxgrid Enables More Effective Partner Solutions Adaptive Authentication Ø Association of contextual data to user authentication & applications OT Access Policy for Control / SCADA Networks Ø Policy-defined segmentation with context and control of SCADA networks without disruption Ø Faster identification, isolation, and remediation of rogue devices Endpoint Vulnerability Prioritization Ø Identification and prioritization of network endpoint vulnerability report alarms Ø Faster time to investigate and take action on reporting to reduce potential attack vectors Packet Capture and Forensics Ø Association of contextual data of users/roles with packet capture data Ø Increases accuracy and speed in forensics investigation while eliminating manual process NEWEST SIEM / TD Partner to Join the ISE Partner Ecosystem 22

23 pxgrid Components Certificate Based Auth pxgrid Publisher IPS Threat Defense ASA-CX WWW pxgrid Controller ASA Cisco WSA IPAM 3rd party pxgrid Subscriber 23

24 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24