Cisco® Collective Security Intelligence

Malware Mega Threats
2700 W. Cypress Creek Rd. Suite C110, Fort Lauderdale, FL 33309
954-832-3601 ● Fax: 954-659-1610 ● www.greysontech.com
Who is Greyson Technologies?
www.greysontech.com
What We Do!
Greyson delivers measurable business outcomes by architecting and implementing Unified Communications, Security, Enterprise Networking, Virtualization and Storage solutions in secure, hybrid cloud environments.
Why Greyson?
Named South Florida’s Fastest Growing IT Company
• Florida’s 13th fastest
Simply the Best Engineers – An Expert Team of A+ Players
• Local
• Certified
• Experienced with real-world expertise
• Professional
Why We Are Here
CIO Roundtable – Security Presents a Major Concern!
Survey data:
• 57% of respondents expect to experience a security breach within the next year.
• Attack vectors changing: Silverlight attacks up 228% in Sept. 2014
• Phishing and spam: up 250%
• Persistent state of infection: malware infections up 250% in Oct. 2014
• Only 20% of respondents regularly communicate with management about threats.
• 1 month: the amount of time survey respondents say it took to investigate, restore service and verify resolution of incidents.
Intelligent Cybersecurity
for the Real World
Chris Robb
Advanced Malware Specialist, Cisco Security
chrrobb@cisco.com
© 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
The World Has Changed: Any Device to Any Cloud
(Diagram: public cloud, hybrid cloud and private cloud)
The World Has Changed: The Industrialization of Hacking
(Timeline diagram, 2000 / 2005 / 2010 / Today+: threats progress from viruses and worms, through spyware and rootkits, to APTs and cyberware; the defensive response progresses from anti-virus (host), to IDS/IPS (network), to anti-malware (host+network), to intelligence and analytics with enterprise response (host+network+cloud).)
In the news… what do these all have in common?
• Home Depot
• Florida bank notifies roughly 72,000 customers of breach
• Russian PM’s Twitter hacked – “I resign”
• Sony suffers DoS attack
• 25,000 records of Homeland Security employees stolen
• JP Morgan
• $100,000 bitcoin loss due to hack
• Teenager hacked into Metropolitan Police’s computer
• 60k Tennessee workers impacted by subcontractor breach
• Los Angeles-based health system breached
• 4.5M records stolen from US health giant
• Over 50 UPS franchises hit by data breach
• Saudi TV website hacked by Libyan
• NRC computers hacked 3 times
• Microsoft’s Twitter account hacked
• Goodwill
• Sony’s Twitter account hacked
• Insider breach at Las Vegas Brain and Spine Surgery Center
• MeetMe social network users’ passwords stolen
• Russian hackers steal 4.5B records
• Norwegian oil industry under attack
• Ferguson police office’s computers hacked
• Albertson’s stores’ credit card data hacked
• Payment cards used on Wireless Emporium website compromised
• Dairy Queen hacked
Customer Success Story: Large Financial Services Firm
Version of malware that took out Sony Pictures seen “in wild” in July
While the malware that took down computers at Sony Pictures last week was just compiled days before it was triggered, an earlier version of the code used to unleash the destructive attack may have been in use much earlier within Sony’s network. Malware with the same cryptographic signature and filename as the “Destover” malware was spotted by the security firm Packet Ninjas in July.
That malware communicated with one of the same IP addresses and domain names as the final “Destover” malware: a server at Thammasat University in Bangkok, Thailand. The malware, which was found in a Cisco Partner ThreatGrid repository, also communicated with a network address assigned to a New York business customer of TimeWarner Cable.
Taken from article, http://arstechnica.com/security/2014/12/version-of-malware-that-took-outsony-pictures-seen-in-wild-in-july/

12/04/2014: What has happened at Sony Pictures over the past week reads like a blockbuster screenplay—or a chief executive’s nightmare: Hackers target a major entertainment company, disabling its internal systems and leaking documents revealing long-held secrets, from coming products to executive pay.

12/05/2014: The Sony data breach continues to get worse. First, it was exposed budgets, layoffs and 3,800 SSNs, then it was passwords. Now, it's way more social security numbers—including Sly Stallone's.
The Wall Street Journal reports that analysis of the documents leaked so far included the Social Security numbers of 47,000 current and former Sony Pictures workers. That included Sylvester Stallone, Rebel Wilson, and Anchorman director, Judd Apatow. The Journal reports that the SSNs are found alongside salary information, home addresses, and contract details.
www.ThreatGRID.com
The Silver Bullet Does Not Exist
(Diagram: each generation of point-in-time technology arrived with its own promise. Technologies: FW/VPN, AV, PKI, IDS/IPS, UTM, NAC, Application Control, Sandboxing, Threat Analytics. Taglines: “Block or Allow”, “It matches the pattern”, “No key, no access”, “No false positives, no false negatives”, “Fix the Firewall”, “Captive portal”, “Outside looking in”, “Detect the Unknown”.)
The best point-in-time protection protects you 90+% of the time.
Point-in-Time Detection
(Diagram: antivirus and sandboxing are not 100%. Analysis stops at the event horizon, so the initial disposition is “clean”. Sleep techniques, unknown protocols, encryption and polymorphism evade the check, so the actual disposition is “bad”, discovered too late, and the defender is blind to the scope of compromise.)
AMP goes beyond point-in-time detection
Attack Continuum:
BEFORE – Discover, Enforce, Harden
DURING – Detect, Block, Defend
AFTER – Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud, Email & Web
Protection modes shown: Point-in-time; Continuous
Continuous Protection when advanced malware evades point-in-time detection
(Diagram, two tracks:)
Point-in-time detection (antivirus, sandboxing): not 100%. Analysis stops; initial disposition = clean. Sleep techniques, unknown protocols, encryption and polymorphism evade it. Actual disposition = bad = too late!!
AMP: initial disposition = clean, but analysis continues. Retrospective detection: actual disposition = bad = blocked.
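To make the retrospective-detection idea on this slide concrete, here is a small Python engine written for this page (example code, not Cisco AMP's implementation): it records a file trajectory per hash, and when a verdict flips to malicious later it replays the stored sightings and reports the scope of compromise. Host names, timestamps and the hash value are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not Cisco's code: a toy retrospective-detection engine that
# keeps a file trajectory so a late "malicious" verdict can be applied backwards.

@dataclass(frozen=True)
class FileEvent:
    ts: int       # constructed timestamp, seconds since start of capture
    host: str     # hypothetical host name
    sha256: str   # file hash (placeholder value below)
    action: str   # what the endpoint observed: "create", "execute", "copy"

class RetrospectiveEngine:
    def __init__(self):
        self.trajectory = defaultdict(list)  # sha256 -> [FileEvent, ...]
        self.disposition = {}                # sha256 -> "clean" | "malicious"
        self.alerts = []                     # (kind, host, sha256, ts)

    def ingest(self, ev):
        """Point-in-time check: record the sighting, block only if the hash is known bad now."""
        self.trajectory[ev.sha256].append(ev)
        verdict = self.disposition.get(ev.sha256, "unknown")
        if verdict == "malicious":
            self.alerts.append(("blocked", ev.host, ev.sha256, ev.ts))
        return verdict

    def update_disposition(self, sha256, verdict):
        """Retrospective step: replay the stored trajectory under the new verdict."""
        self.disposition[sha256] = verdict
        if verdict == "malicious":
            for ev in self.trajectory[sha256]:
                self.alerts.append(("retrospective", ev.host, sha256, ev.ts))
        return len(self.trajectory[sha256])   # sightings that were missed at the time

    def scope(self, sha256):
        """Scope of compromise: every host that saw the file and when it first did."""
        first_seen = {}
        for ev in sorted(self.trajectory[sha256], key=lambda e: e.ts):
            first_seen.setdefault(ev.host, ev.ts)
        return first_seen

# Constructed telemetry: one dropper spreading across hosts while still rated unknown.
H = "sha256-PLACEHOLDER-dropper"
SAMPLE = [FileEvent(0, "ws-01", H, "create"), FileEvent(5, "ws-01", H, "execute"),
          FileEvent(120, "ws-02", H, "copy"), FileEvent(250, "ws-03", H, "copy")]

def run_demo():
    eng = RetrospectiveEngine()
    for ev in SAMPLE:
        eng.ingest(ev)                                # all pass: nothing matches yet
    missed = eng.update_disposition(H, "malicious")  # verdict arrives later
    eng.ingest(FileEvent(400, "ws-04", H, "copy"))   # now blocked at point in time
    return eng, missed
```

After `run_demo()`, `eng.scope(H)` lists four hosts with first-seen times, which is the information a point-in-time product that stops analysing at the event horizon cannot give you.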
Sample of Traditional Point-in-Time Protection
AMP for Endpoint: Device Trajectory / Incident Analysis
Reduce Attack Surface
• Retrospective detection and protection
• Ability to learn and proactively reduce your attack surface
Cisco Advanced Malware Protection
Built on unmatched collective security intelligence
(Diagram: Cisco® Collective Security Intelligence Cloud)
Sources: Email, Endpoints, Web (web requests), Networks, IPS, Devices
• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600+ engineers, technicians, and researchers
• 35% worldwide email traffic
• 24x7x365 operations
• 40+ languages
• AMP Threat Grid dynamic analysis: 10 million files/month
• 180,000+ file samples per day
• Automatic updates every 3-5 minutes
Intelligence inputs: Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AMP Community; AEGIS™ Program; Private/Public Threat Feeds
Cisco AMP Solution Options

Customer Need                                                        | Feature                   | WSA, ESA, CWS | Network | Endpoint
I want to be able to define policies for malware…                    | File Reputation           | ✔             | ✔       | ✔
I want to be able to isolate suspected malware for threat analysis…  | Sandboxing                | ✔             | ✔       | ✔
I want to be able to backtrack if malware makes it into my system…   | Retrospective Security    | ✔             | ✔       | ✔
I need to identify compromised devices on my network…                | Indications of Compromise |               | ✔       | ✔
I want to track how a file has been behaving…                        | File Analysis             |               | ✔       | ✔
I want to track how threats traverse the network…                    | File Trajectory           |               | ✔       | ✔
I want to see system activities, relationships and events…           | Device Trajectory         |               |         | ✔
I want to search large sets of data for compromises…                 | Elastic Search            |               |         | ✔
I want to be able to stop the spread of malware with custom tools…   | Outbreak Control          |               |         | ✔
Malware Analysis & Threat Intelligence
The First Unified Malware Analysis & Threat Intelligence Solution
Be Proactive. Recover Faster. Defeat Advanced Threats. Maximize Existing Investments.
ThreatGRID is revolutionizing how organizations use accurate and context-rich malware analysis and threat intelligence to defend against advanced cyber attacks.
Some Cool Things We Do!!!
• Allow you to interact with malware
• Prioritize threats
• “Outside looking in” approach
• Context-driven malware analytics
Sample report from AMP integration
ThreatGRID Unique Value
(Diagram: the ThreatGRID Portal at the center)
Who it serves: SOC; Investigation & Response; Threat Intelligence; Security Infrastructure Engineering
What it offers: context-driven malware analytics; simple & custom feeds; community power & scale; 2-way API integration; easy to use; adaptive analysis; multiple deployment options
Outcomes: defeat advanced attacks; recover faster; be proactive; maximize existing investment
Cisco AMP Delivers Three Advantages
1. A better approach: Cisco® Collective Security Intelligence
2. More comprehensive protection: Network, Content and Endpoint, combining point-in-time detection with retrospective security
3. Address the full attack continuum: BEFORE, DURING, AFTER
C97-732872-00 © 2014 Cisco and/or its affiliates. All rights reserved.
Cisco Advanced Malware Protection (AMP)
(Architecture diagram)
Intelligence: TALOS, ThreatGrid
Capabilities: Web Filtering and Reputation; File Type Blocking; Application Visibility & Control; Security Intelligence; Indicators of Compromise; File Reputation; Traffic Intelligence; File Sandboxing; Cognitive Threat Analytics; File Retrospection; Traffic Redirections
Enforcement points: ASA/NGIPS, WSA, AMP Appliance, ESA, AnyConnect AMP for Endpoint
Deployment: HQ (Admin; Management, Reporting, Log Extraction), Main Office, Branch Office, Roaming User
Verdict actions: Allow, Warn, Block, Partial Block
Example destination in the diagram: www.website.com
Evolution of AMP Everywhere
(Timeline diagram, 2012–2014)
Products: AMP Network; AMP Network Appliance; AMP Endpoint PC; AMP Endpoint Mobile; AMP Endpoint Virtual; AMP Endpoint Mac; AMP for Content; AMP Private Cloud; AMP for ASA; ThreatGRID
Capabilities added along the way: Retrospective; Trajectory; Outbreak Control; Device Trajectory; Flow Correlation
AMP for Endpoints Customer Testimonial…
https://www.youtube.com/watch?v=RjPB__9BIww
Let’s Play Enterprise Feud
Top 3 Answers on the Board
Phishing Attack Example
Phishing Attack Results
Greyson Consulting Services
How Greyson Works with Our Clients
• Local, personal relationships built on trust.
• Long-term partnerships with consistency of engineering talent.
• Analysis, Architecture, Delivery and Management.
• Enterprise solutions:
  - Security infrastructure best practices assessment
  - Next-generation firewalls and IPS
  - Advanced Malware Protection
  - Email and Web Content Security
  - NetFlow-based network behavior anomaly detection
  - Policy-based security enforcement
Questions?