You are on page 1of 49

Emerging Threats

BRKSEC-2001

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2008, Cisco Systems, Inc. All rights reserved. 1
14330_04_2008_c1.scr
Agenda

ƒ What? Where? Why?
ƒ Trends
ƒ Year in Review
ƒ Case Studies
ƒ Threats on the Horizon
ƒ Threat Containment

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 3

What?
Where?
Why?

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 4

© 2008, Cisco Systems, Inc. All rights reserved. 2
14330_04_2008_c1.scr
What? Where? Why?

ƒ What is a Threat?
A warning sign of possible trouble

ƒ Where are Threats?
Everywhere you can, and more importantly cannot, think of

ƒ Why are there Threats?
The almighty dollar (or euro, etc.), the underground cyber crime
industry is growing with each year

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 5

Examples of Attacks

ƒ Targeted Hacking
ƒ Malware Outbreaks
ƒ Economic Espionage
ƒ Intellectual Property Theft or Loss
ƒ Network Access Abuse
ƒ Theft of IT Resources

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 6

© 2008, Cisco Systems, Inc. All rights reserved. 3
14330_04_2008_c1.scr
Where Can I Get Attacked?
Operating System

Network Services

Applications

Users

Attack Attack

Anywhere Everywhere
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 7

Operational Evolution of Threats
Emerging Threat
Threat Evolution Unresolved Threat
Nuisance Threat

Policy and
Reaction

Socialized Formalized
Process Reactive Process
Process Process
Definition
Operational

Mitigation
Burden

Human Automated
Technology Manual Process
“In the Loop” Response
Evolution

End-User
Support
Burden

End-User No End-User “Help-Desk” Aware—
Increasingly
Awareness Knowledge Know Enough to Call
Self-Reliant

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 8

© 2008, Cisco Systems, Inc. All rights reserved. 4
14330_04_2008_c1.scr
Operational Evolution of Threats
Emerging Threat
Threat Evolution Unresolved Threat
Nuisance Threat

Policy and

Reaction
Socialized Formalized
Process Reactive Process
Process Process
Definition Operational

Mitigation
Burden

Human Automated
Technology Manual Process
“In the Loop” Response
Evolution

End-User
Support
Burden

End-User No End-User “Help-Desk” Aware—
Increasingly
Awareness Knowledge Know Enough to Call
Self-Reliant
“New”, Unknown, or Largest Volume of Problems
Problems We Haven’t Focus of Most of Day to Day
Solved Yet Security Operations
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 9

Why?

ƒ Fame
Not so much anymore (more on this with Trends)

ƒ Money
The root of all evil…(more on this with the Year in Review)

ƒ War
A battlefront just as real as the air, land, and sea

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 10

© 2008, Cisco Systems, Inc. All rights reserved. 5
14330_04_2008_c1.scr
Trends

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 11

Trends

ƒ Evolution of Hacker Motivation
ƒ No longer the Lone Hacker
ƒ The Cybercrime Industry
ƒ Hosting Services
ƒ Designer Malcode
ƒ BotNets
ƒ Spyware
ƒ Phishing
ƒ Fast Flux
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 12

© 2008, Cisco Systems, Inc. All rights reserved. 6
14330_04_2008_c1.scr
Evolution of Motivation
2002 2003 2004 2005 2006 2007 2008

Fame
SQL Slammer Netsky,
Bagle,
MyDoom Money

Zotob
Business

= Major Media Event

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 13

Evolution of Motivation

ƒ Fame is not all it’s cracked up to be
To make money effectively and without
detection you need to be unknown

ƒ People are prepared for what they know

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 14

© 2008, Cisco Systems, Inc. All rights reserved. 7
14330_04_2008_c1.scr
Operational Evolution of Threats
Emerging Threat
Threat Evolution Unresolved Threat
Nuisance Threat

Policy and

Reaction
Socialized Formalized
Process Reactive Process
Process Process
Definition Operational

Mitigation
Burden

Human Automated
Technology Manual Process
“In the Loop” Response
Evolution

End-User
Support
Burden

End-User No End-User “Help-Desk” Aware—
Increasingly
Awareness Knowledge Know Enough to Call
Self-Reliant
“New”, Unknown, or Largest Volume of Problems
Problems We Haven’t Focus of Most of Day to Day
Solved Yet Security Operations
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 15

No Longer the Lone Hacker

ƒ Hackers are forming development teams to work on
creating malicious code
ƒ Highly intelligent individuals are collaborating to create
new viruses and other malicious code
ƒ Software development tools for handling large projects
are being used
ƒ Development is not unlike normal software
development in the IT industry
ƒ The shared information and talents of many very skilled
hackers when working together can be worse than any
one working alone

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 16

© 2008, Cisco Systems, Inc. All rights reserved. 8
14330_04_2008_c1.scr
The Cybercrime Industry

ƒ Group develops custom malcode
ƒ Custom malcode is made available for purchase
ƒ ISP administrators are paid to host malicious code on
sites that they control
ƒ Malcode collects usernames and passwords as well as
credit card numbers
ƒ Credit card numbers and usernames and passwords
are for sale

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 17

Cybercrime Industry: In the Past

Writers Asset End Value

Tool and Toolkit Compromise Fame
Writers Individual Host
or Application
Theft
Malware Writers

Worms Espionage
Compromise (Corporate/
Viruses Environment Government)

Trojans

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 18

© 2008, Cisco Systems, Inc. All rights reserved. 9
14330_04_2008_c1.scr
Cybercrime Industry: Today
First Stage Second Stage
Writers Abusers Middle Men Abusers End Value
Tool and Toolkit Hacker/Direct Fame
Writers Attack Compromised
Host and
Theft
Application

Malware Writers Espionage
Extortionist/ (Corporate/
Machine DDoS-for-Hire Government)
Harvesting Bot-Net Creation
Worms
Extorted Pay-Offs
Viruses Spammer
Bot-Net Management:
For Rent, for Lease, for Commercial Sales
Trojans Sale
Phisher
Fraudulent Sales
Information Personal
Spyware
Harvesting Information
Pharmer/DNS
Poisoning Click-Through
Revenue
Information
Brokerage
Internal Theft: Identity Theft Financial Fraud
Abuse of
Privilege Electronic IP
Leakage

$$$ Flow of Money $$$
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 19

Cybercrime Industry: Hosting Services

ƒ Hosting services are for sale as part of the total
package
ƒ Hosting sites can hold a database of collected
information
ƒ Hosting sites can serve as a sales portal for
individuals wishing to purchase stolen information
ƒ Standard rates for data sales are being established

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 20

© 2008, Cisco Systems, Inc. All rights reserved. 10
14330_04_2008_c1.scr
Designer Malcode

ƒ Malcode that is designed to bypass virus scanners
is made for sale
ƒ Malcode is designed to collect information and upload
it to a database
ƒ Backup malcode is also available to replace the
active malcode once it begins to be detected by
virus scanners
ƒ Malcode is designed to be very difficult to reverse
engineer, or determine its functionality making it
harder to detect and harder to trace where the
data is being sent

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 21

“Noise” Level

Large Scale Worms

Public
Awareness

Targeted Attacks

2000 2008
Time

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 22

© 2008, Cisco Systems, Inc. All rights reserved. 11
14330_04_2008_c1.scr
Cyber Crime Profit Level

Targeted Attacks

Illicit
Dollars
Gained

Large Scale Worms

2000 2008
Time

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 23

Botnets
ƒ Botnet: A collection of compromised machines running programs
under a common command and control infrastructure
ƒ Building the Botnet:
Viruses, worms; infected spam; drive-by downloads; etc.

ƒ Controlling the Botnet:
Covert-channel of some form; typically IRC or custom IRC-like channel
Historically have used free DNS hosting services to point bots to the IRC server
Recent attempts to sever the command infrastructure of botnets has resulted in
more sophisticated control systems
Control services increasingly placed on compromised high-speed machines
(e.g. in academic institutions)
Redundant systems and blind connects are implemented for resiliency

ƒ Further Example as a Case Study

Source: www.wikipedia.com
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 24

© 2008, Cisco Systems, Inc. All rights reserved. 12
14330_04_2008_c1.scr
Using a Botnet to Spend Spam
1. A botnet operator propagates
by viruses, worms, spam,
and malicious websites
2. The PCs log into an IRC
server or other
communications medium
3. A spammer purchases
access to the botnet from
the operator
4. The spammer sends
instructions via the IRC
server to the infected PCs—
5. …causing them to send
out spam messages to
mail servers

Source: www.wikipedia.com
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 25

What about Spyware?
ƒ Still a major threat
Drive-by downloads still a major source of infestation
ActiveX vulnerabilities in particular enable this
However, confusing or misleading EULAs still a problem

ƒ A Trojan by any other name—
Spyware is increasingly indistinguishable from other forms of malware
Nasty race condition: sheer number of variants makes it very difficult
for technology solutions to hit 100% accuracy at a given moment

ƒ Rise of intelligent spyware
Directed advertising is more valuable than undirected
More sophisticated spyware matches user-gathered data with
directed advertising
Bot-based spyware is also more valuable, as it can be updated over time
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 26

© 2008, Cisco Systems, Inc. All rights reserved. 13
14330_04_2008_c1.scr
Phishing, Pharming, and Identity Theft
Phishing Pharming
MUNDO-BANK.COM MUNDO-BANK.COM

ited
olic S
Uns mail DN ning
E is o
Po
172.168.1.1 172.168.1.1
MUNDO- MUNDO-
MUNDO-BANK.COM BANK.COM BANK.COM

Come see us at
www.mundo-bank.com
ine
<172.168.254.254>
Onl
egular ing
172.168.254.254 R Bank 172.168.254.254
Hosts File:
mundo-bank.com = 172.168.254.254

ƒ Identity theft continues to be a problem If you’re a target:
ƒ Phishing scams growing in sophistication ƒ Consider “personalization” technologies
every day (e.g. user-chosen images on a webpage)
ƒ Protecting your users: implement some ƒ Support identified mail initiatives, like DKIM
technology, but don’t forget user education!!
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 27

Fast Flux

ƒ Malicious IP addresses are changing quickly
ƒ Botnets are the new DNS Servers
ƒ Very low time to live (TTL) in A Record
ƒ Infected hosts acting as DNS servers
ƒ Traditional DNS-based security measure not
longer effective

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 28

© 2008, Cisco Systems, Inc. All rights reserved. 14
14330_04_2008_c1.scr
What Does this Mean?

ƒ People utilizing the emerging threats of today want
them to stay unknown
ƒ What you don’t hear about is what you should be
concerned about
ƒ Intelligence is important

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 29

Operational Evolution of Threats
Emerging Threat
Threat Evolution Unresolved Threat
Nuisance Threat

Policy and
Reaction

Socialized Formalized
Process Reactive Process
Process Process
Definition
Operational

Mitigation
Burden

Human Automated
Technology Manual Process
“In the Loop” Response
Evolution

End-User
Support
Burden

End-User No End-User “Help-Desk” Aware—
Increasingly
Awareness Knowledge Know Enough to Call
Self-Reliant
“New”, Unknown, or Largest Volume of Problems
Problems We Haven’t Focus of Most of Day to Day
Solved Yet Security Operations
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 30

© 2008, Cisco Systems, Inc. All rights reserved. 15
14330_04_2008_c1.scr
Year in Review

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 31

2007 as a Year

ƒ Security fad: Month of Bugs
Fuzzers offer tremendous way to find vulnerabilities

ƒ Application vulnerabilities up 17% from 2006
According to the Cisco IntelliShield

ƒ Botnets control channels up 57% from 2006
According to ShadowServer.Org

ƒ 1,200 new websites per day hosting malware
According to MessageLabs

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 32

© 2008, Cisco Systems, Inc. All rights reserved. 16
14330_04_2008_c1.scr
2007 as a Year

ƒ Global spam up 50% from 2006, considerable up tick
in types of spam attachment
According to IronPort

ƒ One unique phishing scam every 2 minutes in 2007
According to the PhishTank

ƒ Over 10 targeted malcode attacks per day, up from
1 per day in 2006
According to MessageLabs

ƒ 163 million records with personal data compromised
in 2007—up from 48 million in 2006
According to Attrition.Org
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 33

Fuzzers in Action—Month of Bugs

ƒ Trend started in Mid 2006 with Month of Browser Bugs
ƒ Jan ’07—Month of Apple Bugs (MoAB)
ƒ Mar ’07—Month of PHP Bugs (MoPB)
ƒ April ’07—Month of MySpace Bugs (MoMYB)
ƒ May ’07—Month of ActiveX Bugs (MoAXB)
ƒ June ’07—Month of Search Engine Bugs (MoSEB)

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 34

© 2008, Cisco Systems, Inc. All rights reserved. 17
14330_04_2008_c1.scr
Stock Advice from Spam

ƒ Canadian company Diamant Art’s stock price tripled
in one day from .08 cents to .25 cents
ƒ No positive news released from the company
ƒ Spam touting the stock solely responsible for raise
in stock price
ƒ Most spam stock only increases stock price ~2%,
which is quickly lost

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 35

Stop Trading Spam Stocks

ƒ March 2007 US Securities and Exchange Commission
announced that 25 stocks were going to be suspended
from trading for 10 days
ƒ Not viewed as an effective way to stop stock spam
ƒ It is a start, government bodies are starting to wake up

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 36

© 2008, Cisco Systems, Inc. All rights reserved. 18
14330_04_2008_c1.scr
F.B.I. Nabs BotHerders

ƒ June 2007, the US F.B.I. announced the arrest of
3 different BotHerders who were responsible for over
1 million infected machines
ƒ Step in the right direction, even if it was relatively
small group
ƒ The real news: If the F.B.I. is on your trail then your
technology has matured

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 37

iPhone Releases, Gets Hacked

ƒ July 2007, less than one month
after the US release of Apple’s
highly anticipated iPhone a major
vulnerability was discovered
enabling a complete compromise
ƒ New vector, new attack
ƒ As other vendors scramble to
match the iPhone in functionality
similar attacks are likely

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 38

© 2008, Cisco Systems, Inc. All rights reserved. 19
14330_04_2008_c1.scr
Google Ads Link to Malicious Sites

ƒ December 2007, a security researcher discovers
that several sites using Google ads were linking to
malicious websites
ƒ Google swiftly reacted by shutting down the
ad providers
ƒ No way to know for certain how many users were
infected nor who was at fault

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 39

Radio Frequency ID (RFID) Cloning

ƒ Last 12 months has seen
several different
demonstrations highlighting
technology to clone RFID tags
ƒ Legal methods used to
suppress demonstrations
ƒ Current demonstrations are
more theoretical and not likely RFID is an automatic
to be easily carried out identification method, relying
on storing and remotely
retrieving data using devices
called RFID tags
- Wikipedia

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 40

© 2008, Cisco Systems, Inc. All rights reserved. 20
14330_04_2008_c1.scr
Pretexting Makes Headlines

ƒ Hewlett Packard admits using Pretexting is the act of
pretexting to investigate creating and using an
internal officers invented scenario (the
pretext) to persuade a
ƒ Xbox Live accounts suffer from target to release
information or perform
pretexting attacks an action and is usually
Group calling itself Clan Infamous done over the telephone
claimed to steal 10 accounts a day - Wikipedia

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 41

P2P Networks Used for DoS Attacks

ƒ Flaw in open source peer-to-peer hub software DC++
ƒ Allowed attacker to direct clients to any site resulting
in a DoS
ƒ Large amount of blackmail money demanded to
prevent attack

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 42

© 2008, Cisco Systems, Inc. All rights reserved. 21
14330_04_2008_c1.scr
Conclusions from 2007

ƒ Botnets have come into their own
ƒ Targeted attacks are increasingly the norm
ƒ Cybercrime industry pushing “innovation” in malware
ƒ Focus on applications

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 43

Case Studies

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 44

© 2008, Cisco Systems, Inc. All rights reserved. 22
14330_04_2008_c1.scr
Case Studies

ƒ Corporate Liability
TJX Company’s customer database compromised

ƒ Malware in Action
Storm worm analyzed

ƒ Malware Industry
Gozi worm’s cybercrime links

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 45

Corporate Liability—About the Company

ƒ TJX is the parent company for a family of
discount retailers
ƒ United States
Marshalls
TJ-Maxx
HomeGoods

ƒ Canada
Winners
HomeSense

ƒ UK, Ireland, Germany
TK-Maxx
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 46

© 2008, Cisco Systems, Inc. All rights reserved. 23
14330_04_2008_c1.scr
Corporate Liability—How it Happened

ƒ Attack originated at a Marshalls
store in St. Paul, Minnesota
ƒ Attackers used telescope-shaped
antenna to read WiFi signals

ƒ WiFi enabled price scanners targeted to get
network access info
ƒ Once on the network, database was targeted
ƒ Data harvesting started mid 2005 and carried
through end of 2006

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 47

Corporate Liability—What was Affected

ƒ Initially thought to be 45.6M credit
card numbers compromised, later
updated to 90M
ƒ Included “Track 2 Data”
ƒ Biggest credit card number heist
in history
ƒ Over 80 GB of network traffic send
to outside server

90,000,000
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 48

© 2008, Cisco Systems, Inc. All rights reserved. 24
14330_04_2008_c1.scr
Corporate Liability—Example of Use

ƒ Nov. ’06 Florida law enforcement claims at least 10
thieves used credit card data in a gift card scheme
ƒ Over $8M in gift cards purchased
ƒ 6 people tied to gift card scheme were arrested
ƒ Gift card scheme was carried out months before
TJX discovered the compromise

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 49

Corporate Liability—Aftermath

ƒ Believed to be responsible for between $68M and
$83M fraud in over 13 countries
ƒ Class-action consumer lawsuit settled
$20 store voucher
3 years credit monitoring
$20,000 ID Theft Coverage

ƒ Banks and financial institutions sued
Yet to be determined

ƒ Estimated costs to TJX are over $150M

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 50

© 2008, Cisco Systems, Inc. All rights reserved. 25
14330_04_2008_c1.scr
Corporate Liability—Conclusions

ƒ Every company needs to be concerned
ƒ Does not have to be credit cards
ƒ Governments creating laws requiring disclosure
ƒ One incident can cost much more than years of
a quality security infrastructure

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 51

Malware in Action—Storm Worm

ƒ Started as PDF spam in early 2007
ƒ Evolved to use e-card and YouTube invites
ƒ Uses spam with links to malicious sites as main vector
of propagation
ƒ Utilizes social engineering techniques to trick users
to malicious sites

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 52

© 2008, Cisco Systems, Inc. All rights reserved. 26
14330_04_2008_c1.scr
Malware in Action—Storm Worm

ƒ Email spam example:
To: Tony Hall
From: Dale Hammond
Subject: Dear Friend
Hi. Nice to meet u and my friend operates a company .i have got
something from him and i must say that the quality is so good .SO i tell u
the truth and hope u can connect him and welocme to his website
www.ouregoods.com. If u have any questions u can add
ouregoods@hotmail.com we are pleasure to help ,good luck to u!

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 53

Malware in Action—Storm Worm

Infected 1 BotHerder
Webserver

2

4
1. BotHerder updates
malcode on webtrap
2. Initiate new spam 3
pointing to webtrap
3. User reads the spam
and clicks link Infected
4. User machine
infected
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 54

© 2008, Cisco Systems, Inc. All rights reserved. 27
14330_04_2008_c1.scr
Malware in Action—Storm Worm

ƒ game0.exe—Backdoor/downloader
ƒ game1.exe—SMTP relay
ƒ game2.exe—Email address stealer
ƒ game3.exe—Email virus spreader
ƒ game4.exe—DDoS attack tool
ƒ game5.exe—Updated copy of Storm Worm dropper

Source: www.secureworks.com
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 55

Malware in Action—Storm Worm

ƒ 403014 Copy(c:\game0.exe->C:\WINDOWS\disnisa.exe)
ƒ 77e6bc59 WriteFile(h=7a0)
ƒ 403038 RegOpenKeyExA
(HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
ƒ 40305f RegSetValueExA (disnisa)

Copies itself to C:\Windows\disnisa.exe
Set registry to run on startup

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 56

© 2008, Cisco Systems, Inc. All rights reserved. 28
14330_04_2008_c1.scr
Malware in Action—Storm Worm

ƒ 402ba0 WinExec(w32tm/config/syncfromflags:manual
/manualpeerlist:time.windows.com,time.nist.gov,100)
ƒ 77e7d0b7 WaitForSingleObject(788,64)
ƒ 40309b
CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
ƒ 4030df WinExec(netsh firewall set allowedprogram
"C:\WINDOWS\disnisa.exe" enable,100)
Sync with Microsoft Time Server
Start process
Edit firewall rules to allow network access

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 57

Malware in Action—Storm Worm

ƒ 77e7ac53 CreateRemoteThread(h=ffffffff,
start=404b05)
ƒ 40da1b bind(b8, port=7018)
ƒ 40d9c7 listen(h=b8 )
ƒ 40a262 WaitForSingleObject(d4,2710)

Connect with remote machine
Wait for a command

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 58

© 2008, Cisco Systems, Inc. All rights reserved. 29
14330_04_2008_c1.scr
Hub and Spoke Topology

ƒ Controller communicates
directly with bots
ƒ Simplest but limited ability
to scale
ƒ Single points of failure
BotHerder
DNS record to BotHerder

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 59

Peer To Peer (P2P) Topology

ƒ All bots perform
distribution
ƒ Multiple paths from
controller to bots
ƒ Scales well, very resilient
ƒ No single point of failure

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 60

© 2008, Cisco Systems, Inc. All rights reserved. 30
14330_04_2008_c1.scr
Storm Worm Conclusions

ƒ Very sophisticated
ƒ “Victim of its own success”, yet still difficult to
shut down
ƒ Just one example, there are others we don’t
know about

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 61

The Industry in Action: GOZI

ƒ GOZI was a custom made application designed
to harvest data
ƒ Went undetected for over 50 days
ƒ Collected at least 10,000 records belonging to
over 5,000 home users

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 62

© 2008, Cisco Systems, Inc. All rights reserved. 31
14330_04_2008_c1.scr
GOZI: The Discovery

ƒ Originally discovered because a user reported that
an account he accessed at work was compromised
ƒ Work computer was searched, suspicious malware
discovered
ƒ Not one of the 30 leading anti-virus companies
detected Gozi at the time

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 63

GOZI: The Highlights

ƒ Targeted SSL data
ƒ Modularized code (Professional grade)
ƒ Spread through iFrame IE browser vulnerability
ƒ No detection in anti-virus produces for weeks, months
ƒ Customized to target specific sensitive data
ƒ Posted on-line for “customer” purchases of stolen data
ƒ Home PCs largely infected
ƒ Accounts at top financial, retail, health care, and
government services affected
ƒ Estimated black market value of at least $2 million
Source: www.secureworks.com
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 64

© 2008, Cisco Systems, Inc. All rights reserved. 32
14330_04_2008_c1.scr
GOZI: The Investigation

ƒ Organization ready to code new undetectable malware
ƒ Willing to offer tech support
ƒ Others willing to help with infection
ƒ Gozi main server located in Russia

Source: www.secureworks.com
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 65

GOZI: Conclusions

ƒ Truly a new industry
ƒ Pushing the envelop, trying to stay undetected
ƒ Operating in countries where it is difficult to get
shut down

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 66

© 2008, Cisco Systems, Inc. All rights reserved. 33
14330_04_2008_c1.scr
Threats on the Horizon

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 67

Threats on the Horizon

ƒ Automated social engineering
ƒ Web 2.0
ƒ Voice over IP threats
ƒ Video files format vulnerabilities
ƒ Mobile devices
ƒ Data leakage
ƒ Outsourcing
ƒ Distributed workforce

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 68

© 2008, Cisco Systems, Inc. All rights reserved. 34
14330_04_2008_c1.scr
Automated Social Engineering

ƒ In an effort to convince users to “click here”, malware
will use collected data to enhance the veracity of
targeted spam
ƒ Malcode can scan previous emails in a person’s inbox
and send a “reply”
Simply adding:
Hey,
Forgot to tell you to check out this site:
http://bad.site.com

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 69

Web 2.0

ƒ Hugely popular social sites (MySpace, Facebook)
offer many potential victims for attackers
ƒ Data easy to gather to assist in targeted attacks
ƒ Very dynamic, big potential for buggy software to
be present
ƒ Attracts users who are not necessarily computer
proficient

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 70

© 2008, Cisco Systems, Inc. All rights reserved. 35
14330_04_2008_c1.scr
Voice over IP Threats

ƒ “Vishing”—voice way to attempt a phishing scheme
ƒ Well understood business risk is promoting integration
of security technologies in voice deployments
ƒ Limited pool of technical experts on voice within
attacker community
ƒ Follow the money: No well-established business model
driving financial incentives to attack

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 71

Voice Security Opportunities

ƒ Eavesdropping:
Earliest attacks focused on this (VOMIT); however, effective
deployment of secure voice makes this very difficult (easier to
use other means to access info)

ƒ SPIT: SPAM over internet telephony
Potential to be a serious annoyance, but significant barriers to
this being an effective source of profit (Vishing)
Some are technical, but most involve our current use patterns
for telephony (used on a per-phone basis, not in a “list” format)

ƒ Denial of service
Disgruntled employees or extortionists may target the voice
infrastructure by a variety of mechanisms

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 72

© 2008, Cisco Systems, Inc. All rights reserved. 36
14330_04_2008_c1.scr
Video File Format Vulnerabilities

ƒ Researchers in 2007 continued to uncovered many
important to critical video file format vulnerabilities in:
QuickTime
Real Player
Windows Media Player
Flash

ƒ Documented examples of video file attacks in 2007,
not yet mainstream
ƒ With rise of video it is only a matter of time
ƒ The next “hot” YouTube video just might be dangerous…

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 73

New Opportunity: Proliferation of Devices
The Challenge Opportunities for Attack

• New types of devices are • Attacks on the back-end
joining the network: All of these systems provides an
Hand-helds, smart phones, cameras, ingress point into some form of
tools, physical security systems, etc. back-end system
Both the method of communication
• Diversity of OSs: and the device itself are targets
More devices means more operating
systems and custom applications • Attacks on the device
Proliferation leaves many
• Embedded OSs opportunities for taking control
Process controllers, kiosks, ATMs, of a system
lab tools, etc.
• Attacks on data
IT department often not involved
in procurement—little attention paid Sensitive data is becoming
to security increasingly distributed
and uncontrolled
For example, one environment got
hacked from an oscilloscope

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 74

© 2008, Cisco Systems, Inc. All rights reserved. 37
14330_04_2008_c1.scr
Attacks on Data: Data Leakage
ƒ Still a hot topic this year
ƒ Broad term encompassing multiple
different challenges:
Security of Data at rest
Security of Data in motion
Identity-based access control
Both malicious and inadvertent disclosures

ƒ Issue has become topical typically for “Compliance” reasons
ƒ However, broader topic involves business risk management
How do I avoid inadvertent disclosures?
How do I protect my information assets from flowing to my competitors?
How do I avoid ending up in the news?
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 75

Architectural View of Data Leakage:
New Challenges
Server/Application Network Transit End Users Endpoint Systems
Systems

Endpoint
Enforcement Points Internal Consumers
Application
Front End

Endpoint Enforcement
Centralized Data Transit Enforcement Points
Stores: Points
Structured and
Unstructured External Consumers Decentralized Data
Stores

What’s Changed? Enforcement points Technical Translation Problem: How to
and data consumers are roughly reliably test a given data set for membership
the same; however, a new actor in a “unit of information” (e.g. how to
introduced: “Data” verifiably determine if a given mass of bits is
Quantization Problem: How to group “source code”)
data elements into units of information Policy Construction Problem: How to
relevant to the business? scalable build policy for data flows across a
large environment?
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 76

© 2008, Cisco Systems, Inc. All rights reserved. 38
14330_04_2008_c1.scr
Mobile Data Continues: PC on a Stick
ƒ New “smart drives” and other similar technology extending
the existing threats to data posed by portable storage
devices
ƒ Devices carry a virtual computing environment in a
secure storage, typically plugged in via USB to any
open computer
ƒ All workspace, preference, and data information is kept
within the device, but computing resources of the host
machine are used for manipulation and processing
Challenges:
ƒ Analogous to SSL VPN security challenges, only now you
can lose the device in a cab
ƒ Unknown endpoint environment challenges: keyboard
loggers and splicers, monitor taps, webcams
ƒ Malicious software embedded in data or documents
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 77

Trend: Outsourcing

ƒ Motivations: Outsourcers have all the potential to
be disgruntled employees in search of revenge, only
more so—outsourcers typically feel less loyalty to the
outsourcing organization
ƒ Opportunity: In many organizations, outsourcers are
given full intranet access
ƒ Considerations:
How do you balance the need to access required applications while
providing necessary controls to mitigate risk?
When negotiating contracts, are there any provisions for data security
and integrity? Are there any provisions to audit the security posture?
What legal recourses does the organization have in the event of
compromise? Jurisdictional issues, liability and responsibility, etc.

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 78

© 2008, Cisco Systems, Inc. All rights reserved. 39
14330_04_2008_c1.scr
Trend: Distributed Workforce

ƒ De-perimeterization is real
True “federated” security systems are a long ways off yet

ƒ Layers of defense and policy enforcement are critical
Drop bad traffic as close to the source as possible, but ensure
you’ve
got at least a couple of “last lines of defense”

ƒ Costs and risks to data integrity should be a part of any
calculation to adopt new business practices
There may be hidden costs that are not well understood

ƒ People and Processes Key to Mitigate Risk
User awareness and effective business processes are as
important to technology solutions
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 79

Coping with Threats

Conclusion and Recommendations

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 80

© 2008, Cisco Systems, Inc. All rights reserved. 40
14330_04_2008_c1.scr
What’s My Exposure?
Appropriate Risk Mitigation
ƒ Risk is at the core of all
security policy decisions
ƒ With emerging threats,

Level of Mitigation
there’s always something
out there that can affect Risk Averse
your business
ƒ Effective understanding Risk Tolerant
of business risk is critical
to determining priorities in
your response plan
Level of Risk Aversion
ƒ The Challenge: Every
application is business
critical to someone

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 81

Example: Network-Based
Structured Data Controls

Credit Card Credit Card
1234-5678-9012-3456 Mask XXXX-XXXX-XXXX-3456
Social Security Social Security
123-45-6789 Mask XXX-XX-XXXX
Driver’s License Driver’s License
A123456 Block A123456
Employee ID Employee ID
S-924600 Mask XXXX
Patient ID Patient ID
134-AR-627 Block 134-AR-627

Request

Response

Cisco AVS 3100

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 82

© 2008, Cisco Systems, Inc. All rights reserved. 41
14330_04_2008_c1.scr
Tackling Malware:
Solutions Across the Network
Remote/Branch Office
Data Center

Management
Network

Internet
Connections
Corporate Network
Internet

Corporate
LAN Business
Remote Access Partner
Systems Access
Extranet
Connections

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 83

Tackling Malware:
Solutions Across the Network
Remote/Branch Office
Data Center Endpoint Protection
ƒ Infection prevention:
STOP Cisco Security Agent
Management
ƒ Infection remediation:
Network GO desktop anti-virus;
Microsoft and other anti-
spyware SW

Internet
Connections
Corporate Network
Internet

STOP
Corporate Network-Based
LAN Business
Content Control
GO Remote Access Partner
ƒ Multi-function
Systems Access security devices
GO
ƒ Firewalls
STOP
Network Admission Extranet
Control ƒ Intrusion prevention
GO Connections
systems
ƒ Ensure endpoint
policy compliance ƒ Proxies

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 84

© 2008, Cisco Systems, Inc. All rights reserved. 42
14330_04_2008_c1.scr
Mitigating Risk of Data Leakage:
Basic Steps
1. Protect Non-managed Machines: Remote access (employee, partner,
and vendor) from non-managed machines pose a serious risk.
Deploy protection technology in your remote access systems such as
Cisco Secure Desktop in the Cisco ASA 5500
2. Deploy Network-based Structured Data Controls: Data elements
such as Credit Card numbers or SSNs can be monitored and
controlled in return traffic using application firewalls (such as AVS
3100)
3. Lockdown Managed Endpoints: Lock down removable media
systems, such as USB ports and CD burners, using Cisco
Security Agent
4. Application Access Control: Enforce “need to know” access control
policies in the network at transit control points (e.g. in firewalls)
5. Content Inspection Services: Build out a network-wide sensor grid for
visibility and audit. Primary focus areas: email; instant messaging
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 85

Incident Response Basics
Incident Response Life Cycle ƒ Most important step:
Step 1
Pre-Incident ƒ Second most important step:
Planning
Step 5
1
ƒ Most commonly skipped step:
Post-Incident Step 1
Policy and Detection
Process 5 2 and Analysis ƒ Second most commonly
Analysis skipped step:
Step 5

4 3
Containment
Recovery
and Control

Adapted from reports at www.gartner.com and www.securityfocus.com
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 86

© 2008, Cisco Systems, Inc. All rights reserved. 43
14330_04_2008_c1.scr
What Should I Do?

ƒ Process, process, process:
Implement strong processes up front, document them,
and use them

ƒ User education campaigns:
Ensure there is an end-user education component of your
broader information security strategy

ƒ Make effective use of technology:
Technology exists to mitigate much of your risk of exposure
to new threats—make sure you’re using what’s available

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 87

Technology Recommendations

ƒ Stay informed: Subscribe to a threat
information service
A cost effective way to stay on top of things

ƒ Stay informed: Actually read the information
coming from your threat information service
Summaries are quick

ƒ Utilize your infrastructure
Use tools that you already have available

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 88

© 2008, Cisco Systems, Inc. All rights reserved. 44
14330_04_2008_c1.scr
Technology Recommendations

ƒ Change the game: Deploy NAC
Raise the bar on the level of protection at the internal edge

ƒ Develop and implement a complete “incident
response system”
Include technologies like IPS that enable visibility and
protection; ensure you’ve got the tools to help (like MARS)
Get tested! Engage a reputable penetration testing firm

ƒ Deploy anomaly technologies
Anomaly detection technologies can catch some emerging
threats before they’re well known

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 89

Intelligence Service Example
Cisco IntelliShield Alert Manager
Threat and Vulnerability
Intelligence Alerting Service
Receive Vital Intelligence that
Is Relevant and Targeted to
Your Environment

ƒ Tactical, operational and strategic
intelligence
ƒ Vendor neutral
ƒ Life cycle reporting
ƒ Vulnerability workflow
management system
ƒ Comprehensive searchable
alert database

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 90

© 2008, Cisco Systems, Inc. All rights reserved. 45
14330_04_2008_c1.scr
Intelligence Summary Example
Cisco IntelliShield Cyber Risk Reports

A Strategic Intelligence Report
that Highlights Current Security
Activity and Mid-to Long-range
Perspectives

ƒ Addresses seven major risk
management categories:
vulnerability, physical, legal, trust,
identity, human, and geopolitical.
ƒ The PSARs are a result of
collaborative efforts, information
sharing, and collective security
expertise of senior analysts from
Cisco security services that
include the IntelliShield team

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 91

Utilize Your Infrastructure
Cisco Applied Intelligence Responses

Actionable Intelligence that
Can Be Used on Existing
Cisco Infrastructure

ƒ Vulnerability Characteristics
ƒ Mitigation Technique Overview
ƒ Risk Management
ƒ Device-Specific Mitigation
and Identification
Cisco IOS® Routers and Switches
Cisco IOS NetFlow
Cisco ASA, PIX®, and FWSM Firewalls
Cisco Intrusion Prevention System
Cisco Security Monitoring, Analysis,
and Response System
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 92

© 2008, Cisco Systems, Inc. All rights reserved. 46
14330_04_2008_c1.scr
Incident Response and Threat
Prevention Systems

Considerations for Building
CS-MARS CSM a System
Cisco Security Cisco Catalyst®
Agent (CSA) Cisco ASA 5500 Service ƒ Monitoring Console:
Adaptive Security Modules
Appliance
A strong monitoring console
Cisco ISR is essential—without that,
Routers
you’re blind
CSA Internet Intranet
ƒ Breadth of Network
Control Points:
Have IPS technology ready in
Integrated Data
Monitoring, as many locations as possible,
Branch Correlation, and even if you’re not using it—it’ll
Protection Center
Response
Protection be there when you need it
Day Zero Converged Security ƒ Fine-grained Endpoint Control:
Server
Endpoint Perimeter Management
Protection Protection
Protection Ensure your endpoint security
software provides granular use
control, in addition to protective
services

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 93

Some Closing Thoughts
ƒ Do not get overwhelmed
ƒ Small steps can make a
big difference
ƒ Remember, to survive a
bear attack, you don’t
have to be fastest
person…you just need
to be faster than the
next guy
ƒ Do not be the least
prepared

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 94

© 2008, Cisco Systems, Inc. All rights reserved. 47
14330_04_2008_c1.scr
Q and A

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 95

Recommended Reading

ƒ Continue your Cisco Live
learning experience with further
reading from Cisco Press
ƒ Check the Recommended
Reading flyer for suggested
books

Available Onsite at the Cisco Company Store
BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 96

© 2008, Cisco Systems, Inc. All rights reserved. 48
14330_04_2008_c1.scr
Complete Your Online
Session Evaluation
ƒ Give us your feedback and you could win Don’t forget to activate
fabulous prizes. Winners announced daily. your Cisco Live virtual
account for access to
ƒ Receive 20 Passport points for each session all session material
evaluation you complete. on-demand and return
for our live virtual event
ƒ Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center. Solutions or visit
www.cisco-live.com.

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 97

BRKSEC-2001
14330_04_2008_c1 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 98

© 2008, Cisco Systems, Inc. All rights reserved. 49
14330_04_2008_c1.scr