Cisco Cyber Range
Paul Qiu
Senior Solutions Architect
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
“What I hear, I forget. What I see, I remember. What I do, I understand.” ~ Confucius
A platform to experience the intelligent Cyber Security for the real world
Cyber Range Service
Cyber Range Overview
Agenda
Cyber Range Journey
Cisco Cyber Security Overview
Cyber Range Overview & Architecture
Cyber Range APT Case Study
Cisco Cyber Range Journey
08/2014 - PACIFIC ENDEAVOR 2014 10 teams are doing Cyber Range Challenge
09/2014 - Cyber Range 5 Day Workshop – India Service Provider
01/2015 – Cyber Range 5 day Workshop – India Service Provider
10/2014 - Cyber Range 3 Day Workshop – Taiwan Manufacturer
Cisco Cyber Security Overview
Breaches Happen in Hours ... But Go Undetected For Weeks/Months
[Chart: timespan of events by percent of breaches, plotted across Seconds / Minutes / Hours / Days / Weeks / Months / Years for four phases: Initial Attack to Initial Compromise; Initial Compromise to Data Exfiltration; Initial Compromise to Discovery; Discovery to Containment/Restoration]
• In 60% of breaches, data is stolen in hours.
• 85% of breaches are not discovered for weeks.
Anatomy of a Modern Threat
[Diagram: Public Network (Internet and Cloud Apps) → Perimeter → Campus / Enterprise Data Centre]
• Infection entry point occurs outside of the enterprise
• Advanced online threat bypasses perimeter defence
• Threat spreads and attempts to exfiltrate valuable data
Cisco Cyber Security
• VISIBILITY: Deep Insight to Detect Advanced Threats
• INTELLIGENCE: Contextual Awareness to Pinpoint Attacks
• CONTROL: Ubiquitous Defence to Manage Threats
Visibility
• NetFlow: Network-wide traffic patterns
• Identity: User, device, access, location, time
• AVC: Application recognition and identification
• Security: Firewall, intrusion, web & email security
Intelligence
• Reputation: Security Intelligence Operations (SIO)
• Analytics: Stealthwatch, Splunk
Control
• Security: Firewall, intrusion, web & email security
• TrustSec: Network flow tagging and blocking
Cyber Range Overview
Cyber Range Overview
A platform to experience the intelligent Cyber Security for the real world
Cyber Range Remote Capabilities
[Diagram: Road Show, Partners, Campuses, Exhibition Centre and Customer Sites connected to the Cyber Range over the Internet]
Cyber Range Capabilities
… can improve cyber defence operational capabilities, by way of:
• Architecture / Design validation
• Incident response playbook creation / validation
• War game exercises
• Hands-on training for individual technologies
• Threat mitigation process verification
• Simulating advanced threats (zero day / APT)
Cisco Cyber Range Service Features
Infrastructure:
• Wired, wireless, and remote access
• Network and routing
• Client simulator
• Server simulator
• Application simulator
• Traffic generation
Attacks:
• Day 0 Attack/New threats
• DDoS
• Network reconnaissance
• Application attacks
• Data Loss
• Computer malware
• Mobile device malware
• Wireless Attacks
• Evasion techniques
• Botnet simulation
• Open source attack tools
• Virtual Network Attacks
Visibility and Control:
• Global Threat Intelligence (Cloud)
• Firewall & IDS/IPS
• Signature based Detection
• Behaviour based Detection
• Data Loss Prevention
• Web & email Security
• Application Visibility & Control
• Wireless Security
• Identity & access management
• Security and event management
• Event correlation
• Packet Capture and Analysis
• Virtual Network Security
• TrustSec-SGT
• Software Defined Network
Cyber Range Architecture
Covering The Entire Attack Continuum
Attack Continuum:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
Visibility and Context across:
• Firewall
• NGFW
• NAC + Identity Services
• VPN
• UTM
• NGIPS
• Web Security
• Email Security
• Advanced Malware Protection
• Network Behaviour Analysis
Cisco CSIRT Protection Model
Foundation:
• Prevent: Firewall, Anti-Virus, Host IPS, Web proxy, Anti-Spam, Network IPS
• Detect: Network IDS, NetFlow anomaly, Advanced Malware, Behavioural anomaly
• Collect: NetFlow, Event logs, Web proxy logs, Web firewall
• Mitigate: IP blackhole, account disablement, scalable load balancer, device monitoring
• Analyse: NetFlow analysis, SIEM analysis, Malware analysis
Cyber Range Network Components Overview
Cyber Range Splunk Architecture
• 2 x Search Heads
• 1 x Indexer
• Mirrored Dev Servers
• Data sources from the CyberRange “Live” Inside Network:
  • Mail Logs (ESA)
  • Access Logs (WSA)
  • Syslog (ASA, ISE, etc.)
  • SDEE (IPS)
  • eStreamer (sFIRE)
  • Lancope
• Input methods: Scripted Input, HTTPS, Index Forwarding, syslog TCP/UDP
• WWW
Cisco Cyber Range APT Case Study
APT - Kill Chain
Recon
• Harvest contact info from social media
Weaponize
• Couple exploit with backdoor to deliver payload
Deliver
• Deliver weaponized bundle to victim via email, web, USB
Exploit
• Leverage vulnerability to execute code on victim system
Install
• Install malware on asset
Control
• Use command channel to control victim remotely
Action on Objectives
• Steal information, exfiltrate, etc.
The Great Bank Robbery: the Carbanak APT
https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
Carbanak APT Case Study
[Diagram: Attackers targeting the Finance Server, with the Cyber Range acting as “The Defenders”]
Cyber Range Network Components Overview
Sourcefire Intrusion Events
Sourcefire Intrusion Events Detail
Sourcefire Intrusion Events Packet Capture
CTD Shows Data Loss
CTD Shows Data Loss Alarms
CTD Detail Flow
Splunk Search
Q & A