Presenter: David De Lima, BE, BSc, CENG (IET), CCIE 7958, CISSP, CISA [email protected] Title: Consulting Systems Engineer – Security, Cisco Systems Date: May 2017 Cyber Security for an IoT World

Post on 07-Jun-2020


TRANSCRIPT

Page 1: Cyber Security for an IoT World - SUT

Presenter: David De Lima, BE, BSc, CENG (IET), CCIE 7958, CISSP, CISA

[email protected]

Title: Consulting Systems Engineer – Security, Cisco Systems

Date: May 2017

Cyber Security for an IoT World

Page 2

IoT Growth - 1.5 Million Devices Per Hour!!

[Chart: IoT device growth, 2017 to 2020]

Page 3

Mirai Botnet (IoT) Oct 2016

• Compromised IoT Devices
  • Baby monitors, webcams
  • Home routers
  • DVRs, printers

• Massive DDoS Botnet (600Gb-1Tb)
  • DynDNS attack (Liberia, Deutsche Telekom)
  • DDoS as a service, DDoS for ransom
  • Source code released!!

• Challenges (why does it exist??)
  • Default Passwords, open ports, unmanaged
  • Vulnerabilities (slow to patch)
  • Low focus on security (time to market/cost)
  • Low resources (CPU/RAM/Storage/etc)

Page 4

WannaCry (Worm – OT/IoT Impact)

• Began on May 12 - spreads as a worm – 230,000 infections across 150 countries
• OT Impact - Britain NHS (computers, MRI scanners, blood-storage refrigerators and theatre equipment), Telefonica, Deutsche Bahn, Nissan (UK), Renault, ATMs, Parking Meters
• Exploits Windows (MS17-010) using tools leaked by Shadow Brokers – 1 month head start!!
• Not very sophisticated!! – Payment via 4 BTC wallets + AntiVM kill-switch + Direct Infection
• Next one much worse (already new variants) - Mirai + Wannacry!! (DDOS kill-switch!!)

Page 5

How Malware Works – Most Variants Require All 5 Steps

[Diagram: two infection paths, both ending at the attacker's C2 infrastructure]

EMAIL-BASED INFECTION: Email w/ Malicious Attachment → Malware Payload → Malware activates → Encryption Key C2 Infrastructure

WEB-BASED INFECTION: User Clicks a Link or Malvertising → Malicious Infrastructure → Malware Payload → Malware activates → Encryption Key C2 Infrastructure

Page 6

End-to-End “Kill Chain” Defense Infrastructure

[Diagram: attack progression TARGET → BREACH → COMPROMISE, broken down into the stages RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST, with the control covering each stage]

Controls shown: DNS-Layer Security, Web Security, Email Security, NGIPS, NGFW, Host Anti-Malware, Network Anti-Malware, Flow Analytics, Threat Intelligence

File Trajectory: ATTACKER → INFRASTRUCTURE USED BY ATTACKER → FILES/PAYLOADS USED BY ATTACKER

Page 7

OT Security Layers

[Diagram: the site network drawn as levels 0 to 5 with a DMZ, and the security control placed at each level]

Enterprise Zone
• L5 Enterprise Network
• L4 Site Business Planning and Logistics Network (Email, Intranet, etc.)

DMZ 3.5
• Patch Mgmt, AV Server, Application Server, Web Services Operations, Terminal Services, Historian (Mirror)

Control Zone
• Level 3 Site Operations and Control (Production Control, Historian, Optimizing Control, Engineering Station)
• Level 2 Area Supervisory Control (HMI, Supervisory Control)
• Level 1 Basic Control (Batch Control, Discrete Control, Hybrid Control, Continuous Control)
• Level 0 Process (Sensors, Drives, Robots, Actuator)

Controls shown
• Host Anti-Malware on Endpoint HMI + Key Servers (AMP For Endpoints)
• Netflow Anomaly Detection + Visibility (Stealthwatch)
• Anti-Malware on FW + IPS + VPN
• Identity based Segmentation (ISE)
• Host Anti-Malware (AMP For Endpoints)
• Web Proxy + OpenDNS + CTA
• IDS
• IDS + Pkgs
• Industrial FW IDS for critical PLCs

Page 8

DNS = Domain Name System
• www.google.com = 172.217.26.68 (IP Address)
• www.evil.com = 66.96.146.129

CNC = C2 = Command and Control

DGA – Domain Generation Algorithm
• yfrscsddkkdl.com (Initial)
• qgmcgoqeasgommee.org (2 hours later)
• iyyxtyxdeypk.com (2 hours later)
• diiqngijkpop.ru (2 hours later)

Fast Flux IP
• 66.96.146.129 (IP Address)
• = 66.96.146.129 (2 hours later)

Monetise Malware (RAT, Banking Trojan, Ransomware, etc)

OpenDNS categories: MALWARE, C2/BOTNETS, PHISHING

“OpenDNS FREE”: https://signup.opendns.com/homefree/
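An added example (not from the presentation and not OpenDNS code) of the detection idea behind this slide: a resolver log in which DGA-style domains rotate every 2 hours while the resolved address stays the same. It assumes the four slide domains all resolved to 66.96.146.129; the log format, timestamps, client addresses and the benign lookups are constructed, and the thresholds are illustrative.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: (timestamp, client, queried domain, resolved IP).
# The four rotating domains and the C2 address are the ones shown on the slide;
# timestamps, clients and the benign lookups are made up for this example.
SAMPLE_LOG = [
    ("2017-05-01T08:00:00", "10.0.5.23", "yfrscsddkkdl.com", "66.96.146.129"),
    ("2017-05-01T08:00:01", "10.0.5.23", "www.google.com", "172.217.26.68"),
    ("2017-05-01T10:00:00", "10.0.5.23", "qgmcgoqeasgommee.org", "66.96.146.129"),
    ("2017-05-01T12:00:00", "10.0.5.23", "iyyxtyxdeypk.com", "66.96.146.129"),
    ("2017-05-01T14:00:00", "10.0.5.23", "diiqngijkpop.ru", "66.96.146.129"),
    ("2017-05-01T14:00:05", "10.0.5.24", "www.example.com", "203.0.113.10"),
]

def second_level_label(domain):
    """Return the registrable label, e.g. 'yfrscsddkkdl' for 'yfrscsddkkdl.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_generated(domain, min_len=10, min_entropy=2.5):
    """Coarse DGA heuristic: a long, high-entropy label. Entropy alone misfires on
    some real names, so the per-IP grouping below does the real filtering."""
    label = second_level_label(domain)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_rotating_c2(log, window_hours=24, min_domains=3):
    """Group DGA-looking lookups by resolved IP and flag an IP that several
    distinct generated domains resolve to inside the window: the slide's
    pattern of a fresh domain every 2 hours pointing at the same C2 host."""
    by_ip = defaultdict(list)
    for ts, client, domain, ip in log:
        if looks_generated(domain):
            by_ip[ip].append((datetime.fromisoformat(ts), domain, client))
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        domains = sorted({d for _, d, _ in hits})
        span = hits[-1][0] - hits[0][0]
        if len(domains) >= min_domains and span <= timedelta(hours=window_hours):
            findings[ip] = {"domains": domains,
                            "clients": sorted({c for _, _, c in hits})}
    return findings
```

Blocking the C2 IP at the DNS layer then covers the next generated domain as well, which is the point the slide makes with OpenDNS.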

Page 9

OpenDNS – OT/IoT Protection
Locky: Real World Example

[Graph: Original Malware Domain (Command and Control); Hash of the malicious file downloaded from these domains; Malware Download URL; these domains co-occur; these domains share the same infrastructure]

Page 10

OpenDNS - Machine Learning on Massive Dataset
Locky: Real World Example

[Graph: Malware distribution Point → Infection Ingress Point → Next Malware Distribution Points]

Easter Egg: expose the attackers’ infrastructure (nameservers and IPs) to predict the next moves

Page 11

Stealthwatch – OT/IoT Protection (Record all Conversations)

Who, What, When, How, Where

Applied situational awareness: Flow Sensor, Threat Intelligence, Geo-IP mapping, Endpoint Visibility

Page 12

Stealthwatch - Behavioral and Anomaly Detection Model

COLLECT AND ANALYZE FLOWS → SECURITY EVENTS (94+) → ALARM CATEGORY → RESPONSE

Security events (94+): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK**, Beaconing Host, Bot Command Control Server, Bot Infected Host - Attempted, Bot Infected Host - Successful, Flow_Denied, ..., ICMP Flood, ..., Max Flows Initiated, Max Flows Served, ..., Suspect Long Flow, Suspect UDP Activity, SYN Flood

Alarm categories: Concern, Exfiltration, C&C, Recon, Data hoarding, Exploitation, DDoS target

Responses: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation
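An added example, not Stealthwatch's own logic, showing two of the security events listed above (Addr_Scan/tcp and Beaconing Host) detected over constructed flow records and mapped to the alarm categories Recon and C&C. The record format, the thresholds and the sample hosts are assumptions; only the C2 address 66.96.146.129 comes from the deck.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (start_seconds, src, dst, dst_port, proto); not real data.
SAMPLE_FLOWS = (
    # 10.0.5.23 reaches one external host every 600 s: beaconing (C2 address from the slide).
    [(t, "10.0.5.23", "66.96.146.129", 443, "tcp") for t in range(0, 3600, 600)]
    # 10.0.5.40 touches 12 internal addresses on port 445 within seconds: address scan.
    + [(100 + i, "10.0.5.40", f"10.0.6.{i}", 445, "tcp") for i in range(1, 13)]
    # Ordinary traffic from 10.0.5.24 that should raise nothing.
    + [(50, "10.0.5.24", "172.217.26.68", 443, "tcp"),
       (900, "10.0.5.24", "172.217.26.68", 443, "tcp"),
       (2000, "10.0.5.24", "10.0.6.1", 445, "tcp")]
)

EVENT_CATEGORY = {"Addr_Scan/tcp": "Recon", "Beaconing Host": "C&C"}  # subset of the slide's mapping

def detect_addr_scan(flows, min_targets=10, window=60):
    """Flag a source that reaches many distinct destinations on one TCP port within window seconds."""
    per_key = defaultdict(list)  # (src, dport) -> [(t, dst)]
    for t, src, dst, dport, proto in flows:
        if proto == "tcp":
            per_key[(src, dport)].append((t, dst))
    events = []
    for (src, dport), hits in per_key.items():
        hits.sort()
        for start, _ in hits:
            targets = {d for t, d in hits if start <= t <= start + window}
            if len(targets) >= min_targets:
                events.append(("Addr_Scan/tcp", src))
                break
    return events

def detect_beaconing(flows, min_flows=5, max_jitter=0.1):
    """Flag a source whose flows to one destination recur at a near-constant interval."""
    per_pair = defaultdict(list)
    for t, src, dst, _, _ in flows:
        per_pair[(src, dst)].append(t)
    events = []
    for (src, dst), times in per_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            events.append(("Beaconing Host", src))
    return events

def alarms(flows):
    """Run both detectors and map each security event to its alarm category."""
    return [(e, h, EVENT_CATEGORY[e]) for e, h in detect_addr_scan(flows) + detect_beaconing(flows)]
```

Each tuple returned by alarms() is what would feed the alarm table, host snapshot or syslog/SIEM response on the right of the slide.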

Page 13

Anatomy of a Cyber Attack

Page 14

https://www.youtube.com/watch?v=4gR562GW7TI

Page 15

What did you notice??

• Attackers are not necessarily nerds in hoodies sitting in the dark
• Commercial enterprises – well resourced – run as 9-5 companies
• Free wifi, public space
• (Spear) Phishing attack (email attack)
• Social engineering
• Qaullcart.com vs Qualicart.com
• Email signature
• Ransomware (smokescreen)
• Ransomware as a service (Ransom32)
• Pyramid affiliate schemes
• Very popular – crypto currencies + anonymous web
• Real target - gamed stock, customer information

Page 16

How can you help protect your organisation?

1. You are a target – be vigilant at all times (Social Engineering)
2. Don’t open up unknown attachments!! (Emails!! + Personal)
3. Understand what qualifies as sensitive data within your organisation (assets)
4. Backup data (work and personal)
5. Understand how to identify and avoid threats (skeptical mindset + phone)
6. Understand your organisation’s acceptable use policies
7. Understand your organisation’s security policies
8. If you’re ever in doubt – ask for help!

Page 17