Cyb T er h Threat D f e ense S l o uti tion Moritz Wenz, Lancope 1

Transcription

1 C b Th Cyber Threatt Defense D f S Solution l ti Moritz Wenz, Lancope 1

2 The Threat Landscape is evolving Enterprise Response Antivirus (Host-Based) IDS/IPS (Network Perimeter) Reputation (Global) and Sandboxing Intelligence and Analytics (Cloud) Worms Spyware and Rootkits APTS Cyberware Increased Attack Surface Tomorrow 2

3 Kill Chain: Post Breach 1. Command and Control Threat Detection Switches Routers 2. Reconnaissance Firewall IPS N-AV Web Sec Sec 3.Propagation 4. Data Theft 3

4 Scalable Network Defense 1. Command and Control Threat Detection Switches Routers 2. Reconnaissance Firewall IPS N-AV Web Sec Sec 3.Propagation 4. Data Theft 4

5 The New Security Model BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Network Endpoint Mobile Virtual Cloud Point in Time Continuous 6

6 Cisco Solutions Covering the Entire Attack Continuum Attack Continuum BEFORE Discover Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall NGFW ASA VPN NGIPS UTM Meraki FirePower Web Security NAC + Identity Services Security NW Infra +ISE WSA ESA Visibility and Context Advanced Malware Protection Network Behavior Analysis AMP (SF) Lancope 7

7 Visibility, Context, and Control WHERE WHAT WHEN Hardware-enabled NetFlow Switch WHO HOW Devices Internal Network Context Cisco ISE Cisco ASA + NSEL Use NetFlow Data to Extend Visibility to the Access Layer Cisco ISR G2 + NBAR Enrich Flow Data With Identity, Events and Application to Create Context Unify Into a Single Pane of Glass for Detection, Investigation and Reporting 11

8 NetFlow Security Use Cases Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise waiting to strike as lurking threats. These may be zero dayy threats that do not yyet have an antivirus signature or be hard to detect for other g reasons. Identifying BotNet Command & Control Activity. BotNets are implanted in the enterprise to execute commands from their Bot herders to send SPAM, Denial of Service attacks, or other malicious acts. Uncovering Network Reconnaissance. Some attacks will probe the network looking for attack vectors to be utilized by custom-crafted cyber threats. Finding Internally Spread Malware. Network interior malware proliferation can occur across hosts for the purpose gathering security reconnaissance data, data exfiltration or network backdoors. Revealing Data Loss. Code can be hidden in the enterprise to export of sensitive information back to the attacker. This Data Leakage may occur rapidly or over time. 12

9 StealthWatch Solution Components Other tools/collectors StealthWatch Management Console StealthWatch FlowReplicator StealthWatch FlowCollector Cisco ISE NetFlow NetFlow StealthWatch FlowSensor NBAR Cisco Network NSEL StealthWatch FlowSensor VE Users/Devices 13

10 Behaviour Based Attack Detection Behaviour-Based High Concern Index indicates a significant number of suspicious events that deviate from established baselines Host Groups Host CI CI% Alarms Alerts Desktops ,645,669 8,656% High Concern Index Ping, Ping_Scan, TCP_Scan 15

11 Detecting Command and Control Alarm indicating communication with known BotNet Controllers Source IP Address and username Target that trigged alarm Details Start Active Time Alarms Source User Name Source Source Host Groups Target Target Host Groups Details Dec 11, 2012 Bot Infected Host Attempted C&C Activity John Chambers Sales and Marketing, Atlanta, Marketing Atlanta Desktops node1.bytecluster.com ( ) ( ) Optima, United Kingdom Attempted communication was detected between this inside host and C&C server using port 80 and the TCP protocol 17

12 Identifying Reconnaissance Activity High Concern Index indicates a significant number of suspicious events that deviate from established baselines Host Groups Host CI CI% Alarms Alerts Desktops ,645,669 8,656% High Concern Index Ping, Ping_Scan, TCP_Scan 19

13 Infection Tracking Tertiary infection Secondary infection Initial infection 21

14 Detecting Suspect Data Loss Policy Inside Hosts Start Active Ti Time 8-Feb2012 Alarm Source Suspect Data Loss Source Source Target Host Username G Group Wired John Multiple Data Chambers Hosts Details Observed 4.08G bytes. Policy Maximum allows up to M 92M bytes. bytes 22

15 Flow-based Anomaly Detection 1 2 # Concurrent flows Packets per second Bits per second New flows created Number of SYNs sent Time of day received Rate of connection resets Duration of the flow Over 80+ other attributes Number of SYNs 3 Collect & Analyze Flows threshold Establish Baseline of Behaviors Anomaly detected in host behavior threshold threshold threshold Critical Servers Exchange Server Web Servers Marketing Alarm on Anomalies & Changes in Behavior 23

16 24