Post on 31-Mar-2020
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Only Intelligent Security Is the Answer to Intelligent Attacks. Yongho Kim, Manager (yonghkim@cisco.com)
Security Specialist
Mar 13, 2014
Agenda
1. The New Security Model
2. Intelligent security beyond sandboxing
3. Cloud-based intelligent analytics security
4. Open application identification
5. Summary
The New Security Model
Advanced malware in the news (Source: Providence Journal)
1. Somehow get into the network
2. Infect the PoS terminals themselves
3. Read/Dump memory/databases on the PoS terminal
4. Offload the data somewhere
5. Send the data back to a remote server
Typical Advanced Persistent Threat (APT) attack
Diagram labels: compromised internal server; POS terminals; private WAN segment (trusted); stores; data center; updates from POS server over HTTPS; external organisation: credit card processor, credit card processing over HTTPS; Internet; wireless LAN AP; wireless POS terminals; compromised external server on the Internet (command and collection).
Malware targeting POS terminals: known, variant, and externally connected malware
BlackPOS (POSRAM)
• Dump Memory Grabber: allegedly the malware used in the Target/Neiman Marcus attacks.
• 29420, 29421 MALWARE-CNC Win.Trojan.Reedum outbound FTP connection
Chewbacca
• Malware that reads process memory, logs keystrokes and uses the TOR network to ship data back.
• 29440 MALWARE-CNC Win.Trojan.Chewbacca outbound communication attempt
Dexter
• Locates, dumps and ships credit card track data in memory for potential cloning.
• Ships data back over HTTP. Coverage was shipped for this threat in Jan of 2013.
• 25553 MALWARE-CNC Win.Trojan.Dexter variant outbound connection
Trackr/Alina
• Similar to Dexter; locates, dumps and ships credit card track data in memory.
• Ships data back over HTTP. Coverage was shipped for this threat in May of 2013.
• 26686 BLACKLIST User-Agent known malicious user agent - Alina
VSkimmer
• Sold as a successor to Dexter with more functionality. Ships data back over HTTP.
• 29415 BLACKLIST DNS request for known malware domain posterminalworld.
• 29416 MALWARE-CNC Win.Trojan.vSkimmer outbound connection
Cisco 2014 Annual Security Report: analysis of the major threats and security incidents of 2013
Trusted applications are the main vehicle for attacks on gaps at the security perimeter
Internet-borne attacks on infrastructure are increasing, with critical resources as the primary targets
In practice, 100% showed connection traffic to malicious sites and malware hosts
The security challenges we face
• Changing business models
• A dynamic threat landscape
• Growing complexity and fragmented security
THE New Security Model
Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Across: Network, Endpoint, Mobile, Virtual, Cloud
Point in Time vs. Continuous
Key strategies of the new security model
• Visibility: an integrated network, a broad sensor base, context awareness and automated collection
• Threat-focused: continuous protection against advanced threats, correlated with cloud-based threat intelligence
• Platform-based: an agile and open platform, designed for scalability, with continuous control and management
Across network, endpoint, mobile, virtualisation and cloud
Visibility: effective real-time context awareness
Visibility across: network services, operating systems, routers and switches, mobile devices, printers, VoIP devices, virtual machines, client applications, files, users, web applications, application protocols, services, malware, malicious external command-and-control servers, vulnerabilities, NetFlow, network usage behaviour, and processes.
Threat-focused
Detection, context identification and effective threat blocking
Collective Security Intelligence → Threat Identified → Event History (How, What, Who, Where, When) → Context Recorded → Enforcement
Continuous advanced threat blocking
Collective Security Intelligence and Event History (How, What, Who, Where, When) feed Continuous Analysis → Context → Enforcement
Reducing complexity and strengthening security through a platform
Hosted Collective Security Intelligence with central management over three control platforms:
• Network control platform
• Endpoint control platform
• Cloud Services Control Platform
Deployment forms: appliance, virtual, virtual host, mobile, virtual hosting
Intelligent security beyond sandboxing
Limits of existing malware blocking solutions
Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Gaps: propagation through permitted access; 100% detection is not possible; once infected, a shortage of skilled staff and lengthy analysis.
Sandboxing-only APT defence solutions
http://www.networkworld.com/news/2013/032613-sandboxing-268108.html?page=1
"Sandboxing will get some of it… But since malware could bypass sandbox checks, it only makes sense to use other malware-detection methods as well." Brad Stroeh, Sr. Network Security Engineer, First Financial Bank
By Ellen Messmer, Network World, March 26, 2013
FireAMP's new approach
Attack Continuum:
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Continuous protection is needed across the whole lifecycle of an attack – before, during and after an attack
Back to the incidents: the typical Advanced Persistent Threat (APT) attack on POS terminals (the five attack steps and the PoS network diagram from the earlier slide are repeated here).
File propagation tracking (File Trajectory): WHERE FROM, WHEN
File behaviour tracking within the endpoint (Device Trajectory): HOW IT WORKS
Cloud-based File Sandboxing: WHAT
1) File Capture from network traffic
2) File Storage
3) Send to Sandbox (Collective Security Intelligence Sandbox) → Malware Alert! Execution report available in Defense Center
Continuous file analysis and retrospective detection (File Retrospection and Reputation): WHAT
Antivirus and Sandboxing (point-in-time detection): initial disposition = Clean; actual disposition = Bad = Too Late!! Blind to the scope of compromise. Not 100%: analysis stops at old techniques, unknown protocols, encryption and variants.
AMP (continuous analysis and retrospective detection): initial disposition = Clean; turns back time; actual disposition = Bad = Blocked. Visibility and control are key.
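The point-in-time versus retrospective contrast above, as an added example that is not Cisco or FireAMP code: a constructed trajectory log of file sightings (hypothetical hashes and host names) is replayed once as a scanner that only knows the verdict at arrival, and once as a retrospective engine that, when a hash's reputation later flips to bad, walks the recorded trajectory back to scope every affected host and the point of entry.

```python
"""Point-in-time vs. retrospective file detection over a file trajectory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int           # minutes into the constructed timeline
    host: str         # endpoint that received the file
    sha256: str       # hypothetical hash label, not a real indicator
    source: str       # where the copy came from (URL, host or share)
    disposition: str  # cloud verdict at the moment of the event


# Constructed sample trajectory: a download rated "clean" spreads host to
# host inside the store network; a second file is already known bad.
EVENTS = [
    FileEvent(0,  "pos-01", "hash-A", "http://example.test/update.exe", "clean"),
    FileEvent(5,  "pos-02", "hash-A", "pos-01", "clean"),
    FileEvent(9,  "pos-03", "hash-A", "pos-02", "clean"),
    FileEvent(12, "hq-07",  "hash-B", "mail",   "bad"),  # blocked on arrival
]


def point_in_time_alerts(events):
    """A scanner without history: only files judged bad at arrival are reported."""
    return [(e.ts, e.host, e.sha256) for e in events if e.disposition == "bad"]


def propagation_edges(events, sha256):
    """Trajectory edges (source -> host) for one hash, in time order."""
    return [(e.source, e.host) for e in sorted(events, key=lambda e: e.ts)
            if e.sha256 == sha256]


def retrospective_scope(events, sha256, flipped_at):
    """Reputation of sha256 flipped to bad at time flipped_at: return every
    host that received the file up to that point, where it first entered,
    and when, so the scope of compromise is known instead of a single alert."""
    seen = sorted((e for e in events if e.sha256 == sha256 and e.ts <= flipped_at),
                  key=lambda e: e.ts)
    hosts = []
    for e in seen:
        if e.host not in hosts:   # keep first-sight order, no duplicates
            hosts.append(e.host)
    return {
        "hosts": hosts,
        "entry_point": seen[0].source if seen else None,
        "first_seen": seen[0].ts if seen else None,
    }


if __name__ == "__main__":
    print("point-in-time:", point_in_time_alerts(EVENTS))
    print("retrospective:", retrospective_scope(EVENTS, "hash-A", flipped_at=30))
```

The point-in-time pass never mentions hash-A at all; the retrospective pass, given the later verdict, returns all three POS hosts and the original download URL.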
FireAMP deployment options: a complete solution suite to protect the extended network
• Network Appliance: FireAMP as a standalone appliance; FireAMP for NGIPS
• Endpoint: FireAMP for hosts, virtual machines and mobile devices
• Secure Gateway: FireAMP for ESA and WSA
How FireAMP for Network and Endpoint works
AMP for Networks
• Flexible deployment: as part of NGIPS, as part of NGFW, or AMP stand alone
• Malware detection/blocking
• File detection/blocking
• CNC detection/blocking
AMP for Endpoints
• Integrated or standalone
• PC, mobile & virtual
• Malware Detection
• Automated IoC detection
• Trajectory
• File Analysis
• Outbreak Control
Context and Control
• Determine Scope: Trajectory (systems impacted, point of entry, file type, protocol, direction, etc…); Correlated context (Users, apps, threats, etc…)
• Retrospective Detection
• IoC Determination
Private Cloud for FireAMP: private cloud deployment to protect enterprise privacy
• All device and file identification data stays within the private cloud deployed inside the enterprise
• Deployed as a standalone virtual appliance at the enterprise perimeter network
• Fast installation and easy operation
• Scalable up to 10,000 connectors
FireAMP for WSA
Senderbase Reputation Filtering → URL Reputation → Known File Reputation → File Reputation → File Sandboxing
Backed by Cisco SIO and the Collective Security Intelligence Cloud (Sourcefire)
FireAMP for ESA
Senderbase Reputation Filtering (bad senders blocked) → Anti-Spam / Anti-Virus (spam and infected mails dropped) → Known File Reputation (mails with known bad reputation attachments dropped) → File Reputation and File Sandboxing (unknown files are uploaded for sandboxing) → Clean emails delivered
Backed by Cisco SIO, the Collective Security Intelligence Cloud (Sourcefire) and Senderbase Reputation
FireAMP key functions and protection areas by deployment type (columns: Secure Gateway | Network Appliance | Endpoint)
BEFORE / Block: File Reputation ✔ ✔ ✔
DURING / Detect: File Sandboxing ✔ ✔ ✔
AFTER / Monitor: File Retrospection ✔ ✔ ✔; IoCs ✔ ✔
AFTER / Investigate: File Analysis ✔ ✔; File Trajectory ✔ ✔; Device Trajectory ✔; Threat Hunting ✔
AFTER / Control: Outbreak Control ✔ ✔
Deployment: Public Cloud, Private Cloud
NEW!! FirePOWER™ 8300 Appliances
Same 2U chassis as the 8200 Series
• Same stacking capabilities
• Same NetMods
• Can NOT mix-and-match
GA in March
• Limited Availability (LA) going on now
• Will support minimum software version 5.3
Transition new opportunities to the 8300 Series where possible
New 8300 offerings (IPS inspected throughput):
• 8350: 15 Gbps
• 8360: 30 Gbps
• 8370: 45 Gbps
• 8390: 60 Gbps
All appliances include:
• Integrated lights-out management
• Sourcefire acceleration technology
• LCD display
Cloud-based intelligent analytics security
Cognitive: a cloud-based solution that shortens the time to discover threats already active inside the enterprise network
Continuous Monitoring for Threats After an Attack
• Identify new threats
• Learn from visibility
• Apply immediately
Licensed feature on Cisco Cloud Web Security
Problems with traditional threat monitoring
Admin
• Policy-based: affected by the complexity of manual policy configuration; complex policy settings; limited by human bias
• Time-consuming: configuration and optimization take weeks or months; constant tuning is required
Security Team
• High complexity: trained specialists or a dedicated team are needed to manage, modify and operate it
Result: defences cannot be kept up to date against the latest threats
No manual work required
Cognitive collects and analyses information on its own; only enabling the feature is required
Anomaly judgement through learning
Cognitive automatically detects symptoms of infection using behaviour-based anomaly detection algorithms and trust modelling
Learning and application
Cognitive learns from the visualised information using machine learning and automatically applies threat detection policies based on what it has learned
Threat identification through Cognitive Threat Analytics
Internal users → behaviour analysis → anomaly detection → machine learning → probable threats
Licensing and release timing
Offered as an add-on license to Cisco Cloud Web Security (CWS)
Or bundled with FireAMP in the CWS Premium license bundle
FCS by April 2014
Open application identification
OpenAppID Overview
What is OpenAppID?
An open source application-focused detection language that enables users to create, share and implement custom application detection.
Key Advantages
New simple language to detect apps
Reduces dependency on vendor release cycles
Build custom detections for new or specific (e.g. geo-based) app-based threats
Easily engage and strengthen detector solutions
Application-specific detail with security events
OpenAppID Deliverables at Launch
OpenAppID Language Documentation
A special Snort release engine with the OpenAppID preprocessor
• Detect apps on the network
• Report usage stats
• Block apps by policy
• Snort rule language extensions to enable app specification
• Add 'App Context' to IPS events
• Will be included in a future main release of Snort
Library of OpenAppID Detectors
• > 1000 detectors contributed by Cisco
• Extendable sample detectors
Available to the community at Snort.org
Summary
Intelligent security innovation to properly defend against APT attacks
1. The New Security Model
2. Intelligent security beyond sandboxing
3. Cloud-based intelligent analytics security
4. Open application identification
Thank You