Module 5: Security Intelligence: Tracking a Global Threat (45 min) - Rush Carskadden
- Janel Baldwin
- 10 years ago
Transcription
Diversity of Attacks (0:15)
So again, starting off, just a little bit of background on Security Intelligence Operations and how that works. What we're witnessing in the threat environment over the past several years is that increasingly, threats are extremely diverse in their approaches, and, in fact, what we're seeing with the most recent threats is that not only do they have diverse implementations and vectors of attack. They actually also will exhibit multiple vectors of attack at the same time. So you'll have a single threat that represents multiple vectors of attack at-- throughout its life cycle, and that's what we really refer to as a blended threat-- so a blended threat that will attack via multiple vectors but also change over time. So that's--that's the sort of polymorphic nature of the threats that we're seeing now.

In order to properly address those blended threats, we need to change the approach to gathering intelligence on those threats. So while historically we've looked at a threat as a single instantiation, a single element at a single point in time, a blended threat requires us to gather much more context. So while previously we were looking at the content of the threat, really kind of looking at what is-- for instance, if it's malware, what is this file? What is the content of the file? And then writing some sort of capability and algorithm that allows us to identify that particular content. With the content changing and the fact that all of these different threats, at any given point in the life cycle of the threat, could possibly be unique, sort of the metaphor being unique like a snowflake or unique as it evolves throughout its life cycle, that's where we're starting to focus more on the context.

Comparing the Content and Context of a Threat (2:09)
And this is something that you hear a lot from Cisco, and hopefully, I think you're hearing that from various companies throughout the security industry. There's really now a greater focus on the context. So you want to know all of the aspects of the threat above and beyond what that threat looks like as a particular piece of, for instance, malware at rest. You want to understand the behaviors of the threat. You also want to understand where it comes from, what it targets, and what types of-- what types of behaviors it-- a--an infection might be used to engage in.

Cisco SIO Overview (3:03)
So we'll talk a little bit about what that means, understanding that full context, but in order for us to know that context-- and that really is the goal of contemporary security and intelligence-- we have built this capability that we refer to as Cisco Security Intelligence Operations, and really the function, the goal of Security Intelligence Operations, is to understand the life cycle of all of the extant threats on public and private networks throughout their life cycle, to have that holistic view of all of the potential sources of malicious activity, the different types of malicious activities, and the different types of malicious content. So combining all of that together is the goal of this Security Intelligence Operations, and it's really-- SIO is divided into three major areas of focus.

There's SensorBase, which is the capability that enables us to gather information from the threat environment. In other words, that's the capability that enables us to gather information from deployment in all of the different global networks, but then there's the Threat Operations Center. That information by itself that we gather from SensorBase is not actionable in the sense that it clearly illustrates the threats and all of the different parameters associated with those threats. In order to pull out that information, we need to process that data that we gather in SensorBase, and we do that in the Threat Operations Center. This is where we turn all of that data into the intelligence that enables us to equip our security technologies to address the threats but also enables us to talk with you, as I am today, about the lessons that we have learned from Security Intelligence Operations.

And then there are the Dynamic Updates. This is really kind of the area where we take what we learn in the Threat Operations Center and provide it back to you and provide it back to the security devices themselves. So whether it's a firewall or IPS, a web or security technology, those technologies need to learn from the information that we gather, and that's what the Dynamic Updates are really focused on doing.

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 1 of 13

Detailed Explanation of SensorBase (5:20)
So let's talk in a little bit more depth about each one of these categories.
So again, we can kind of connect the dots from the data that comes in to the Threat Operation Centers every day all the way through to what it is that we have learned based off of the threats that we're tracking right now. So SensorBase, as I said before, is really kind of the open end of the funnel. SensorBase is where we gather all of the raw data. Today, that's over 4 terabytes of data that we receive every day, and that data, it comes in all different formats, and the reason why it comes in such a wide variety of formats is that the primary source of that information that we're gathering is Cisco security technologies. So what we have done is, we've enabled all of the different Cisco security technologies to provide information back to SIO. So each individual implementation, each individual customer and operator has the opportunity to opt in to sending information back to the global SIO network. That's anonymized information that is really focused on the parameters of the threats that those security technologies are witnessing. So we want to know who the attackers are, what the attacks are, and what the ensuing behaviors after, perhaps, a point of infection might be. So that information is really only collected effectively from live security deployments. While we do have honeypots, honeynets, the wide variety of the threats that we see on a day-to-day basis really demand that we have-- cast a wider net, and that's the goal of using live deployments as the source of that information.

We look at over 30 billion web requests a day. So that's--we're analyzing more web requests each day than Google, and the type of web requests that we look at run the entire spectrum from just a basic search request all the way through to all of the different content advertisements, files that are-- that are--compose-- that compose a web visit for a particular web request. All of that information is gathered and analyzed by us on a daily basis, and again, that's based off of live deployments. We have enormous visibility in the messages with security technologies, and that, in turn, gives us visibility into a large percentage of the worldwide traffic. While historically spam has represented a huge percentage of worldwide traffic and, hence, has represented the majority of worldwide traffic, with recent advances in spam and the work that we have been doing to be more effective in antispam, we've been able to sort of reduce the footprint of spam in the global traffic. That's good for us, because it helps us more precisely sort of zero in on that threat activity.

But as important as the huge spectrum of threat information that we collect is-- and, you know, it's said often that nearly every packet that crosses the internet touches a piece of Cisco technology, and we have enabled-- increasingly enabled those Cisco technologies to provide that threat intelligence information-- it's important that we have the right type of information as well. You know, gathering intelligence from one type of security technology is not ever going to make that security technology more effective.
Said differently, if we were just to take what an IPS knows is malicious activity up into the cloud, there's very little learning that we can do based off of that information that will enable an IPS to be more effective. This is really just sort of the circular nature of the data. You can't improve-- you can't get an IPS to find new things necessary-- or it's very difficult, I should say, to have an IPS find new things based off of data that is what IPS already finds. Where we are very effective is in combining the different types of security technologies together and using that to detect these new and emerging threats. So, for instance, if you have a threat where you are receiving , a spam, let's say, with a malicious attachment or a link to malicious content that would then direct you to a website that distributes malware. That malware-distributing site could then compromise an end point, and that end point would then turn around and start directing attacks at other entities across the LAN. While--if we were to look at this from the standpoint of any single security technology, we would see three different threats. Really it's one threat that has three different faces or three different points in its life cycle, but the threat itself is tied together.
And so that's the goal of the intelligence that we gather, and the result of the-- the result of the research that we do on that data is that we're able to piece together the entire history of a threat from its point of origin through its propagation and all of its different vectors of attack as well as what happens after a point of infection and all of the resulting behaviors that are associated with that. That's important, as you might imagine, with threats like, for instance, a botnet where an infection is then used-- or a compromised host is then used for other tasks. So piecing that all together is the vision here, and it's interesting, because that's where we have learned the most.

Let me give you an example there. An often quoted statistic on the part of Cisco is that, you know, 80% of the spam that is sent, it's sent by an infected host, right? I was just talking about botnets. That's the source of the majority of the spam that is sent today, the vast majority. But we're only able to identify that by knowing that an infection has taken place, seeing the evidence of that compromise, and also seeing that particular entity as an origin for spam. So that's interesting, because that a host has sent spam before is a good indicator that it will send spam again, but beyond that, it's also a good indicator that it will engage in other infectious activities or other malware-propagating activities, perhaps even Denial of Service.

Another example would be that we've found great coincidence between certain types of web content or the categorization of a source of web content and its propensity for distributing malware. So certain types of content providers that have entities on the internet also have a high probability of hosting malware. An example that we have seen there is that websites that host advertisements for online gambling also frequently host malware or malicious content.
Now, we can have a lot of theories about why that might happen, and, in fact, that's a lot of what-- the types of research that gets spun off of what we do in SIO, but the reality is, it's not important that we understand the details of why there is that coincidence. It's important that we monitor that coincidence itself. So we need to monitor there both of those parameters, look for a pattern, and then train our machine learning to then take advantage of that pattern for our security purposes. It doesn't require us to always know the motivations, though those motivations are interesting to us, but really, it's the pattern itself that drives the effectiveness.

Threat Operations Center (14:02)
Moving on, collecting all of that data is really a pretty daunting task when you think about the volume, but it's not the hard part, right? The challenge is actually doing something with that data that results in actionable intelligence. This is where we have placed an enormous investment in our research and development over the past couple of years. You can see here, we spent over $100 million in developing dynamic research and development capabilities within the Threat Operations Center. That's the machine learning. That's the ability of the systems themselves to identify those patterns and bring them to the forefront of all of the data that we collect. The nature of that research is, by necessity, operations. This is around the clock. We have all of these algorithms working to identify these patterns and then establish whether or not-- whether or not they are conclusively malicious. So that's a marriage of algorithms and expertise in a sense because those algorithms do have to be developed by engineers, by experts in security intelligence, and obviously, there's always a portion of the problem set that needs to be addressed by human intelligence. This is the type of activity like reverse engineering malware or infiltrating a botnet to understand its command-and-control communications. That's where the 500 engineers, technicians, and researchers come in.

Our approach to the Threat Operation Centers is somewhat familiar to many of Cisco's customers in a sense that if you're familiar with TAC and how we pursue our TAC-- the TAC services that we provide, it's very similar. So Threat Operation Centers are distributed around the globe, largely sort of time-divided throughout the day, and you'll see there that there's that even distribution that's similar to the "follow the sun" model, although, you know, the time frames that are most interesting for us in Threat Operation Centers' activities aren't necessarily the same as business hours, right? So we've joked before that instead of it being like "follow the sun," it's more like "follow the moon," but the important thing to note there is that those Threat Operation Centers are geolocated around the globe on a time basis but also that they're not necessarily geographically colocated with TAC. In fact, in no instance is there sort of a free access between TAC and Threat Operation Centers, and that's really driven by the privacy and security needs of the Threat Operations Center research.

Dynamic Updates (17:05)
Lastly, we'll talk about the Dynamic Updates.
This is not an area that I'm going to go into a whole lot of depth, because we want to talk a lot about our lessons learned, what all of this data amounts to for us in our research, but I do want to touch on the idea that all of this research does result in intelligence rules and updates that can be provided to the security technologies themselves. So any Cisco security technology gets updates from SIO on an every three- to five-minute basis, but, um--and that is the primary goal of security intelligence, right? So our mission, our philosophy is such that understanding the threat environment is just the first step in the battle. We haven't succeeded until we've been able to take that intelligence and put it to good use. In other words, knowing that there is a threat out there is not-- is not where we stop. We go beyond that to, "All right, now how can we address that threat across all the security technologies?" And do so in a very rapidly responsive manner. So that gives you a feel for Security Intelligence Operations.
As I described it before, this is a--this is-- if you sort of imagine as a huge funnel, there's tons of data coming in one side, and there is a pretty precise signal and-- from-- that is extracted from that noise that comes out the other, and that signal is where we focus our efforts in understanding those threats. Let's talk a little bit here about what we have learned recently about the threats that we're witnessing. A couple of trends that are worth noting...

External Threat Trends (19:00)
One of the things that you'll hear from really any credible security vendor today is that the cybercrime ecosystem is extremely sophisticated. It is well developed from a-- both a technological and business perspective. This is really not anything that's, I think, all that surprising or should be all that surprising for most of the folks that are interested in this topic and engaged in security activities on a regular basis. What's interesting, though, to us is how that cybercrime ecosystem is changing the nature of the threats that we witness. So the ready availability of malware that can be customized to your purposes is changing those threats to be more customized as we see them going across the wire, and that's kind of the impact that we've already talked about in the beginning here of, you know, resulting in blended threats, resulting in polymorphic threats, things that we see change very rapidly. The customization aspect of it means that the content itself is widely varied. But also, it's interesting in a sense that it has focused the security industry on those items that are easiest to identify in terms of their homogenous nature. So when you have an installs market of that nature, you're going to look for malware that all looks the same-- if you're taking a content approach, you're gonna look for malware that all looks the same without necessarily knowing where it comes from or where it goes.
This is what leads us to focus, I think, probably a little too much on things like, you know, large botnets. Large botnets are interesting, and we talk a lot about them because security-- players in the security industry generally are able to identify them. They're large, right? What we're looking at right now in SIO, though, are the smaller and more impactful threats, and to give you an example, if I can draw your attention to one of the things on this slide, it's actually a condition of the transaction that you engage in. You know, you can purchase custom malware, how to install-- you can purchase installs. And really for about $1,000 U.S., you can have a pretty comprehensive botnet at your disposal, but if you look at these conditions, the first line here says, "We don't pay for Russian installs." That's pretty interesting, because while recently-- or I would say in recent years, we have seen a huge, huge install base of malware and compromised devices in sort of what we would consider to be Russian or former Soviet territory geographically or geopolitically. What we're seeing now is a pretty aggressive move away from that on the part of the people that are engaging in the cybercrime ecosystem, and the reason for it is that it's easy to find. Many security researchers have sort of developed a comprehensive understanding of where those areas of potential malware install are in those regions, and they're not looking-- or, I'm sorry, rather, the criminals that are engaging in this ecosystem are not looking for those installs because they're so easy to identify. They're also less reliable as a potential point of attack or spam or whatever type of behavior they then want to engage in. So that's pretty interesting.

And what we're seeing as a replacement there is in-- perhaps very interesting for the people on the phone today-- what we're seeing as a replacement is an increase in the number of installs that we see in-- throughout Asia, right? So Asia-- Asia, in the larger sense, has become the broader sort of playing field for this type of install of malware, and the reason for that is, there are a large number of people who are participating in the economy in that region, and I think that this is something perhaps you've heard a little bit about. That's--that is a-- been a population explosion in terms of people who are participating in this ecosystem. New hackers, access to technology, real, real comprehensive understanding of the necessary topics to be effective-- on either side of the cybercrime or security coin, these things are leading to a lot of people who are participating in this activity, but the other side of that is that there is a broad spectrum of vulnerability within that region as well.

Vulnerability Context (24:18)
So if we were to associate where we see vulnerabilities geopolitically, there is an explosion of unlicensed software or unupdatable software that occurs in specific geopolitical locations, and it's probably not a huge assumption to then take a look at where we see dark net activity or where we see compromise, and it maps pretty clearly there to where those vulnerabilities exist.
So, you know, you can see a very obvious correlation between these two diagrams that illustrates that where there are vast numbers throughout internet space or where there are vast numbers of machines that cannot be updated or have not been updated, for whatever reason, to minimize vulnerability, where that attack surface exists, we're also seeing that there's compromise and then, later, participation in the dark net. So there's a pretty clear indication there of correlation.

Kind of another thing that I want to talk about, though, is, I'm talking a little bit about how big, loud, dumb threats are what everyone's moving away from in that cybercrime ecosystem, and I'm going to talk in some real specific detail here in just a moment of where we're seeing that focus replaced, but I just want to call out one other thing from the sort of terms and conditions that you see here for one of these cybercrime providers. Where I pointed out at the top, "Don't pay for Russian installs," skip down a little bit. What you'll see is, "You may install it by any means except spam," and on the bottom line, you'll see, "All spam is prohibited."
The reason for that is because a large number of people who are researching in the security industry are able to identify malware by combing through this malicious spam, by looking at spam that links to websites and then hitting those websites to look for malware, whether it's with a crawler or what have you, or if it's just pulling out the files that are attachments. That has been an incredibly effective way to identify or sort of source your understanding of what the malware environment looks like. That's something that Cisco pioneered, actually, in many ways, or rather, it was the IronPort which then was acquired by Cisco and has become part of this larger SensorBase effort on our part. We were, like, first to the market with that approach to identifying the malware via mining the spam. Interestingly, it's been effective enough that that's what everyone's moving away from now. In fact, it's difficult for you to sell a malware install if you have in any way installed a--spam. You might ask yourself, "How do people who participate in the cybercrime ecosystem know that it was-- the install was distributed via spam?" The same way that security researchers do: the participants in the cybercrime ecosystem use the same approaches, the same technologies to mine spam for malware, and when they see it, they can identify whether that malware was distributed via spam and reject those types of installs. So moving on from that, if the-- what I described as the big, loud, dumb approach to distributing malware is on its way out, what are we seeing now? What's replacing that?

Targeted Threat Vectors (28:00)
Well, what we're seeing are targeted threat vectors. Now, "targeted" is somewhat of a loaded term, because, you know, you could say that "targeted" could be something that's just casting a little bit more precise net than, say, broad-based spam all the way down to "extremely targeted" could be like spear phishing.
All of that spectrum is where we're seeing the threats in today, although we'll focus a little bit today on the areas where we're seeing targeted threats in sort of what we'll call sort of small groups, right? And we refer to this as demographic targeting, right? So this is targeting not just based off of, "For whom do I have an address?" But targeting more specifically on, "What do I know about the potential-- the potential for infection and then manipulation of that compromised host?" We want to know that, for instance, that's a machine that has a high likelihood of an always-on internet connection, those types of things. So that demographic aspect is increasingly what we're seeing. There are really four areas of targeted threats that we want to talk about today. That's SEO poisoning, search engine optimization poisoning. There's infected legitimate sites. There's targeted , and then there's social networking. Those are really kind of the big four, and then we're gonna talk a little bit in more detail about a couple of these to give you a feel for what we're seeing as far as those threats and how they're implemented today.

Search Engine Optimization (SEO) Poisoning (29:39)
So let's start with search engine optimization poisoning. You know, as I mentioned earlier, I live in central Texas in the United States, and a popular food in this area is fajitas. Interestingly, if you go to Google and you do-- I'm sorry. It sounds like I might have my audio cut off. - We still hear you. - Oh, okay, excellent. So if you go to Google and you do a search for a fajita recipe, you'll get that first full page of results and all different types of recipes and all types of different content that you can click on there to find out how to make fajitas. Every single link on this first page of the Google search results will lead to malware. So no matter which of these you click on, it's going to lead to malware, and you can actually see that when you start to look here at the URLs, you know, there's this first one. Oh, this is in a dot CC, but it's in English. Well, what's that all about? That's actually just hosted malware out there, and it's--though it would look like a fajita recipe if you click on it, its main purpose is to distribute that malware, and it's repurposed content. In fact, if you look at a lot of these URLs, you'll see that there's something a little bit suspicious about the vast majority of them. Even the ones that look like legitimate URLs, I can tell you, are also links to malware. So what's happening here is that the malware distributors have engaged in search engine optimization techniques to look for popularly searched terms that are applicable in the-- in their target demographic, and then they've optimized so that their malware comes up on top of those results. So that's-- that's one interesting trend that we're seeing. So, you know, I'm talking about Google.
You know, you might follow on there and say, "Well, if it's all-- if this is something where search engine optimization is in play and these are searchable, kind of public resources, can't we use some sort of crawler or something to identify, though?" The answer is, that's one way that we can approach the problem, but it's not a very effective way to approach the problem, and the reason is that crawlers are easy to identify.

Intelligence Evasion (32:18)
For instance, if you use a Google crawler and you go to this site, the zinesecurity.com site, this is actually what it looks like. That's what the content looks like to that Google crawler. It's a blank page. You don't see anything, and that's because the site has been designed such that it will not actually redirect you to malicious content if you look like a Google crawler. In fact, it looks for a series of behaviors, almost similar to how ClickFrog prevention works today, and looks for a-- sort of a path of behaviors that indicate whether it's an actual live browser or it's--it's a crawler or a bot of some sort. Here's what this website looks like from just a regular browser, from someone just browsing to the website. You can see here that this is a pretty familiar view of a malware distribution kind of content, and you can see there that-- that it's, you know, faking the Windows and providing you with a whole bunch of things to click on, all of which are malware. So no matter what you click on here, you're going to get that malware. That's, again, that same site, but it's what it looks like when it's a human browser as opposed to the Google crawler. So intelligence evasion is a major advance in web-borne malware that we're seeing right now. Almost everything out there that is recent or contemporary, let's say, would be something that, you know, would engage in several evasion techniques.

Infected Legitimate Sites (33:54)
And again, that evasion is not-- the evasion is not just for a security technology but for security research as well. Another area where we're seeing more targeted or demographic targeting of malware and compromise is infected legitimate sites. So this-- in this example here, this is actually the website of a Canadian-- the Canadian government function that protects privacy and security. So that's the area of the Canadian government to focus on those topics, and you can see here, if we go to just a subdirectory off that same website, again, you have a malware distribution content page and, again, doesn't matter what you click on in this site. It's going to give you malware, right? So that's just a compromised source site, a legitimate website where someone has compromised it and established a subdomain. This is an effort to sort of hide something on a site that would be classified as a safe site and then, you know, use the positive reputation of that domain to then hide the distribution of the malware. Interestingly, this has led to some new advances in technology, and when I talked about earlier, the 30 billion requests that we look at in web security today, that--that is broken down by every object. Every piece of content that we see in that web transaction, we're gonna analyze. We're gonna look at the source of that content, and we're gonna evaluate whether or not it's malicious. And it's because of this exact approach right here. It's the fact that people are using legitimate sites to hide that malware.
So then the other area that I want to talk about here-- and this one is one where we're seeing really just an explosion in incidents of malware-- is when you take a legitimate site and not even compromise that site but you take advantage of the fact that so many sites nowadays are sharing user-generated content, and you tailor that user-generated content to provide malware, either provide malware directly or provide a link to malware or provide content that exploits a browser or exploits a client application, such as a PDF reader, and then takes advantage of that to further spread the malicious activity. This one here is just a support website for Siemens, and one of the most common sites you can hit on any support website, regardless of what the technology is or the service or the company or the business, is going to be the login failure page. That's generally the most visited site on any of these public forums, and on this one, you can see that there are some topics there that users can log in and place a comment or question in the queue, and the frequently asked questions will bump to the top and display right there on that login help 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Page 10 of 13
page. The idea is, users can kind of help each other, right? This is just another example of, like I said, a very common trend that's user-generated content. But in this case, each one of these links that say something that looks legitimate if you're having trouble logging in, they're all malicious. So each one of these links, then, goes to malware, and you can actually see that again. If you look here, you see some JavaScript, and if you'll see the multiple, multiple links to the same JavaScript, it's hosted there out of Russia. It is--it is malicious, and we were able to identify this one, again, because it falls in a pretty, um-- pretty identifiable sort of path of compromise, but certainly, you see that the legitimate sites that host user-generated content have become one of the battlegrounds of the distribution of this malware.

Facebook Profile as an Attractive Target (38:39)

So the last area that I want to talk about-- and I think this one is extremely interesting-- is a Facebook vector. Goes without saying that Facebook is an incredibly popular site, and Facebook represents a large amount of the day-to-day traffic of users, not just outside of the enterprise but within the enterprise as well, and, in fact, some recent research we were doing indicated that as much as 14% to 15% of the content-- that's like the total volume of content that we analyze on a supposedly secure enterprise installation-- was actually Facebook, so this is where-- this is an installation where Facebook was supposedly locked down and not accessible, and it still represented about 14% to 15% of the content that was going through the-- going through the web transactions there. So it's a very attractive vector for attack.
I think most of us could probably say, if we have used Facebook or we know friends who use Facebook, we're probably aware that there has been some compromise out there, but what's particularly interesting about Facebook is that, again, going back to the concept of targeted threats, going back to the concept of demographic targeting, Facebook gives you all of the tools that you need to do that type of targeting. If you advertise on Facebook, when you design your advertisement, you have the ability to put whatever type of link you want in there and then, on top of that, provide the title and the body and put together something that will tailor to a specific demographic, and then Facebook will actually tell you how you're doing in tailoring to that demographic. So in this case, you know, just kind of going back to the Canadian example, we can put together a link that says, "Hey, here's something that would impact Canadian government employees." If we wanted-- if we were trying to compromise Canadian government resources, we'd put together this site, and it says, you know, "Canadian government to shed 33% of workers," right? Not true at all, but it's the sort of thing that we anticipate that government workers in Canada would click on, 'cause they'd want to know about that. And we, of course, would put in our URL here, which goes to a malicious site that provides malware. And over here, Facebook will tell us, "Hey, with this
advertisement, we anticipate that you'll go out and put that in front of 18,540 people and not just 18,540 random people but people who specifically live in Canada. They're age 18 or older, and they work at the Canadian Forces or government of Canada." That enables us to be extremely specific with where we place our trolling for potential malware installs. And so Facebook is an incredible tool, and what we're seeing is just, again, not-- a great increase in the amount of threat that we see associated with that. So hopefully there are a couple of things that I would like for you to think about when we talk about all of the different lessons that we have learned.

Summary (41:52)

One, in order to be effective at understanding the threat environment, you have to look at live threats. You--lab work is great. Honeynets are fantastic, and, you know, that's the sort of standard duty of care that we engage in on a regular-- on a regular day-to-day basis, but to be effective, we have to look at the live threats in live deployments. That's the source of real, true security intelligence now, and I think that's where the security industry is going and, you know, as I've illustrated today, where we're focusing our efforts and investments.

The second thing I want to hit on is, but once you have that data, combining it is all about comparing multiple types of data and parameterizing that information. So you want to look at all of the different vectors of a blended threat so that you can view the timeline of that threat. You know, we track for over 26 million public entities on the internet. We track the entire security history that we have seen associated with that entity, and that's a number that increases every day, but that's what's necessary to really understand, end to end, that threat history.
And then the last thing that I want to touch on is, it's not about casting a broad net and looking for the biggest fish, because increasingly, that's a behavior that those engaged in a cybercrime economy have identified and are using those same approaches to make their threats fly under the radar, so moving away from what I was calling earlier sort of the big, dumb, loud activity and going to things that are a little bit more tailored, specifically tailoring those threats for the types of compromised host that you're looking for, right? You want to find those always-on-- those always-on installs in specific areas with high bandwidth, so specific type of users, and if you're going to compromise them for the purposes of gathering information, you want to make sure that they have access to that information that you might like, as we were talking about earlier with the government employees targeted through Facebook.

So that's given you a feel for how we gather our intelligence and some of the intelligence that we've gathered. This type of information, we provide over 20 publications throughout the year and also a number of different forums where we discuss these threats with you. We'll be talking here in, you know, various RSA discussions in more detail about some of these threats, so if you're interested in learning more, please reach out to us in those locations or, you know, reach out
to-- reach out to us within the Cisco Security Intelligence Operations organization, and we'd love to talk more

Cisco and/or its affiliates. All rights reserved. This document is Cisco Public
