Cisco Cyber Range Paul Qiu Senior Solutions Architect
Cyber Range Service: a platform to experience intelligent cyber security for the real world. "What I hear, I forget. What I see, I remember. What I do, I understand." ~ Confucius
Cyber Range Overview
Agenda: Cyber Range Journey; Cisco Cyber Security Overview; Cyber Range Overview & Architecture; Cyber Range APT Case Study
Cisco Cyber Range Journey
08/2014 - PACIFIC ENDEAVOR 2014: 10 teams took part in the Cyber Range Challenge
09/2014 - Cyber Range 5 Day Workshop, India Service Provider
10/2014 - Cyber Range 3 Day Workshop, Taiwan Manufacturer
01/2015 - Cyber Range 5 Day Workshop, India Service Provider
Cisco Cyber Security Overview
Breaches Happen in Hours, But Go Undetected For Weeks/Months
Timespan of events by percent of breaches:
                                          Seconds  Minutes  Hours  Days  Weeks  Months  Years
Initial Attack to Initial Compromise          10%      75%    12%    2%     0%      1%     1%
Initial Compromise to Data Exfiltration        8%      38%    14%   25%     8%      8%     0%
Initial Compromise to Discovery                0%       0%     2%   13%    29%    54%+     2%
Discovery to Containment/Restoration           0%       1%     9%   32%    38%     17%     4%
In 60% of breaches, data is stolen within hours (seconds + minutes + hours of the exfiltration row). 85% of breaches are not discovered for weeks or longer (weeks + months + years of the discovery row).
Anatomy of a Modern Threat: the infection entry point occurs outside the enterprise (Internet and cloud apps); the advanced online threat then bypasses the perimeter defence (public network perimeter, campus); once inside, the threat spreads and attempts to exfiltrate valuable data from the data centre.
Cisco Cyber Security: VISIBILITY (deep insight to detect advanced threats), INTELLIGENCE (contextual awareness to pinpoint attacks), CONTROL (ubiquitous defence to manage threats)
Visibility
  Identity: user, device, access, location, time
  AVC: application recognition and identification
  NetFlow: network-wide traffic patterns
  Security: firewall, intrusion, web & email security
Intelligence
  Analytics: Stealthwatch, Splunk
  Reputation: Security Intelligence Operations (SIO)
Control
  TrustSec: network flow tagging and blocking
  Security: firewall, intrusion, web & email security
Cyber Range Overview
Cyber Range Overview: a platform to experience intelligent cyber security for the real world
Cyber Range Remote Capabilities: delivered over the Internet to road shows, exhibition centres, customer sites, campuses and partners
Cyber Range capabilities can improve cyber defence operational capabilities by way of:
  Architecture / design validation
  Incident response playbook creation / validation
  War game exercises
  Hands-on training for individual technologies
  Threat mitigation process verification
  Simulating advanced threats (zero day / APT)
Cisco Cyber Range Service Features
  Infrastructure: wired, wireless, and remote access; network and routing; client simulator; server simulator; application simulator; traffic generation
  Attacks: day 0 attacks / new threats; DDoS; network reconnaissance; application attacks; data loss; computer malware; mobile device malware; wireless attacks; evasion techniques; botnet simulation; open source attack tools; virtual network attacks
  Visibility and Control: global threat intelligence (cloud); firewall & IDS/IPS; signature based detection; behaviour based detection; data loss prevention; web & email security; application visibility & control; wireless security; identity & access management; security information and event management (SIEM); event correlation; packet capture and analysis; virtual network security; TrustSec SGT; software defined network
Cyber Range Architecture
Covering The Entire Attack Continuum
  BEFORE: Discover, Enforce, Harden
  DURING: Detect, Block, Defend
  AFTER: Scope, Contain, Remediate
  Technologies across the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behaviour Analysis, NAC + Identity Services, Email Security; visibility and context underpin all three phases
Cisco CSIRT Protection Model
  Prevent / Detect: Network IPS, Host IPS, Network IDS, Advanced Malware, Firewall, Anti-Virus, Web proxy, Anti-Spam, Behavioural anomaly, NetFlow anomaly
  Collect: NetFlow, event logs, web proxy logs, web firewall
  Analyse: SIEM analysis, NetFlow analysis, malware analysis
  Mitigate: IP blackhole, account disablement
  Foundation: scalable load balancer, device monitoring
Cyber Range Network Components Overview
Cyber Range Splunk Architecture
  Components: 2 x Search Heads, 1 x Indexer, index forwarding, mirrored dev servers, CyberRange Live inside network
  Input methods: syslog (TCP/UDP), scripted input, HTTPS
  Sources: Lancope (StealthWatch), mail logs (ESA), WWW access logs (WSA), syslog (ASA, ISE, etc.), SDEE (IPS), eStreamer (Sourcefire)
Cisco Cyber Range APT Case Study
APT - Kill Chain
  Recon: harvest contact info from social media
  Weaponize: couple an exploit with a backdoor to deliver the payload
  Deliver: deliver the weaponized bundle to the victim via email, web, USB
  Exploit: leverage a vulnerability to execute code on the victim system
  Install: install malware on the asset
  Control: use a command channel to control the victim remotely
  Action on Objectives: steal information, exfiltrate, etc.
The Great Bank Robbery: the Carbanak APT https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/
Carbanak APT Case Study (diagram: attackers, finance server)
Cyber Range The Defenders
Cyber Range Network Components Overview
Sourcefire Intrusion Events
Sourcefire Intrusion Events Detail
Sourcefire Intrusion Events Packet Capture
CTD (Cyber Threat Defense) Shows Data Loss
CTD Shows Data Loss Alarms
CTD Detail Flow
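The CTD data-loss alarms in these screenshots come from flow telemetry: an internal host whose outbound byte count to external addresses jumps far above its own baseline is flagged, which is how a Carbanak-style exfiltration from the finance segment becomes visible even when the transfer is over an allowed port. The following is an added example of that detection logic, written here for illustration and not Cisco, Lancope or StealthWatch code; the flow records, the RFC 5737 addresses, the internal ranges, the thresholds (5x baseline, 50 MB floor) and the seven-day window are all constructed assumptions.

```python
"""Flow-based data-loss detection over constructed NetFlow-style records.

Added example (not vendor code). A host is alarmed when, in the current window,
it sends >= MIN_BYTES to external addresses AND that volume exceeds RATIO times
its own average over the preceding BASELINE_WINDOWS windows. A host with no
history is alarmed on volume alone and marked new_host, so a freshly compromised
or freshly introduced machine is not hidden by a zero baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DAY = 86_400
# Assumed internal ranges; in production these come from the flow collector's host groups.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds at flow start
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_bytes(flows, start, end):
    """Bytes each internal host sent to external addresses in [start, end)."""
    totals = defaultdict(int)
    for f in flows:
        if start <= f.ts < end and is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return totals


def detect_data_loss(flows, now, window=DAY, baseline_windows=7,
                     ratio=5.0, min_bytes=50_000_000):
    """Return one alarm dict per host whose outbound volume is anomalous."""
    current = outbound_bytes(flows, now - window, now)
    history = [outbound_bytes(flows, now - (i + 2) * window, now - (i + 1) * window)
               for i in range(baseline_windows)]
    alarms = []
    for host, observed in sorted(current.items()):
        if observed < min_bytes:          # ignore small transfers outright
            continue
        baseline = sum(h.get(host, 0) for h in history) / baseline_windows
        if baseline == 0 or observed > ratio * baseline:
            alarms.append({"host": host, "observed": observed,
                           "baseline": baseline, "new_host": baseline == 0})
    return alarms


def sample_flows():
    """Constructed records: 7 quiet days for two hosts, then day 7 exfiltration."""
    flows = []
    for day in range(7):
        ts = day * DAY + 3600
        flows.append(Flow(ts, "10.1.1.20", "203.0.113.10", 443, 20_000_000))
        flows.append(Flow(ts, "10.1.1.21", "203.0.113.10", 443, 20_000_000))
    t7 = 7 * DAY + 3600
    flows += [
        Flow(t7, "10.1.1.20", "198.51.100.7", 443, 600_000_000),  # 30x the host's norm
        Flow(t7, "10.1.1.20", "10.1.1.5", 445, 500_000_000),      # internal backup, not counted
        Flow(t7, "10.1.1.21", "203.0.113.10", 443, 20_000_000),   # unchanged behaviour
    ]
    return flows


if __name__ == "__main__":
    for alarm in detect_data_loss(sample_flows(), now=8 * DAY):
        print(alarm)
```

Only 10.1.1.20 is reported: its 600 MB to an external address is 30 times its 20 MB daily baseline, while the 500 MB it copied to an internal server is ignored because the destination is inside the monitored ranges, and 10.1.1.21 stays under the 50 MB floor. A real deployment would also break the per-host counter down by destination, as the CTD detail flow view does, so the analyst can see which external peer received the data.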
Splunk Search
Q & A