Cisco Cyber Range
Paul Qiu, Senior Solutions Architect
June 2016

"What I hear, I forget. What I see, I remember. What I do, I understand." ~ Confucius
Agenda
- Cyber Range Highlights
- Cyber Range Overview & Architecture
- Cyber Range Threat Response Exercise
- Cyber Range Further Investigation
Cyber Range Highlights
- Defence organisations
- Enterprise NOC/SOC teams
- Oil and gas sectors
- Government regulatory authorities
- Consulting and auditing firms
- Large service providers
- Cyber Emergency Response Teams
- Information security and surveillance teams
- Partners, distributors, value-added resellers, and security system integrators
Workshops all over the world
Cyber Range Overview
Cyber Range Service Delivery Platform: A Platform for Service Delivery and Learning
- Deeper understanding of leading security methodologies, operations, and procedures
- Empower customers with the architecture and capability to combat modern cyber threats
- Over 100 attack cases for 12 technology solutions
- 100+ applications simultaneously merged with 200-500 different malware types
- Virtual environment accessible from any place in the world
[Diagram labels: People, Process, Data, Things]
Cisco Cyber Range Service Packages
- 3 or 5 day intensive real-life experience reacting to and defending against rudimentary and complex cyber attacks; delivery to any location
- Cyber Range built on customer premises, with updates via subscription
- Threat Intelligence Report: threat modelling for the customer's network environment and regular consulting on the impact of the latest threats to the customer's security posture
- 3 or 5 day intensive real-life experience; rent the Cyber Range Services Delivery Platform, including a test engineer; local Cisco Services Lab
Cyber Range Capabilities can improve cyber defence operational capabilities by way of:
- Architecture / design validation
- Incident response playbook creation / validation
- War game exercises
- Hands-on training for individual technologies
- Threat mitigation process verification
- Simulating advanced threats (zero day / APT)
Cyber Range Architecture
Covering the Entire Attack Continuum
- BEFORE: Discover, Enforce, Harden
- DURING: Detect, Block, Defend
- AFTER: Scope, Contain, Remediate
Technologies across the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behaviour Analysis, NAC + Identity Services, Email Security
Underpinned by: Visibility and Context
Cisco CSIRT Protection Model
- Prevent: Network IPS, Host IPS, Firewall, Anti-Virus, Web proxy, Anti-Spam
- Detect: Network IDS, Advanced Malware, Behavioural anomaly, NetFlow anomaly
- Collect: NetFlow, Event logs, Web proxy logs, Web firewall
- Analyse: SIEM analysis, NetFlow analysis, Malware analysis
- Mitigate: IP blackhole, account disablement
- Foundation: scalable load balancer, device monitoring
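As an added illustration of the Collect, Analyse and Mitigate stages of the model above (example code written for this page, not Cisco's or the Cyber Range's own tooling): the flow records are constructed, and the ratio-to-median rule is an assumed, deliberately simple NetFlow anomaly check that produces IP blackhole actions for operator review.

```python
"""Toy walk-through of the CSIRT chain Collect -> Analyse -> Mitigate.

Constructed NetFlow-style records, not real NetFlow export: each tuple is
(src_ip, dst_ip, dst_port, bytes_out). One internal host moves far more
data outbound than its peers.
"""
from collections import defaultdict
from statistics import median

FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, 12_000),
    ("10.0.0.5", "93.184.216.34", 443, 9_500),
    ("10.0.0.6", "93.184.216.34", 443, 11_000),
    ("10.0.0.7", "93.184.216.34", 80, 8_000),
    ("10.0.0.8", "93.184.216.34", 443, 10_500),
    ("10.0.0.9", "198.51.100.7", 443, 950_000),  # unusually large transfer
    ("10.0.0.9", "198.51.100.7", 443, 910_000),
]


def collect(flows):
    """Collect stage: aggregate outbound bytes per internal source host."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def analyse(totals, ratio=10.0):
    """Analyse stage: flag hosts whose outbound volume exceeds `ratio` times
    the median across all hosts. The median is used on purpose: with a
    handful of hosts, a single talker dominates the mean and standard
    deviation, so a classic z-score test would fail to flag it."""
    if not totals:
        return []
    baseline = median(totals.values())
    if baseline == 0:
        return []
    return sorted(h for h, v in totals.items() if v / baseline > ratio)


def mitigate(anomalous_hosts):
    """Mitigate stage: emit the IP blackhole actions an operator would review
    before they are pushed to routing or firewall policy."""
    return [{"action": "ip_blackhole", "host": h} for h in anomalous_hosts]


def run(flows):
    """Run the three stages end to end and return the proposed actions."""
    return mitigate(analyse(collect(flows)))


if __name__ == "__main__":
    for action in run(FLOWS):
        print(action)
```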
Cyber Range Network Components Overview
StealthWatch Management Console (SMC), Flow Collector (FC), Internet, Cisco Talos, Identity Services Engine, Web Security Appliance, Email Security Appliance, Sourcefire IPS, Wireless Security, ASAv, N1KV, Cyber Threat Defence, NetFlow, AVC, TrustSec, ASA NGFW, FireSIGHT, Cisco Prime, Splunk, Virtual Security, IXIA BreakingPoint, Open Source Attack Tools, Inside Host, Data Analytics
Cyber Range Network 1
Meet the Teams
Red Team
- Agenda: infiltrate networks to steal data and/or cause damage for publicity or gain
- Skill set: high
- Location: everywhere
Blue Team
- Agenda: monitor and defend attacks against Cyber Range networks and their clients
- Skill set: high
- Location: Security Operations Centre
Green Team
- Agenda: enhance knowledge of attack and defence strategies; hopes to one day join the red or blue teams
- Skill set: varied
- Location: this room
Cyber Range Networks: Biggest Threats?
Cyber Range Threat Response Exercise
Incident Categories by CERT
- CAT 0, Exercise / Network Defence Testing: Known vulnerability assessments, audits, Q/C incident tests, table-top exercises, etc.
- CAT 1, Unauthorised Access: Logical or physical access without permission (regardless of awareness) to a network, system, application, data, or other resource, from internal to external.
- CAT 2, Denial of Service (DoS): An attack that successfully prevents or impairs the normal authorised functionality of networks, systems or applications by exhausting resources. This activity includes being the victim of or participating in the DoS.
- CAT 3, Malicious Code: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application.
- CAT 4, Improper Usage: Any acceptable-use, lab, minimum host, general insecurity, or other policy violations, unscheduled vulnerability assessments, external vulnerability notification, etc. An employee violates acceptable computing use policies.
- CAT 5, Scans/Probes/Attempted Access: Any activity that seeks to access or identify a company asset, including computers, open ports, protocols, services, or any combination, for later exploit. This activity does not directly result in a compromise or denial of service.
- CAT 6, Investigation: Unconfirmed incidents where evidence is inconclusive, or when supporting another team's investigation. Potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
Cyber Range Further Investigation
Additional Resources
- Service Overview: www.getcyberrange.com and https://www.servicesdiscovery.com/en/article.php?idx=218
- Sales Collateral: https://cisco.jiveon.com/groups/cisco-cyber-range
- Contact Us: Cyber-Range@cisco.com