BRKSEC-2010

Talos Insights: The State of Cyber Security

Martin Lee, Manager Talos Outreach EMEA & Asia

Agenda

• Fundamentals of the Threat Environment
  • Hardware Engineering
  • Software Engineering
  • No Such Thing As A New Crime
  • People

• The Threat Landscape in 2018
  • vs Crypto Mining
  • Hitting the First Hop & VPN Filter
  • Disrupting the Bad Guys

• Talos Overview

• Q&A

BRKSEC-2010 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

Who Am I?

• Recycled human viral geneticist

• 23 years IT experience

• 16 years cyber security

• Chartered Engineer & CISSP

• Keen (if not very good) runner

What Is Cisco Talos?

• Cisco’s security research & threat intelligence team.

• Focused on the threat landscape & detecting threats

• Integral part of everything Cisco Security.

What Is Cisco Talos?

A pan-European team.

Talos Threat Intelligence

The Backbone of Cisco Security

[Figure: Cisco Security products fed by Talos detection content, grouped as Email Security, Network, Endpoint, Appliance and Cloud: Cloud Email Security, Snort subscription rule set, NGFW, AMP for Endpoints, AMP for Networks, AMP for Gateways, Cloud Web Security, Umbrella, NGIPS, FirePower / ASA, Web Security Appliance, Meraki]

• Talos creates the threat detection content in all Cisco Security products, providing customers with comprehensive solutions from cloud to core.

Fundamentals of the Threat Environment

Information Technology

Moore’s Law

• Pi Zero: €5, 270M transistors

• PC1640: €1100, 29k transistors

Everything is Becoming Connected

[Chart: number of connected devices in billions, 1992 to 2022, by category: PC, Printers, Surveillance, Mobile, People, Household, Remote Control, Transportation, Everyday Objects, Smart Cities; labels: Physical World, Web?, Office Security, Miniaturization]

The Joy of Software Engineering

Software Vulnerabilities

[Chart: total number of CVEs and number of low-complexity CVEs per year]

19.5% of CVEs in 2016 were easily detected low-complexity vulnerabilities.

Weak Software Engineering

One device, one engineer, 14 day study – how many vulnerabilities?

• Crypto error led to…

• Full console access, which led to…

• Remote code execution, which revealed…

• Hard-coded backdoor credentials.

7 new vulnerabilities identified (plus susceptible to 4 known vulns)

Source: https://blog.talosintelligence.com/2017/04/moxa-box.html

We Can Always Patch, Right?

No Such Thing As A New Crime

Threat Actors

Behind every attack is someone trying to achieve an objective.

• Delinquents

• Criminals

• APT

Delinquents / Hacktivists

Loosely organized, common purpose, high profile disruption.

Anonymous, LulzSec, Ghost Squad, Ayyildiz Tim


Criminals

Ransomware: Romantik Seehotel Jaegerwirt

“computer systems were locked by ransomware, meaning new keycards could not be programmed until the ransom was paid. In total, Brandstätter claims, €1,500 (£1,275) worth of bitcoin was paid to the hackers and it was the fourth time it has happened.”

APT

Surveillance

What do you know? Who are you talking to? What are you talking about?

APT

Geopolitics

Targeted disruption of assets.

The Trouble With People

The People Problem

People are much more profitable to exploit than software.

Human Error Is Predictable

Human Error

• Unintended – the right thing, actions done wrong
  • Slips: attention failures
  • Lapses: memory failures

• Intended – the wrong thing, actions done right
  • Mistakes: wrong decisions
  • Violations: knowingly wrong

Don’t Click the Link

Oops!

Threat Landscape in 2018

The Commodity Ecosystem

[Figure: a malware author supplies malware to miscreants, who operate a command & control server (C2) and deliver the malware to victims (their “customers”) via email, web and exploitation]

Social Engineering

Tools
• Phone Calls, Instant Messaging, Email
• Use Confidence & Smooth Talking
• Leveraged for Additional Access

Tactics
• Take Advantage of People
• Using Help for Malicious Purposes

Description
• Almost Always Works
• Attacking the User Instead of the System
• Users Don’t Always Report
• Can Result in Compromise of Systems or BEC

Processes
• Typically Targeted
• Requires Active User Participation

Sextortion Scam

Tools
• Leveraged Old Data Breach Info
• Threatening Sextortion Emails
• Bitcoin for Payout

Tactics
• Take Advantage of Old Data
• Real Credentials to Scare Users

Description
• Threaten with Exposure, Profit
• Leveraged Open Source Breach Data
• Crafted Emails w/ Real Credentials
• Generated ~$150K in Cryptocurrency

Processes
• Used Freely Available Data
• Played on People’s Fear
• Generated Significant Profits

Ransomware

Tools
• Emotet and various Loaders
• Docs, Exec, PDFs, RTFs
• RaaS

Tactics
• Spam with embedded files
• Link based Spam

Description
• Tor and Bitcoin/Crypto currency
• Lots of Individual Actors
• Spray and Pray
• Disruptive Nuisance

Processes
• Encrypts files
• Some contain lateral movement functionality or share encryption

SamSam

Tools
• Public Exploits & Brute Force tools
• Windows Utils PSEXEC & WMI
• Mimikatz and Credential stealers

Tactics
• Targets verticals and known vulns
• Custom ransomware for each attack

Description
• Small ransoms for higher rates
• SamSam is a Ransomware Actor
• Focuses on Verticals
• Has over 5 million in BTC

Processes
• Steals credentials, moves laterally
• Works one “client” at a time, but targets verticals in groups

Crypto Mining

Tools
• Macros, Docs, PDFs, and EXEs
• Also compiled for IoT devices
• Mimikatz and Credential stealers

Tactics
• Default passwords
• Spam, Link Spam, and Phishing

Description
• Coinhive & other embedded miners
• Utilizes spare CPU to make money
• Steals CPU time
• Doesn’t cause problems, so users don’t report it

Processes
• Wide and Common
• Low bar like Ransomware

One System Mining

125 hashes per second: $0.25 per day in XMR

Many Systems Mining

2000 systems: $500 per day in XMR

Crypto Miner Distribution

• Emails

• Exploit Kits

• Unpatched Vulnerabilities

Follow the Money

Coal not Diamonds

[Figure: infection flow – a fake driver calculator service offers a “new driver version”, installs the driver and a Bitvote miner, which then downloads and parses its configuration (PE)]

C2 DNS Records

Payback

Approx. 3000 infected devices, earned 4448 Bitvotes, ~1500 USD

Hitting the First Hop

Malicious Infrastructure

Network infrastructure offers opportunities to bad guys.

Hostile Smart Install Client Scan

Publicity

Publicity Effects

Before vs After: 65% decrease in 7 days!

VPN Filter

Tools
• Custom built bot framework
• Module architecture for updates
• Complex C2 & multi-stage platform

Tactics
• Targets edge devices
• Redirects and modifies network traffic

Description
• Pivot functionality
• Edge Device
• Attributed to Russia
• Infected over 500K devices

Processes
• Get everything, find interesting
• Pivot and hold

Infection Schema

Multi-layer modular malware.

VPNFilter Capabilities

• Scan internal network
• Look for Modbus traffic
• Downgrade https to http
• Steal credentials
• Steal authentication tokens
• Redirect traffic
• Create TOR network

Working together to disrupt the bad guys

Olympic Destroyer

Tools
• PSEXEC / WMI / Creds stealer / Browser stealer
• Use Windows system tools for most actions
• Mimikatz and Credential stealers

Tactics
• Supply chain attack methodology
• Lateral movement using WMI and PSEXEC
• Automated lateral movement using stolen creds

Description
• Targeted Korean Olympics
• US attributes N Korea
• Attempted attribution misdirection

Processes
• Steals credentials and moves laterally
• Focused and targeted attack for political gain

Disrupting the Bad Guys

Cycle of Innovation

[Figure: a cycle between threat actors and the security community. Attackers improve attacks, leading to breaches and obsolete technology; defenders improve protection, leading to arrests and obsolete actors.]

Decreasing the ROI for Bad Guys

[Chart: barrier to entry plotted against sophistication, with Script Kiddies, Criminals and APT in order of increasing sophistication]

Superior detection creates “barriers to entry” for bad guys.

Empowering the Security Community

Open source tools for everyone

Do Your Bit

Defeating the bad guys together

• Prevent Delivery

• Detect & Block Exploitation

• Detect & Block Installation

• Recover Quickly

Talos Overview

Talos Website: https://www.talosintelligence.com

Our website, our tools

Talos Website – Reputation Centre

• IP and Domain Reputation Center: IP & domain reputation + email volume

• Contact reputation support – consider TAC first!

• Talos File Reputation: SHA256 hash look-up

• IP Blacklist: updated every 15 mins, but only 1% of the total reputation system

Talos Website – Software: free security tools amongst many

• Snort – leading IPS/IDS solution

• Immunet – free/home version of AMP

• Pyrebox – reverse engineering framework

Talos Website – Support Communities: get involved!

• Snort Community – contribute rules, pcaps, train up others

• ClamAV Community – share samples, write rules, develop the software

• Project ASPIS – free community for Service Providers, share info on threat actors

Talos Website – Blog: blog.talosintelligence.com

Our latest research

Q&A

• blog.talosintelligence.com

• @talossecurity

Cisco Webex Teams

Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How:
1. Find this session in the Cisco Events Mobile App
2. Click “Join the Discussion”
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

cs.co/ciscolivebot#BRKSEC-2010

Complete your online session survey

• Please complete your Online Session Survey after each session

• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education

• Related sessions

• Demos in the Cisco Showcase

• Walk-in self-paced labs

• Meet the engineer 1:1 meetings

Thank you