
BRKSEC-2010

Talos Insights: The State of Cyber Security

Martin LEE, Manager Talos Outreach EMEA & Asia


Agenda
• Fundamentals of the Threat Environment
• Hardware Engineering
• Software Engineering
• No Such Thing As A New Crime
• People
• The Threat Landscape in 2018
• Ransomware vs Crypto Mining
• Hitting the First Hop & VPN Filter
• Disrupting the Bad Guys
• Talos Overview
• Q&A

BRKSEC-2010 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Who Am I?
• Recycled human viral geneticist
• 23 years IT experience
• 16 years cyber security
• Chartered Engineer & CISSP

• Keen (if not very good) runner

What Is Cisco Talos?

• Cisco’s security research & threat intelligence team.
• Focused on the threat landscape & detecting threats.
• Integral part of everything Cisco Security.

What Is Cisco Talos?

A pan-European team.

Talos Threat Intelligence
The Backbone of Cisco Security

[Diagram: Talos threat intelligence feeding Cisco Security products across Network, Endpoint, Appliance and Cloud: Snort subscription rule set, NGFW, NGIPS, FirePower / ASA, Meraki, AMP for Networks, AMP for Endpoints, AMP for Gateways, Web Security Appliance, Email Security Appliance, Cloud Email Security, Cisco Cloud Web Security, Umbrella.]

• Talos creates the threat detection content in all Cisco Security products, providing customers with comprehensive solutions from cloud to core.
Fundamentals of the Threat Environment
Information Technology

Moore’s Law

Pi Zero: €5, 270M transistors
PC1640: €1100, 29k transistors

Everything is Becoming Connected

[Chart: number of connected devices in billions (0 to 50) from 1992 to 2022. Device categories appearing over time: PC, Printers, Surveillance, Mobile, People, Household, Remote Control, Transportation, Office, Security, Miniaturization, Everyday Objects, Smart Cities, Physical World Web?]

The Joy of Software Engineering
Software Vulnerabilities

[Chart: number of CVEs per year, showing the total number of CVEs and the number of low-complexity CVEs.]

19.5% of CVEs in 2016 were easily detected low-complexity vulnerabilities.

Weak Software Engineering
One device, one engineer, 14 day study – how many vulnerabilities?

• Crypto error led to…
• Full console access, which led to…
• Remote code execution, which discovered…
• Hard-coded backdoor credentials.

7 new vulnerabilities identified (plus susceptible to 4 known vulns)
Source: https://blog.talosintelligence.com/2017/04/moxa-box.html

We Can Always Patch, Right?

No Such Thing As A New Crime
Threat Actors
Behind every attack is someone trying to achieve an objective.

Delinquents Criminals APT

Delinquents / Hacktivists
Loosely organized, common purpose, high profile disruption.

Anonymous
Lulzsec
Ghost Squad
Ayyildiz Tim

Criminals
Ransomware: Romantik Seehotel Jaegerwirt

“computer systems were locked by ransomware, meaning new keycards could not be programmed until the ransom was paid. In total, Brandstätter claims, €1,500 (£1,275) worth of bitcoin was paid to the hackers and it was the fourth time it has happened.”

APT
Surveillance

What do you know?
Who are you talking to?
What are you talking about?

APT
Geopolitics

Targeted disruption of assets.

The Trouble With People
The People Problem

People are much more profitable to exploit than software.

Human Error Is Predictable

Unintended actions (the right thing done wrong):
• Slips – attention failures
• Lapses – memory failures

Intended actions (the wrong thing done right):
• Mistakes – wrong decisions
• Violations – knowingly wrong

Don’t Click the Link
Oops!

Threat Landscape in 2018
The Commodity Malware Ecosystem

[Diagram: Malware Author, Miscreants, Malware, Command & Control Server (C2), delivery via Email / Web / Exploitation, Victims (Customers)]

Social Engineering
Tools
• Phone Calls, Instant Messaging, Email
• Use Confidence & Smooth Talking
• Leveraged for Additional Access

Tactics
• Take Advantage of People
• Using Help for Malicious Purposes
• Almost Always Works

Description / Processes
• Attacking the User Instead of the system
• Users Don’t Always Report
• Typically Targeted
• Can Result in Compromise of Systems
• Requires Active User Participation or BEC

Sextortion Scam
Tools
• Leveraged Old Data Breach Info
• Threatening Sextortion Emails
• Bitcoin for Payout

Tactics
• Take Advantage of Old Data
• Real credentials to Scare Users
• Threaten with Exposure, Profit

Description
• Leveraged Open Source Breach Data
• Crafted Emails w/ real credentials
• Generated ~$150K in crypto currency

Processes
• Used Freely Available Data
• Played on People’s Fear
• Generated Significant Profits

Ransomware
Tools
• Emotet and various Loaders
• Docs, Exec, PDFs, RTFs
• RaaS

Tactics
• Spam with embedded files
• Link based Spam
• Tor and Bitcoin/Crypto currency

Description
• Lots of Individual Actors
• Spray and Pray
• Disruptive Nuisance

Processes
• Encrypts files.
• Some contain lateral movement functionality or share encryption

SamSam
Tools
• Public Exploits & Brute Force tools
• Windows Utils PSEXEC & WMI
• Mimikatz and Credential stealers

Tactics
• Targets vertical and known vulns
• Custom ransomware for each attack
• Small ransoms for higher rates

Description
• SamSam is a Ransomware Actor
• Focuses on Verticals
• Has over 5 million in BTC

Processes
• Steals credentials, moves laterally
• Works one “client” at a time, but targets verticals in groups

Crypto Mining
Tools
• Macros, Docs, PDFs, and EXEs
• Also compiled for IoT devices
• Mimikatz and Credential stealers

Tactics
• Default passwords
• Spam, Link Spam, and Phishing
• Coinhive & other embedded miners

Description
• Utilizes spare CPU to make money
• Wide and Common
• Low bar like Ransomware

Processes
• Steals CPU time
• Doesn’t cause problems, so users don’t report it.

One System Mining

125 Hashes per Second: $0.25 per day in XMR

Many Systems Mining

2000 systems: $500 per day in XMR

Crypto Miner Distribution

Emails, Exploit Kits, Unpatched Vulnerabilities

Follow the Money

Coal not Diamonds

[Diagram, infection chain: Fake calculator; Install driver and service; New driver version; Download and parse configuration; Bitvote miner (PE)]

C2 DNS Records

Payback

Approx. 3000 infected devices, earned 4448 Bitvotes, ~1500 USD

Hitting the First Hop

Malicious Infrastructure
Network infrastructure offers opportunities to bad guys.

Hostile Smart Install Client Scan

Publicity

Publicity Effects
Before / After

65% Decrease in 7 Days!!!!

VPN Filter
Tools
• Custom built bot framework
• Module architecture for updates
• Complex C2 & multi-stage platform

Tactics
• Targets edge devices
• Redirects and modifies network traffic
• Pivot functionality

Description
• Edge Device BotNet
• Attributed to Russia
• Infected over 500K devices

Processes
• Get everything, find interesting
• Pivot and hold

Infection Schema

Multi-layer modular malware.

VPNFilter Capabilities

Scan internal network.
Look for Modbus traffic.
Downgrade https to http.
Steal credentials.
Steal authentication tokens.
Redirect traffic.
Create TOR network.

Working together to disrupt the bad guys

Olympic Destroyer
Tools
• PSEXEC / WMI / Creds stealer / Browser stealer
• Use Windows system tools for most actions
• Mimikatz and Credential stealers

Tactics
• Supply chain attack methodology
• Lateral movement using WMI and PSEXEC
• Automated lateral movement using stolen creds

Description / Processes
• Targeted Korean Olympics
• US attributes N Korea
• Steals credentials and moves laterally
• Attempted attribution misdirection
• Focused and targeted attack for political gain

Disrupting the Bad Guys
Cycle of Innovation

[Diagram: a cycle between threat actors and the security community. Attackers improve attacks, leading to breaches and obsolete technology; defenders improve protection, leading to arrests and obsolete actors; and the cycle repeats.]

Decreasing the ROI for Bad Guys

[Chart: barrier to entry against sophistication, rising from Script Kiddies through Criminals to APT.]

Superior detection creates “barriers to entry” for bad guys.

Empowering the Security Community
Open source tools for everyone

Do Your Bit
Defeating the bad guys together

Prevent Delivery

Detect & Block Exploitation

Detect & Block Installation

Recover Quickly

Talos Overview
Talos Website
https://www.talosintelligence.com
Our website
Our tools

Talos Website
https://www.talosintelligence.com

Reputation centre

Talos Website
Reputation Centre

IP and Domain Reputation Center
IP & domain reputation + email volume
Contact reputation support – consider TAC first!

Talos File Reputation
SHA256 – hash look-up

IP Blacklist
Updated every 15 mins, but only 1% of total reputation system

Talos Website
https://www.talosintelligence.com

Software

Talos Website
Software – Free security tools amongst many.

Snort – leading IPS/IDS solution

Immunet – free/home version of AMP

Pyrebox – reverse engineering framework

Talos Website
https://www.talosintelligence.com

Support Communities

Talos Website
Support Communities – Get Involved!

Snort Community
Contribute rules, pcaps, train up others

ClamAV Community
Share samples, write rules, develop the software

Project ASPIS
Free community for Service Providers, share info on threat actors

Talos Website
https://www.talosintelligence.com

Blog

Talos Website
Blog.talosintelligence.com

Our latest research

Q&A
• blog.talosintelligence.com
• @talossecurity

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKSEC-2010

Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education

• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
