Conférence CISCO ACSS 2018

Oran – 4 Avril 2018
Consultant Securite Afrique
Cisco 2018
Annual Cybersecurity Report
Tendances Chez les Attaquants et
chez les Defendants
Babacar Wagne

2018 Annual Cybersecurity Report
• Unprecedented levels of sophistication and impact
• Becoming more adept at evasion
• Exploiting new technology security gaps

• Visibilite – Traffic Encrypte

Malicious Binaries and Encryption
Increase
November 2016
Attackers embrace encryption to conceal their command-and-control activity
19%
12% Increase
268%70%
50%
38%
Global Encrypted Web Traffic Malicious Sandbox Binaries with Encryption
October 2017

• What files are being used in mails?

Malicious Documents in Email
January-May June-October
Compared usage of malicious attachments from first portion of 2017 to second
Office
55%
Archive
415%
PDF
255%

• Techniques d’evasion dans les Sandboxes

Sandbox Evasion Patterns
Attackers are constantly testing sandbox evasion techniques
Document Close
Doc Embedded
in PDF
Malicious Samples Total Samples
Oct 2016
Volume
Volume
Oct 2017 Oct 2016 Oct 2017

• Nouveaux Types de Malware

Network-based Ransomware
Network-Based
Ransomware
Worm
WannaCry and Nyetya: rapid-moving, self-propagating network-based attacks
With active, unpatched machines, these automated worms
will attack again. Have you secured your network?

• Utilisation du Cloud

53%
manage over half of
their infrastructure in
the cloud
Ease of use (46%)
Scalability (48%)
Lack of internal workforce (41%)
Better security (57%)
Appeal:
The Cloud
Organizations increase reliance on the cloud

Malicious Use of Legitimate Resources
Adaptability
Subverts Domain and
Certificate Intelligence
Easy Setup
Whitelisted
IP Address
Cybercriminals are adopting command-and-control channels that rely on legitimate
Internet services, making malware traffic almost impossible to shut down
Reduce Burning Infrastructure
Leverage
Encryption for C2
Source: Anomali

• DDoS

IoT and DDos
Application-layer attacks
are rising, network-layer
attacks are declining
Burst attacks are
increasing
Amplification attacks
• Complexity
• Frequency
• Duration
2/5of businesses experienced a
reflection amplification attack in
2017
of those organizations
mitigated the attacks2/3
Source: Radware

• Utilisation des Domaines

How Malicious Actors Leverage Domains
60%Spam
20%Malvertising
20%Other
Organizations need to minimize access to malicious domains
Type of Attack
RLD Registered
Times
New or Reused
Domains
80%
More than
1 week
20%
Less than
1 week
42%
New
58%
Reused

• Menace Interne

Insider Threat
Machine learning algorithms can greatly help detect internal malicious actors
62%
occur outside of
normal work hours
5200
docs per user /
1.5 months
PDFs
were the most
common file type
“Data”
was the most popular
keyword in doc titles
High*
accuracy of malicious activity
detection since June 2017

• IOT

IT/OT Attack Sentiment
69%
of organizations believe
OT is a viable attack
vector in 2018
• 20% believe it will be
eventually
• 10% believe it will remain
in IT alone

ICS Vulnerabilities
Being Connected
to the Internet
Known Vulnerabilities
Rarely Patched
Lack of
Knowledge
Too Specialized
USB or DVD as Entry Point
Threat actors are actively engaged in
researching pivot points to facilitate
future attacks
Source: TrapX

• Vulnerability Management

We need a better way to improve patch management processes
High Severity Vulnerabilities and Patch Management
High severity is driven by headlines
MS17-010 Detections
Patches double as organizations
realize potential threat
Exploited vulnerability
makes headlines
Microsoft warns
of vulnerability
NumberofDetections
Month Source: Qualys

• Gestion des alertes par les Defendants

Alerts
44%of Alerts are
NOT Investigated
8%
Experienced NO
Security Alert
56%
of Alerts are
Investigated
34%
of Investigated
Alerts are
Legitimate
51%
of Legitimate Alerts
are Remediated
93%
Experienced
Security Alert
Uninvestigated alerts still create huge business risk
49%of Legitimate Alerts are
NOT Remediated

• Orchestration

Orchestration Challenges
8% 10% 21% 43% 55%
1-5 6-10 11-20 21-50 50+
Very Challenging 17% 24% 16% 42% 14% 25% 19% 14% 12% 27%
Education
Financial
Services
Government Healthcare Manufacturing Pharma Retail Telecom Transportation
Utility/
Energy
As the number of vendors increases, orchestration challenges grow

• Defenders Still use Best of Breed Approach

Defenders Still Favor Best of Breed
72%use best-of-
breed
28%use single vendor
solution
vs.

• Defenders Approach

Strategic, Operational, and Tactical Issues
26%
can be addressed
by products alone
74%
might also require
people and/or
processes to address
People
Products Policies
An overemphasis on
product solutions can leave
openings for attackers

The Need for Outsourcing
In order to keep up, organizations are looking for outside help
54%
Consulting
(up 3%)
49%
Monitoring
(up 5%)
47%
Incident Response
(up 2%)
Most Frequently
Outsourced Services

Market Expectations: Threat Landscape
The threat landscape to remain complex and
challenging
• Few predict radically new threats on the horizon, but they
see more capable and more diabolical bad actors
• Believe they’ll need ever more sophisticated security
arsenals to keep they at bay

Market Expectations: Modern Workplace
The modern workplace will continue to create
conditions that favor the attackers
• The footprint security executives must secure continues to
expand
• Employees increasingly carry their work (and the
company’s data) with them wherever they go—a well-
documented source of exposure
• Clients, partners and suppliers all need secure access to
corporate resources
• With the increasing deployment of IoT sensors, etc.,
companies’ interfaces to the internet will multiply
dramatically

Market Expectations: Scrutiny
Additional scrutiny of their ability to secure
the organization
• Many expect they’ll be under additional scrutiny—from
regulators, executives, stakeholders, partners and clients
• Top scrutiny from Executive Leadership, Clients, and
Business Partners (76%, each)
• Several CISOs mention that the need to meet others’
expectations for accessibility puts increasing strains on staff
• Current and potential clients can be particularly demanding
of information regarding security processes and protocols

Market Expectations: Breaches Drive Budget
Budgets will remain stable, unless a security
breach drives unexpected investment
• 51%: Budgets based on previous year’s budget
• 51%: Organization’s security outcome objective
• 46%: Percent of revenue
• 47%: Breach drove improvements to a great extent
!

Market Expectations: AI and Machine Learning
More spending on AI/ML capabilities
• AI, ML and automation are all increasingly desired and
expected
• 83%: Reliant on automation to reduce the level of effort to
secure the organization
• 74%: Reliant on AI to reduce the level of effort to secure
the organization
• CISOs expect to take increasing advantage of AI and
robotics

Market Expectations: Outsourcing
More reliance on outsourcing services
• 53%: More cost efficient
• 52%: Desire for more unbiased insight
• 51%: More timely response to incidents

Observed Threats and TTD
Cloud-based security technology has been a key factor in helping Cisco
maintain a low median despite an increase in threat samples
Cisco Annual Median TTD
(Hours)
37.1
14
4.6
2015 2016 2017
Number of Observed Threat Samples
10x
Increase
2016 2017

Adversary tactics are continuously evolving, using encryption and legitimate Internet
services to conceal their activity and undermine traditional security technologies
Lead from the top: executives/board set the security tone, culture
Top 7 Actions:
. Educate by roles for maximum benefit
. Adhere to corporate policies, practices for application, system, and appliance patching
. Assume ownership of IoT device security and add scanning for these devices to security reviews
. Review, practice security response procedures
. Back up data often, test restoration procedures
. Review third-party efficacy testing of security technologies to reduce risk of supply chain attacks
. Conduct security scanning of micro-service, cloud service, and application administration systems
Conclusion/Recommendations

Download the Cisco 2018
Annual Cybersecurity Report
cisco.com/go/acr2018

Conférence CISCO ACSS 2018

More Related Content

What's hot (20)

Similar to Conférence CISCO ACSS 2018 (20)

More from African Cyber Security Summit (20)

Recently uploaded (20)

Conférence CISCO ACSS 2018