New Horizons SCYBER Presentation


Transcript of New Horizons SCYBER Presentation

Page 1: New Horizons SCYBER Presentation

SCYBER: Address an urgent need.

Page 2: New Horizons SCYBER Presentation

Today’s Agenda

• State of Security Today

• Solutions to the Problem

• SCYBER

• Key Differentiators

• Course Details

• Course Comparison

Page 3: New Horizons SCYBER Presentation

1994

2014

20 YEARS IN THE MAKING

Page 4: New Horizons SCYBER Presentation

AGENDA

A GLOBAL CHALLENGE.

Page 5: New Horizons SCYBER Presentation

The global economy loses up to $1 trillion per year due to malicious cyber activity.

COMPLEX PROBLEMS, REAL COSTS

In 2013 alone, 552 million records were exposed due to data breaches.

The annual cost to an individual business due to cyber crime can range from $1M to $52M, on average.

Page 6: New Horizons SCYBER Presentation

• Malicious traffic was visible on 100% of networks sampled

• Nearly 70% of respondents have been identified as issuing DNS queries for DDNS

• There is a need for visibility-driven, threat-focused, and platform-based security solutions

• Before

• During

• After

2014 Cisco Midyear Security Report: Threat Intelligence & Industry Trends

Page 7: New Horizons SCYBER Presentation

THREAT INTELLIGENCE

Method: DDNS
Threat Description: DDNS is used by adversaries since it allows botnets and other attack infrastructure to be resilient against detection.
Findings: Nearly 70% of respondents issue DNS queries for DDNS.

Method: MiTB (Man-in-the-Browser)
Threat Description: Palevo, SpyEye, and Zeus are malware families that incorporate MiTB functionality. DNS lookups for hosts compromised by them are considered a high threat.
Findings: More than 90% of customer networks observed have traffic going to websites that host malware.

Method: Java
Threat Description: Java’s extensive attack surface and high ROI make it a primary target for exploitation.
Findings: Java exploits represented 93% of IOCs as of May 2014.

Source(s): Cisco 2014 Midyear Security Report

Page 8: New Horizons SCYBER Presentation

MALWARE ENCOUNTERS BY VERTICAL

Vertical (Spending Priority Rank):

1. Media & Publishing

2. Pharmaceutical & Chemical

3. Aviation

4. Transportation & Shipping

5. Manufacturing

6. Insurance

7. Agriculture & Mining

8. Professional Services

9. Electronics

10. Food & Beverage

11. Retail & Wholesale

12. Utilities

Source(s): Cisco 2014 Midyear Security Report

Page 9: New Horizons SCYBER Presentation

• The business community is increasingly reliant on the use of data.

• The need to secure critical data is paramount to day-to-day operations.

• Regulations and penalties for security violations are increasing.

THE CURRENT THREAT LANDSCAPE IS LIMITING BUSINESS GROWTH

Page 10: New Horizons SCYBER Presentation

• Security is becoming a bigger concern in the boardroom

• Identifying the personal and professional liability in failing to secure networks

• As cyber threats become part of the business landscape, more will put an emphasis on sound security practices

• Organizations must align cyber security and business performance

• Shift IT from facilitator to driver of business outcomes

THE VIEW FROM THE TOP

Source(s): EY, Beating Cybercrime (2013)

Page 11: New Horizons SCYBER Presentation

SOLUTIONS TO THE PROBLEM

Each phase is addressed across four dimensions: Hardware, Software, People, Process.

BEFORE: What measures are in place?

DURING: How are security events detected?

AFTER: What is the cleanup process?

Page 12: New Horizons SCYBER Presentation

• Nearly 1M unfilled jobs in the field

• Critical in the SOC

  • Analyze network alerts and detect APTs

  • Characterize and analyze network traffic to identify anomalies and potential network resource threats

  • Perform event correlation analysis to determine the effectiveness of observed attacks

• Key areas of competency

  • Ability to identify a security incident as it happens

  • Experience in implementing an appropriate plan of action quickly to minimize cost/damage

HELP WANTED: SECURITY ANALYSTS

Page 13: New Horizons SCYBER Presentation

HOW TRAINING IS FALLING SHORT

• Focused on building static defenses

• No detection or response plan in place

• Few paths to train IT personnel to recognize security risks and respond

• Not enough hands-on practice to implement the theory being taught

• No ability to practice responding to actual, real-life attacks on real-life equipment

Page 14: New Horizons SCYBER Presentation

SCYBER addresses this issue.

Page 15: New Horizons SCYBER Presentation

Designed to develop the skills necessary to proactively detect and combat cyber threats

Page 16: New Horizons SCYBER Presentation

4 Major Competencies

1. Monitor security events

2. Configure and tune security event detection and alarming

3. Analyze traffic for security threats

4. Respond appropriately to security incidents

Page 17: New Horizons SCYBER Presentation

5 Key Differentiators

1. System Agnostic

2. Lab-Heavy

3. Inside-Out vs. Outside-In

4. Ease of Entry

5. Understand the “Why?”

Page 18: New Horizons SCYBER Presentation

SYSTEM AGNOSTIC

• Though training is provided by Cisco, course does not focus solely on Cisco products

• Prepares students to operate a variety of systems

• Can train security professionals to “guard the castle,” with no additional infrastructure investment

Page 19: New Horizons SCYBER Presentation

60% of course time spent in a lab environment

Monitor, analyze, and respond to actual cyber attacks

Page 20: New Horizons SCYBER Presentation
Page 21: New Horizons SCYBER Presentation

• Train your SOC staff

• Cross-train your IT staff on how to recognize security incidents and how to work with the SOC team

• Great starting point for IT staff looking to migrate to security

Ease of Entry for Security Professionals

Page 22: New Horizons SCYBER Presentation

• Develops the skills necessary to effectively operate within an SOC

  • Process

  • Hardware

  • Software

• Identify threats, but also understand why something is a threat

Moving Beyond the “How”

Page 23: New Horizons SCYBER Presentation

CERTIFICATION COMPARISON

SCYBER
• Pre-Req.: N/A
• Experience: 0-2 Years
• Sample Job: Security Analyst
• Focus: Event Detection
• Instruction: 1 Week
• Exam(s): 1 Exam
• DoD 8570: Pending

CCNA Sec.
• Pre-Req.: IINS/CCENT
• Experience: 0-2 Years
• Sample Job: System Admin.
• Focus: System Administration
• Instruction: 2 Weeks
• Exam(s): 2 Exams
• DoD 8570: Yes

CCNP Sec.
• Pre-Req.: CCNA Sec./CCIE
• Experience: 4-6 Years
• Sample Job: Network Security Eng.
• Focus: Building Infrastructure
• Instruction: 4 Weeks
• Exam(s): 4 Exams
• DoD 8570: No

CCIE Sec.
• Pre-Req.: N/A
• Experience: 7+ Years
• Sample Job: Network Security Eng.
• Focus: Management
• Instruction: Varied
• Exam(s): 2 Exams
• DoD 8570: No

Security+
• Pre-Req.: N/A
• Experience: 2-3 Years
• Sample Job: System Admin.
• Focus: System Administration
• Instruction: 1 Week
• Exam(s): 1 Exam
• DoD 8570: Yes

CEH
• Pre-Req.: N/A
• Experience: 2+ Years
• Sample Job: Ethical Hacker
• Focus: Penetration Testing
• Instruction: 1 Week
• Exam(s): 1 Exam
• DoD 8570: Yes

Page 24: New Horizons SCYBER Presentation

TECHNICAL DETAILS

SCYBER: No prerequisites. An understanding of TCP/IP and a working knowledge of CCNA is highly recommended.

Prepares students to take the Cyber Security Specialist Certification Exam: 600-199 SCYBER

ILT course covers 12 modules over 5 days

Page 25: New Horizons SCYBER Presentation

Course Schedule

Day 1
• AM: Course Introduction; Module 1: Attacker Methodology
• PM: Module 2: Defender Methodology

Day 2
• AM: Module 3: Defender Tools
• PM: Module 4: Packet Analysis

Day 3
• AM: Module 5: Network Log Analysis
• PM: Module 6: Baseline Network Operations

Day 4
• AM: Module 7: Incident Response & Preparation; Module 8: Security Incident Detection
• PM: Module 7: Incident Response Preparation (cont.); Module 8: Security Incident Detection (cont.); Module 9: Investigations

Day 5
• AM: Module 10: Mitigations & Best Practices
• PM: Module 11: Communication; Module 12: Post-Event Activity

Page 26: New Horizons SCYBER Presentation

Cyber Attack Model

OSI Model (layer: name) and the TCP/IP Model layer it maps to:

7: Application (TCP/IP: Application)

6: Presentation (TCP/IP: Application)

5: Session (TCP/IP: Application)

4: Transport (TCP/IP: Transport)

3: Network (TCP/IP: Internet)

2: Data Link (TCP/IP: Network Interface)

1: Physical (TCP/IP: Network Interface)

Attack categories shown on the model:

• Application: Malware, OS, and Application level; Remote and Privilege Escalation exploits, Bots, Phishing

• Transport / Internet: Session Hijacking and Spoofing (Intercept, Modify, Bypass Network Security), DoS

• Network Interface: MITM (Intercept, Modify), DoS, RF (Jam, Replay)

• Physical media: RF, Fiber, Copper

Page 27: New Horizons SCYBER Presentation

IP Transport Cyber Attack Vectors

• Network and System Architecture: Centralized, Distributed, Redundant; Physical and Logical

• Transport Network: RF, Fiber, Copper

• Network Protocols: Routing, Switching, Redundancy; Apps, Client/Server

• Client/Server Architecture

• HW, SW, Apps, RDBMS: Open Source; Commercial

• Trust Relationships: Network Management and Network Devices; Billing, Middleware, Provisioning

• Common HW/SW configuration settings

Transport Network Infrastructure Cyber Attack Tree

Network Infrastructure Attack Vectors (tree nodes as shown on the slide):

• SNMP Community String Dictionary Attack with Spoofing to Download Router\Switch Configuration

• Build New Router Configuration File to enable further privilege escalation

• Upload New Configuration File Using Compromised SNMP RW String

• UNIX NetMgt Server Running NIS v1

• Ypcat -d <domain> <server IP> passwd; Grab shadow file hashes

• Crack Passwords

• Access Server Directly

• Exploit ACL Trust Relationship

• Attack SNMP\Telnet\SSH

• Find NetMgt passwords and SNMP config files

• Discover Backup HW Configs

• Crack Passwords

• HP OpenView Server

• Enumerate Oracle TNS Listener to Identify Default SID’s

• Further Enumerate Oracle SID’s to Identify Default DBA System Level Accts\Passwords

• Login to Oracle DB with Discovered DBA Privilege Account

• Run Oracle SQL CMDs

• Execute OS CMDs; Add New Privileged OS Account

• Crack Passwords

• Further Enumerate Oracle SID’s to Identify User Accts.

• Perform Dictionary Attack

• Execute OS CMDs from Oracle PL/SQL

• Attack Network from DB

• Run Oracle SQL CMDs; Execute OS CMDs

• Find NetMgt Passwords, SNMP info, OS password files

• Network Mgt Application

• Attempt to Login Using Default Login\Password

• Reconfigure Router or Switch

• MITM ARP Poisoning

• Sniffing

• Capture SNMP Community Strings and Unencrypted Login\Passwords, Protocol Passwords

• Configure Device for Further Privilege Escalation

• Telnet\SSH Dictionary Attack Router\Switches\NetMgt Server

• Inject New Routes or Bogus Protocol Packets

• Use New Privileged OS account to Escalate Privileged Access to Network

• Own Network Infrastructure (the terminal node of each branch; it appears six times on the slide)

Attack Vectors: Deny, Disrupt, Delay, Intercept, Exploit

Legend: Man in the Middle Attacks (MITM); Network Protocols; IP Spoofing; Apps/RDBMS/NetMgt; Traffic Analysis

Page 28: New Horizons SCYBER Presentation

In-Band Network Management

Network Management Protocols
• SNMP
• Telnet
• HTTP/s - XML
• TFTP
• TL1
• SSH

Users

NOC

Business and Network Management Traffic Uses Common Infrastructure

Network Management Security
• Access List
• Firewalls
• VPN
• IDS/IPS
• AAA
• Trust levels

Data Center Resources

User VLANs

VLAN Trunks

Management VLAN

Trust Model – Defines Security Posture

- Network management features are vulnerabilities (provides configuration and access information)

- Security policies define trust model: Users access; Customer access; Vendor/Mfg local/remote tech support access; NOC/Tech support staff

- Secure visualization and instrumentation: Internal, Customer, Management operations in separate IP subnets/VLANs/PVCs, etc., over shared network infrastructure.

- Log everything

- 2-Factor authentication

Utilize MPLS VPNs and VRFs for Management Network

Page 29: New Horizons SCYBER Presentation

Prevalent Layer 2 Security Issues

Routers

Rogue Insider: crafted HSRP coup packet with higher priority

Common Issues
• STP/BPDU
• VTP
• VLAN Hopping
• ARP Poisoning
• FHRP
• Rogue DHCP Server
• Horizontal and Vertical Pivoting

Suggested Remediation
• BPDU and Root Guard
• Secure VTP
• Disable Dynamic Trunking
• Dynamic ARP Inspection
• Limit MACs per Port
• Secure FHRP
• DHCP Snooping, Disable DHCP Trust
• PVLANs, VACLs, DHCP Option 82
• L2 NetFlow
• Secure Information Flow Trust Relationships
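As an added example (not from the course or the slide), the remediation list above translated into a hypothetical Cisco IOS switch configuration, with a weak edge port shown beside its hardened form; interface names, VLAN numbers, the gateway address and the HSRP key placeholder are assumed.

```cisco
! Added example, not the course's own material. Hypothetical Cisco IOS access switch;
! VLAN numbers, interface names and addresses are made up.
!
! WEAK: default-like edge port that negotiates trunks and trusts any DHCP/ARP source.
interface GigabitEthernet1/0/1
 switchport mode dynamic desirable
!
! HARDENED, global: DHCP snooping (+ Option 82), Dynamic ARP Inspection, BPDU Guard, VTP.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping information option
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
spanning-tree portfast bpduguard default
vtp mode transparent
!
! HARDENED, user port: no DTP, limit MACs, untrusted for DHCP/ARP (the default once
! snooping/DAI are on), BPDU Guard shuts the port if a switch is plugged in.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplink: only this port may carry DHCP server replies and is exempt from DAI;
! an unused native VLAN and an explicit allowed list blunt VLAN hopping.
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! Downlink to an edge switch that must never become STP root: Root Guard.
interface GigabitEthernet1/0/23
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
! Secure FHRP on the gateway: authenticated HSRP hellos, so a crafted higher-priority
! coup packet without the key is ignored.
interface Vlan10
 standby 1 ip 10.0.10.1
 standby 1 authentication md5 key-string REPLACE_WITH_SECRET
```

Verify on the device with `show ip dhcp snooping`, `show ip arp inspection vlan 10`, `show port-security` and `show spanning-tree summary`; PVLANs, VACLs and L2 NetFlow from the list are platform-specific and left out here.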

Page 30: New Horizons SCYBER Presentation

Network Visualization and Instrumentation

Whitelist the Network Trust Relationships

Whitelist Trusted Information Flows in Monitoring

Page 31: New Horizons SCYBER Presentation

Q & A

Page 32: New Horizons SCYBER Presentation

THANK YOU