New Horizons SCYBER Presentation

Post on 08-Aug-2015


SCYBER: Address an urgent need.

Today’s Agenda

• State of Security Today

• Solutions to the Problem

• SCYBER

• Key Differentiators

• Course Details

• Course Comparison

1994 to 2014: 20 YEARS IN THE MAKING

AGENDA

A GLOBAL CHALLENGE.

The global economy loses up to $1 trillion per year due to malicious cyber activity.

COMPLEX PROBLEMS, REAL COSTS

In 2013 alone, 552 million records were exposed due to data breaches.

The annual cost to an individual business due to cyber crime can range from $1M to $52M, on average.

• Malicious traffic was visible on 100% of networks sampled

• Nearly 70% of respondents have been identified as issuing DNS queries for DDNS

• There is a need for visibility-driven, threat-focused, and platform-based security solutions

• Before

• During

• After

2014 Cisco Midyear Security Report: Threat Intelligence & Industry Trends

THREAT INTELLIGENCE

Method | Threat Description | Findings

DDNS (Dynamic DNS) | DDNS is used by adversaries since it allows botnets and other attack infrastructure to be resilient against detection. | Nearly 70% of respondents issue DNS queries for DDNS.

MiTB (Man-in-the-Browser) | Palevo, SpyEye, and Zeus are malware families that incorporate MiTB functionality. DNS lookups for hosts compromised by them are considered a high threat. | More than 90% of customer networks observed have traffic going to websites that host malware.

Java | Java's extensive attack surface and high ROI make it a primary target for exploitation. | Java exploits represented 93% of IOCs as of May 2014.

Source(s): Cisco 2014 Midyear Security Report

MALWARE ENCOUNTERS BY VERTICAL

Vertical | Spending Priority Rank

Media & Publishing | 1

Pharmaceutical & Chemical | 2

Aviation | 3

Transportation & Shipping | 4

Manufacturing | 5

Insurance | 6

Agriculture & Mining | 7

Professional Services | 8

Electronics | 9

Food & Beverage | 10

Retail & Wholesale | 11

Utilities | 12

Source(s): Cisco 2014 Midyear Security Report

• The business community is increasingly reliant on the use of data.

• The need to secure critical data is paramount to day-to-day operations.

• Regulations and penalties for security violations are increasing.

THE CURRENT THREAT LANDSCAPE IS LIMITING BUSINESS GROWTH

• Security is becoming a bigger concern in the boardroom

• Identifying the personal and professional liability in failing to secure networks

• As cyber threats become part of the business landscape, more will put an emphasis on sound security practices

• Organizations must align cyber security and business performance

• Shift IT from facilitator to driver of business outcomes

THE VIEW FROM THE TOP

Source(s): EY, Beating Cybercrime (2013)

What measures are in place?

SOLUTIONS TO THE PROBLEM

[Figure: three phases of an attack, BEFORE, DURING and AFTER, each addressed through Hardware, Software, People and Process.]

How are security events detected?

What is the cleanup process?

• Nearly 1M unfilled jobs in the field

• Critical in the SOC

  • Analyze network alerts and detect APTs

  • Characterize and analyze network traffic to identify anomalies and potential network resource threats

  • Perform event correlation analysis to determine the effectiveness of observed attacks

• Key areas of competency

  • Ability to identify a security incident as it happens

  • Experience in implementing an appropriate plan of action quickly to minimize cost/damage

HELP WANTED: SECURITY ANALYSTS

HOW TRAINING IS FALLING SHORT

• Focused on building static defenses

• No detection or response plan in place

• Few paths to train IT personnel to recognize security risks and respond

• Not enough hands-on practice to implement the theory being taught

• No ability to practice responding to actual, real-life attacks on real-life equipment

SCYBER addresses this issue.

Designed to develop the skills necessary to proactively detect and combat cyber threats

4 Major Competencies

1. Monitor security events

2. Configure and tune security event detection and alarming

3. Analyze traffic for security threats

4. Respond appropriately to security incidents

5 Key Differentiators

1. System Agnostic

2. Lab-Heavy

3. Inside-Out vs. Outside-In

4. Ease of Entry

5. Understand the “Why?”

SYSTEM AGNOSTIC

• Though training is provided by Cisco, course does not focus solely on Cisco products

• Prepares students to operate a variety of systems

• Can train security professionals to “guard the castle,” with no additional infrastructure investment

60% of course time is spent in a lab environment

Monitor, analyze, and respond to actual cyber attacks

• Train your SOC staff

• Cross-train your IT staff on how to recognize security incidents and how to work with the SOC team

• Great starting point for IT staff looking to migrate to security

Ease of Entry for Security Professionals

• Develops the skills necessary to effectively operate within an SOC

  • Process

  • Hardware

  • Software

• Identify threats, but also understand why something is a threat

Moving Beyond the “How”

Certification | SCYBER | CCNA Sec. | CCNP Sec. | CCIE Sec. | Security+ | CEH

Pre-Req. | N/A | IINS/CCENT | CCNA Sec./CCIE | N/A | N/A | N/A

Experience | 0-2 Years | 0-2 Years | 4-6 Years | 7+ Years | 2-3 Years | 2+ Years

Sample Job | Security Analyst | System Admin. | Network Security Eng. | Network Security Eng. | System Admin. | Ethical Hacker

Focus | Event Detection | System Administration | Building Infrastructure | Management | System Administration | Penetration Testing

Instruction | 1 Week | 2 Weeks | 4 Weeks | Varied | 1 Week | 1 Week

Exam(s) | 1 Exam | 2 Exams | 4 Exams | 2 Exams | 1 Exam | 1 Exam

DoD 8570 | Pending | Yes | No | No | Yes | Yes

CERTIFICATION COMPARISON

SCYBER: No Prerequisites

An understanding of TCP/IP and a working knowledge of CCNA is highly recommended.

TECHNICAL DETAILS

Prepares students to take the Cyber Security Specialist Certification Exam (600-199 SCYBER)

ILT course covers 12 modules over 5 days

Course Schedule (AM and PM sessions each day)

Day 1: Course Introduction; Module 1: Attacker Methodology; Module 2: Defender Methodology

Day 2: Module 3: Defender Tools; Module 4: Packet Analysis

Day 3: Module 5: Network Log Analysis; Module 6: Baseline Network Operations

Day 4: Module 7: Incident Response Preparation; Module 8: Security Incident Detection; Module 9: Investigations

Day 5: Module 10: Mitigations & Best Practices; Module 11: Communication; Module 12: Post-Event Activity

Cyber Attack Model: IP Transport Cyber Attack Vectors

OSI Model layer(s) | TCP/IP Model layer | Attack vectors

7 Application, 6 Presentation, 5 Session | Application | Malware, OS, and Application level; Remote and Privilege Escalation exploits, Bots, Phishing

4 Transport, 3 Network | Transport, Internet | Session Hijacking and Spoofing (Intercept, Modify, Bypass Network Security), DoS

2 Data Link, 1 Physical (RF, Fiber, Copper) | Network Interface | MITM (Intercept, Modify), DoS, RF (Jam, Replay)

Transport Network Infrastructure Cyber Attack Tree: elements in scope

• Network and System Architecture: Centralized, Distributed, Redundant; Physical and Logical

• Transport Network: RF, Fiber, Copper

• Network Protocols: Routing, Switching, Redundancy; Apps, Client/Server

• Client/Server Architecture

• HW, SW, Apps, RDBMS: Open Source, Commercial

• Trust Relationships: Network Management and Network Devices; Billing, Middleware, Provisioning

• Common HW/SW configuration settings

Network Infrastructure Attack Vectors (attack tree; every branch ends in "Own Network Infrastructure")

1. SNMP community string dictionary attack with spoofing to download router/switch configuration -> Build new router configuration file to enable further privilege escalation -> Upload new configuration file using compromised SNMP RW string -> Own Network Infrastructure

2. UNIX NetMgt server running NIS v1 -> ypcat -d <domain> <server IP> passwd, grab shadow file hashes -> Crack passwords -> Access server directly; exploit ACL trust relationship; attack SNMP/Telnet/SSH -> Find NetMgt passwords and SNMP config files -> Discover backup HW configs -> Crack passwords -> Own Network Infrastructure

3. HP OpenView server -> Enumerate Oracle TNS listener to identify default SIDs, then either (a) further enumerate Oracle SIDs to identify default DBA system-level accounts/passwords -> Login to Oracle DB with discovered DBA privilege account -> Run Oracle SQL commands, execute OS commands, add new privileged OS account -> Use new privileged OS account to escalate privileged access to network -> Own Network Infrastructure; or (b) further enumerate Oracle SIDs to identify user accounts -> Perform dictionary attack -> Crack passwords -> Execute OS commands from Oracle PL/SQL -> Attack network from DB -> Run Oracle SQL commands, execute OS commands -> Find NetMgt passwords, SNMP info, OS password files -> Own Network Infrastructure

4. Network Mgt application -> Attempt to login using default login/password -> Reconfigure router or switch -> Own Network Infrastructure

5. MITM ARP poisoning -> Sniffing -> Capture SNMP community strings and unencrypted logins/passwords, protocol passwords -> Configure device for further privilege escalation -> Own Network Infrastructure

6. Telnet/SSH dictionary attack against routers/switches/NetMgt server -> Inject new routes or bogus protocol packets -> Own Network Infrastructure

Legend: Attack Vectors: Deny, Disrupt, Delay, Intercept, Exploit

Legend: Attack classes: Man in the Middle Attacks (MITM), Network Protocols, IP Spoofing, Apps/RDBMS/NetMgt, Traffic Analysis

In-Band Network Management

Network Management Protocols:

• SNMP

• Telnet

• HTTP/s - XML

• TFTP

• TL1

• SSH

[Figure: Users, the NOC, Data Center Resources, User VLANs and VLAN Trunks all sit on one network; Business and Network Management Traffic Uses Common Infrastructure.]

Network Management Security:

• Access List

• Firewalls

• VPN

• IDS/IPS

• AAA

• Trust levels

Trust Model – Defines Security Posture

- Network management features are vulnerabilities (they provide configuration and access information)

- Security policies define the trust model: user access; customer access; vendor/manufacturer local and remote tech support access; NOC/tech support staff

- Secure visualization and instrumentation

- Internal, Customer, and Management operations in separate IP subnets/VLANs/PVCs, etc., over shared network infrastructure

- Log everything

- 2-Factor authentication

[Figure: a Management VLAN spanning the network, with management points (M) at each site.]

Utilize MPLS VPNs and VRFs for Management Network

Prevalent Layer 2 Security Issues

[Figure: two routers and a rogue insider sending a crafted HSRP coup packet with higher priority.]

Common Issues:

• STP/BPDU

• VTP

• VLAN Hopping

• ARP Poisoning

• FHRP

• Rogue DHCP Server

• Horizontal and Vertical Pivoting

Suggested Remediation:

• BPDU and Root Guard

• Secure VTP

• Disable Dynamic Trunking

• Dynamic ARP Inspection

• Limit MACs per Port

• Secure FHRP

• DHCP Snooping, Disable DHCP Trust

• PVLANs, VACLs, DHCP Option 82

• L2 NetFlow

• Secure Information Flow Trust Relationships
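As an added illustration of the FHRP issue above (the rogue insider's HSRP coup packet with a higher priority), the following Python decodes HSRP v1 advertisements and checks each one against a constructed baseline of the routers that should be speaking for the group. This is example code written for this page, not material from the deck; the addresses, priorities and sample payloads are assumptions.

```python
import struct
from ipaddress import ip_address

# HSRP v1 header (RFC 2281, UDP/1985 to 224.0.0.2): version, opcode, state, hellotime,
# holdtime, priority, group, reserved, 8-byte auth data, 4-byte virtual IP.
HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}

# Constructed baseline (hypothetical addresses): the routers that legitimately run
# HSRP group 1, with the priority each is configured for.
BASELINE = {"group": 1, "virtual_ip": "10.10.1.1",
            "routers": {"10.10.1.2": 110, "10.10.1.3": 100}}

def parse_hsrp(payload: bytes) -> dict:
    # Decode the fixed 20-byte HSRP v1 header into named fields
    if len(payload) < HSRP_V1.size:
        raise ValueError("payload too short for HSRP v1")
    ver, op, state, _hello, _hold, prio, group, _res, auth, vip = HSRP_V1.unpack(payload[:HSRP_V1.size])
    return {"version": ver, "opcode": OPCODES.get(op, f"unknown({op})"), "state": state,
            "priority": prio, "group": group, "auth": auth.rstrip(b"\x00"),
            "virtual_ip": str(ip_address(vip))}

def check_hsrp(src_ip: str, payload: bytes, baseline: dict = BASELINE) -> list:
    # Compare one advertisement against the baseline; return a list of alert strings
    h = parse_hsrp(payload)
    if h["group"] != baseline["group"]:
        return []                       # other groups are outside this baseline
    known = baseline["routers"]
    alerts = []
    if src_ip not in known:
        alerts.append(f"{src_ip}: {h['opcode']} for group {h['group']} from an unlisted source")
    elif h["priority"] != known[src_ip]:
        alerts.append(f"{src_ip}: priority {h['priority']} differs from configured {known[src_ip]}")
    if h["opcode"] == "Coup" and h["priority"] > max(known.values()):
        alerts.append(f"{src_ip}: Coup claims priority {h['priority']}, above every configured router")
    if h["virtual_ip"] != baseline["virtual_ip"]:
        alerts.append(f"{src_ip}: advertises virtual IP {h['virtual_ip']}, expected {baseline['virtual_ip']}")
    return alerts

def sample_hsrp(opcode: int, priority: int, group: int = 1, vip: str = "10.10.1.1") -> bytes:
    # Constructed sample payload for exercising the detector (state=Active, default timers)
    return HSRP_V1.pack(0, opcode, 16, 3, 10, priority, group, 0, b"cisco".ljust(8, b"\x00"), ip_address(vip).packed)
```

In a deployment the payloads would come from a span port or L2 NetFlow feed, and the baseline from the FHRP configuration of record.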

Network Visualization and Instrumentation

• Whitelist the Network Trust Relationships

• Whitelist Trusted Information Flows in Monitoring
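To show what whitelisting trusted information flows looks like in monitoring, here is added example code (not from the deck) that checks NetFlow-style records against the trust model of the earlier slides: only the NOC subnet may speak the in-band management protocols to the management VLAN, and cleartext protocols are flagged even when allowed. The subnets, port numbers and sample records are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Management protocols named on the slide, on their usual ports (port numbers are
# assumptions; TL1 is commonly 3083). The cleartext ones expose credentials to sniffing.
MGMT_PORTS = {22: "SSH", 23: "Telnet", 69: "TFTP", 80: "HTTP", 161: "SNMP", 162: "SNMP trap", 443: "HTTPS", 3083: "TL1"}
CLEARTEXT = {"Telnet", "TFTP", "HTTP"}
Flow = NamedTuple("Flow", [("ts", str), ("src", ipaddress.IPv4Address), ("dst", ipaddress.IPv4Address), ("dport", int), ("proto", str)])

# Constructed trust model (hypothetical subnets): only the NOC subnet may speak the
# listed management protocols to the management VLAN; Telnet is tolerated but flagged.
MGMT_VLAN = ipaddress.ip_network("10.0.100.0/24")
TRUSTED = {ipaddress.ip_network("10.99.0.0/24"): {"SSH", "HTTPS", "SNMP", "SNMP trap", "Telnet"}}

def parse_flow(line: str) -> Flow:
    # One constructed NetFlow-style record: "ts src dst dport proto"
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower())

def classify(flow: Flow) -> str:
    # Label a flow: "ignore" (not management-plane), "allowed", "POLICY ..." or "ALERT ..."
    service = MGMT_PORTS.get(flow.dport)
    if service is None or flow.dst not in MGMT_VLAN:
        return "ignore"
    allowed = next((svcs for net, svcs in TRUSTED.items() if flow.src in net), None)
    if allowed is None:
        return f"ALERT untrusted source {flow.src} -> {flow.dst} via {service}"
    if service not in allowed:
        return f"ALERT {service} from trusted {flow.src} is not a whitelisted flow"
    if service in CLEARTEXT:
        return f"POLICY {service} from {flow.src} carries credentials in cleartext"
    return "allowed"

def review(lines):
    # Return only the findings, with the record timestamp, for the monitoring console
    findings = []
    for flow in map(parse_flow, lines):
        verdict = classify(flow)
        if verdict not in ("allowed", "ignore"):
            findings.append((flow.ts, verdict))
    return findings
# Constructed sample records (not from any real network)
SAMPLE = [
    "10:00:01 10.99.0.5 10.0.100.1 22 tcp",    # NOC -> switch over SSH: allowed
    "10:00:02 10.99.0.5 10.0.100.1 23 tcp",    # NOC using Telnet: whitelisted but cleartext
    "10:00:03 10.20.5.17 10.0.100.1 23 tcp",   # user-VLAN host reaching a switch: untrusted
    "10:00:04 10.99.0.9 10.0.100.2 69 udp",    # NOC using TFTP: not in the whitelist
    "10:00:05 10.20.5.17 10.20.5.1 443 tcp",   # ordinary user traffic: ignored
]
```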

Q & A

THANK YOU