Operationalizing Advanced Threat Solutions
Source: d2zmdbbm9feqrf.cloudfront.net/2017/usa/pdf/BRKSEC-2047.pdf
Posted: Jul 04, 2018

Transcript

Page 2:

Operationalizing Advanced Threat Solutions

Karel Simek, Technical Marketing Engineer

BRKSEC-2047

Page 3:

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to chat with the speaker after the session

How:

1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.

cs.co/ciscolivebot#BRKSEC-2047

Page 4:

Definition – Advanced Adversary

• A step below government-sponsored attackers, but much more widespread
• Individuals or organized groups, not governments
• Going after a smaller number of targets, but with higher profit per target
• Capable of steering infections individually
• Going after $$ - intellectual property, access and user data

Page 5:

Sun Tzu, The Art of War

“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him”

Image: http://maxpixel.freegreatpicture.com/Museum-Statue-Xian-Old-China-Warriors-1445587

Page 6:

Agenda

• Motivation
• Knowing the Enemy
• Strategic Considerations
• The Process
• Putting It All Together
• Wrap-up

Page 7:

Karel Simek – Technical Marketing Engineer

[email protected]

• Prague, Czech Republic

• CTA Scrum Product Owner, Security Research & Evangelist

• UI and Usability focus

• Came to Cisco from Cognitive Security

• 7 Years of experience

Page 8:

Agenda (repeated as section divider)

Page 9:

Challenges Today

• Many discrete security products

• Information overload

• High cost of attacker attribution

• Inefficient breach mitigation process

Page 10:

Limits Of Preventive Security – 10%

[Chart: month by month from 2016-07 to 2016-12, share of detections (0–100%) split into Detection and Retrospective Detection. Source: AMP & Threat Grid Research and Efficacy Report 12/2016]

Page 11:

Agenda (repeated as section divider)

Page 12:

From The Trenches

(Table reconstructed from the flattened slide; cells are assigned to the column they most plausibly belong to.)

Attacker | Entry point | Command and control | Anti-techniques | Mission/Capability
PowerDuke | Spear-phishing | Steganography (images); direct IP (no domain); long-lived | Anti-VM | PowerShell; complete compromise; exfiltration; lateral movement
Grizzly Steppe | Spear-phishing; weaponized docs | Layered infrastructure; hacked servers; direct IP (no domain); HTTP/HTTPS | Anti-sandbox; anti-analysis | PowerShell
StrongPity | Trojanized installers; watering holes; fake web sites | Domain based; hard-coded | Stolen certificates | 
DarkHotel | Phishing; shortcut files | Use of legitimate sites (Dropbox) | Anti-analysis tools | PowerShell; Python

Page 13:

• Sandboxing & analysis evasion
• Misuse of legitimate resources
• Layers of functionality
• No AV detection
• Steganography
• Stable C&C

Page 14:

Agenda (repeated as section divider)

Page 15:

Hinder In-Advance Attack Preparation

Page 16:

Hinder In-Advance Attack Preparation

Cognitive Threat Analytics

• Internal state
• Passive
• No feeds

Page 17:

Hinder In-Advance Attack Preparation

StealthWatch

• Passive
• Lateral movement
• Baselining

Page 18:

Deploy Generic C&C Detectors

Page 19:

Deploy Generic C&C Detectors

Umbrella Investigate

• Predictive algorithms
• Automatic takedown
• Co-occurrences

Page 20:

Deploy Generic C&C Detectors

Cognitive Threat Analytics

• Uncover entire infrastructure
• Behavior and context
• Including low & slow and steganography-based channels
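As an added illustration of what a generic C&C detector looks for (this is example code written for this transcript, not part of the deck and not Cisco's CTA implementation), the Python below scores web-proxy traffic on behavior rather than on a known-bad list: raw-IP destinations ("direct IP, no domain" in the campaign table), timer-like periodicity, and long beacon intervals ("low & slow"). The log line format, the client and destination addresses, the scoring weights and the thresholds are assumptions made for the example; the log lines are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed web-proxy log (not from the deck). Assumed line format:
# "<ISO-8601 timestamp> <client IP> <method> <URL> <status> <bytes>"
SAMPLE_LOG = "\n".join(
    # 10.0.0.5 fetches a small image from a raw IP about once an hour, with a few
    # seconds of jitter: the "steganography, direct IP, long-lived" pattern.
    [f"2017-06-01T{h:02d}:00:{s:02d} 10.0.0.5 GET http://203.0.113.10/img/{h}.png 200 5120"
     for h, s in zip(range(8, 18), (0, 3, 1, 5, 2, 4, 0, 3, 1, 2))]
    # 10.0.0.7 browses a named site at irregular times: ordinary background traffic.
    + ["2017-06-01T08:12:40 10.0.0.7 GET http://www.example.com/ 200 8000",
       "2017-06-01T08:13:05 10.0.0.7 GET http://www.example.com/style.css 200 1200",
       "2017-06-01T10:47:19 10.0.0.7 GET http://www.example.com/news 200 9100",
       "2017-06-01T15:02:58 10.0.0.7 GET http://www.example.com/about 200 4000"]
    # 10.0.0.9 posts to a raw IP once: worth a look, but no periodicity to score.
    + ["2017-06-01T11:30:00 10.0.0.9 POST http://198.51.100.7/up 200 300"]
)


def parse_line(line):
    ts, client, method, url, status, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": urlsplit(url).hostname or "", "status": int(status), "bytes": int(size)}


def is_raw_ip(host):
    """True when the destination is a bare IP address rather than a domain name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def periodicity(timestamps, min_requests=4, max_cv=0.05):
    """Return (mean gap in seconds, coefficient of variation) when the request
    series looks timer-driven, else None. A sleep()-based implant produces gaps
    with a tiny cv; a person or a browser does not."""
    if len(timestamps) < min_requests:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    cv = statistics.pstdev(gaps) / mean
    return (mean, cv) if cv <= max_cv else None


def detect_c2(log_text, low_and_slow_gap=1800):
    """Score every (client, destination host) pair on generic C&C traits instead
    of on a known-bad list: raw-IP destination (+2), periodic beaconing (+3) and a
    beacon interval of low_and_slow_gap seconds or more (+1). Returns findings
    sorted by score, highest first; pairs scoring zero are not reported."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_pair[(ev["client"], ev["host"])].append(ev["ts"])
    findings = []
    for (client, host), stamps in by_pair.items():
        score, reasons = 0, []
        if is_raw_ip(host):
            score += 2
            reasons.append("direct IP, no domain")
        beat = periodicity(stamps)
        if beat:
            mean_gap, cv = beat
            score += 3
            reasons.append(f"periodic, every {mean_gap:.0f}s (cv={cv:.3f})")
            if mean_gap >= low_and_slow_gap:
                score += 1
                reasons.append("low & slow")
        if score:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in detect_c2(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: score {f['score']} ({', '.join(f['reasons'])})")
```

On the constructed sample the hourly image fetcher scores 6 (raw IP, periodic, low & slow) and the single POST to a raw IP scores 2; the named-site browsing is not reported at all. The point of the design is that nothing in it depends on a feed: the same logic keeps firing when the adversary moves to a fresh IP.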

Page 21:

Deploy Generic C&C Detectors

TALOS

• Threat research
• Threat hunting

Page 22:

Collect Endpoint and Network Level Traces

Because:
• Coding errors happen
• Mistakes happen
• Detections due to a definition update happen

Do:
• Collect and have at hand endpoint and network activity logs
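An added example of why the traces have to exist before the verdict does (example code for this transcript, not the deck's and not AMP's implementation): an in-memory store of file-execution events that can answer, once a hash turns malicious in a later definition update, which hosts ran it, when, what launched it and what it spawned. Host names, hash labels, paths and timestamps are constructed.

```python
import ntpath
from collections import defaultdict
from datetime import datetime

# Constructed endpoint trace (not from the deck): one record per file execution,
# kept whether or not anything was flagged at the time. Hashes are fictional labels.
SAMPLE_TRACE = [
    # (timestamp, host, sha256, path, parent process)
    ("2017-06-01T09:02:11", "WS-017", "sha-evil", r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "winword.exe"),
    ("2017-06-01T09:02:30", "WS-017", "sha-ps", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "invoice.exe"),
    ("2017-06-01T09:10:00", "WS-017", "sha-evil", r"C:\Users\alice\AppData\Local\Temp\invoice.exe", "explorer.exe"),
    ("2017-06-01T10:15:40", "WS-023", "sha-evil", r"C:\Users\bob\Downloads\invoice.exe", "explorer.exe"),
    ("2017-06-01T10:16:02", "WS-023", "sha-ps", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "invoice.exe"),
    ("2017-06-01T11:00:00", "WS-040", "sha-chrome", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "explorer.exe"),
]


class TraceStore:
    """Append-only store of execution events, indexed by file hash and by host."""

    def __init__(self):
        self.by_hash = defaultdict(list)
        self.by_host = defaultdict(list)

    def record(self, ts, host, sha256, path, parent):
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "sha256": sha256,
              "path": path, "parent": parent}
        self.by_hash[sha256].append(ev)
        self.by_host[host].append(ev)

    def retrospect(self, sha256, verdict_ts):
        """Retrospective detection: the hash was clean when it ran and has just been
        re-classified as malicious (a definition update, a sandbox verdict). Return,
        per host that executed it, the first execution, what launched it, how many
        times it ran and the dwell time until the verdict."""
        verdict = datetime.fromisoformat(verdict_ts)
        per_host = {}
        for ev in sorted(self.by_hash[sha256], key=lambda e: e["ts"]):
            h = per_host.setdefault(ev["host"], {"first_seen": ev["ts"], "path": ev["path"],
                                                 "launched_by": ev["parent"], "executions": 0})
            h["executions"] += 1
        for h in per_host.values():
            h["dwell_hours"] = (verdict - h["first_seen"]).total_seconds() / 3600
        return per_host

    def spawned_by(self, host, sha256):
        """Follow the trace forward: paths of every process the malicious file started
        on this host after it first ran there (spread on the endpoint)."""
        runs = [e for e in self.by_host[host] if e["sha256"] == sha256]
        if not runs:
            return []
        first = min(runs, key=lambda e: e["ts"])
        name = ntpath.basename(first["path"]).lower()
        return sorted({e["path"] for e in self.by_host[host]
                       if e["parent"].lower() == name and e["ts"] >= first["ts"]})


def build_sample_store():
    store = TraceStore()
    for rec in SAMPLE_TRACE:
        store.record(*rec)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    # Two days later the hash turns malicious; now the stored trace pays off.
    for host, info in store.retrospect("sha-evil", "2017-06-03T14:00:00").items():
        print(f"{host}: first ran {info['first_seen']} via {info['launched_by']}, "
              f"{info['executions']}x, dwell {info['dwell_hours']:.1f} h, "
              f"spawned {store.spawned_by(host, 'sha-evil')}")
```

The launching parent is the root-cause lead (winword.exe on WS-017 points at a weaponized document), the spawned list is the immediate-reaction scope, and the dwell time is the number that decides whether this is still an "everyday infection" or something the full IR process has to take over.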

Page 23:

Collect Endpoint and Network Level Traces

AMP for Endpoints

• Collects traces

• Retrospection

• Root cause analysis


Page 24:

Collect Endpoint and Network Level Traces

StealthWatch

• NetFlow for security


Page 25:

Collect Endpoint and Network Level Traces

Threat Grid

• Global database

• Indicators of compromise

• Pivoting and context


Page 26:

Use Vendor with Large Threat Research Team

Page 27:

Use Vendor with Large Threat Research Team – TALOS

Threat intel:
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 1100+ threat traps
• 100+ threat intelligence partners
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• 20 billion threats blocked

Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning

Intel sharing: customer data sharing programs, service provider coordination program, open source intel sharing, 3rd party programs (MAPP), industry sharing partnerships (ISACs), 500+ participants

Page 28:

Use Vendor with Large Threat Research Team – TALOS (image slide)

Page 29:

Deploy Full Detector Stack

Axes on the slide: “More detectors” against “Complex malware”; “Bugs, Cost & Risk Increase”.

• FW/NGFW
• NGIPS
• Antivirus
• Reputation/Rules
• Policy/Patches
• Content Filtering
• Sandboxing
• Anomaly
• Machine Learning

Page 30:

Deploy Full Detector Stack

[Chart: per-engine share (0–100%) of Detection versus Retrospective Security for 3rd Party, ETHOS, SPERO, ClamAV, TALOS + Misc and Sandbox. Source: Cisco AMP and Threat Grid efficacy report of 12/2016]

Noticed any silver bullet? Neither did we…

Page 31:

Deploy Full Detector Stack

Detecting VM/Sandbox: the same VM detector is run on a physical box and on a sandbox (slide labels: “VM Detector on a physical box”, “VM Detector on a sandbox”, “Sandbox detection”, “detection”). A sample that probes for the sandbox gives itself away, so the sandbox detection is itself detected.
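Added example, not from the deck and not Threat Grid's logic: one way to detect sandbox detection is to run the same sample on a physical box and in a sandbox and compare the two behaviour reports. The Python below flags environment checks (VirtualBox, VMware and Sandboxie artefacts), time stalling, and divergence in the impactful actions between the two runs. The report format, the API names, the indicator list, the thresholds and both reports are constructed for the example.

```python
import re

# Constructed dynamic-analysis reports (not from the deck, not Threat Grid output):
# the ordered list of notable calls one sample made when run on a physical box and
# when run inside a sandbox. API names and arguments are illustrative.
BARE_METAL_REPORT = [
    "NtQuerySystemInformation",
    r"RegOpenKeyEx HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"RegOpenKeyEx HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    "GetModuleHandle SbieDll.dll",
    "Sleep 2000",
    r"WriteFile C:\ProgramData\svchost.exe",
    r"RegSetValueEx HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
    "CreateProcess powershell.exe -nop -w hidden -enc JABjAD0A",
    "InternetOpenUrlA http://203.0.113.10/c/beacon",
]
SANDBOX_REPORT = [
    "NtQuerySystemInformation",
    r"RegOpenKeyEx HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"RegOpenKeyEx HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    "GetModuleHandle SbieDll.dll",
    "Sleep 600000",
    "ExitProcess 0",
]

# Artefacts a sample touches when it is looking for a VM or a sandbox.
VM_CHECK_PATTERNS = [
    r"VBoxGuest|VBoxMouse|VBOX__",      # VirtualBox drivers and ACPI tables
    r"VMware",                          # VMware Tools keys and devices
    r"SbieDll\.dll",                    # Sandboxie
    r"\bCPUID\b",                       # hypervisor bit / vendor string
    r"IsDebuggerPresent|CheckRemoteDebuggerPresent",
]
# Calls that change the box: what an evasive sample withholds under analysis.
IMPACT_PREFIXES = ("WriteFile", "RegSetValueEx", "CreateProcess", "InternetOpenUrl",
                   "connect", "CreateRemoteThread", "WriteProcessMemory")
STALL_MS = 300_000  # a single sleep this long is there to outlast the sandbox timer


def vm_checks(report):
    """Calls in the report that match a known VM/sandbox probe."""
    return [call for call in report if any(re.search(p, call) for p in VM_CHECK_PATTERNS)]


def stalls(report):
    """True when the sample sleeps long enough to run the analysis clock out."""
    longest = 0
    for call in report:
        m = re.match(r"Sleep\s+(\d+)", call)
        if m:
            longest = max(longest, int(m.group(1)))
    return longest >= STALL_MS


def impact(report):
    return [c for c in report if c.startswith(IMPACT_PREFIXES)]


def divergence(bare_metal, sandbox):
    """Share of the bare-metal impactful actions that never happened in the sandbox:
    0.0 means identical behaviour, 1.0 means the payload was withheld entirely."""
    bare, box = impact(bare_metal), impact(sandbox)
    if not bare:
        return 0.0
    return 1.0 - len(set(bare) & set(box)) / len(bare)


def classify(bare_metal, sandbox):
    """Combine the three signals into the verdict an analyst wants: did the sample
    detect the sandbox, and did that detection change what it did?"""
    checks = vm_checks(bare_metal) or vm_checks(sandbox)
    div = divergence(bare_metal, sandbox)
    stalling = stalls(sandbox) and not stalls(bare_metal)
    if div >= 0.5 and (checks or stalling):
        verdict = "evasive: detects the sandbox and withholds its payload"
    elif checks:
        verdict = "environment-aware but runs anyway"
    elif div >= 0.5:
        verdict = "divergent without a visible check: review timing and inputs"
    else:
        verdict = "consistent across environments"
    return {"vm_checks": checks, "stalling": stalling, "divergence": round(div, 2),
            "verdict": verdict}


if __name__ == "__main__":
    print(classify(BARE_METAL_REPORT, SANDBOX_REPORT))
```

The two reports are the "VM detector on a physical box" and "VM detector on a sandbox" cells of the slide's quadrant. A sample that runs the checks but behaves the same in both places is merely environment-aware; the one that drops its persistence, process launch and beacon only on bare metal is the case the sandbox alone would have scored as clean.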

Page 32:

Deploy Full Detector Stack

Pre-infection:
• TALOS
• AMP inline blocking

Post-infection:
• AMP retrospection
• Threat Grid
• CTA
• Investigate

Page 33:

Agenda (repeated as section divider)

Page 34:

Everything is Deployed

• Minimalist deployment example

[Diagram: endpoints with AMP connectors and a web proxy send HTTP/HTTPS (plus SSH/SCP to the logs upload service) through an Internet proxy to the CTA Cloud, the AMP Cloud and the TG Cloud; the security analyst works in the AMP Cloud UI and CTA UI; the SIEM receives results over HTTPS, with TAXII for CTA incidents.]

Page 35:

Everything is Configured…Now what?

Page 36:

30,000 Feet View

Three layers, bottom to top:

• Preventive Security – dealing with everyday attacks
• Breach Detection and Mitigation (NEW) – dealing with everyday infections
• Full IR (optional) – dealing with critical infections

Page 37:

Breach Detection And Mitigation - Practically!

Breach Detection:
• Detecting a breach
• Establishing priority rating

Immediate Reaction:
• Following traces from C&C to a file
• Estimating spread on the endpoint and in the network
• Reviewing related network activity

Final Reaction:
• Finding additional malicious activity on the endpoint
• Analyzing the root cause
• Reimaging the affected endpoints
• Updating policies to prevent reinfection

Page 38:

Breach Detection and Mitigation Process

• CTA detects C2 channel (or Investigate or IoC or Talos)

• TG provides global and local file behavior context (endpoint level details)

• AMP identifies files responsible for C&C activity and provides endpoint visibility

• AMP quarantines malicious executables and blocks their further reintroduction

• ISE quarantines the endpoint

• AMP is used for root cause analysis before endpoint is re-imaged

All steps need to be done within hours to prevent data leaks!


Page 39:

[Compare with] Preventive Security Process

• AV, IPS, blacklist, … detects activity as malicious and blocks it (unattended)
• Reporting is reviewed and policies are updated accordingly (monthly)

Done!

Page 40:

Notification About a Breach

Daily reports in CTA

Weekly reports in AMP

Too Slow!


Page 41:

Notification About a Breach - Better!

• Subscribe to email alerts

• Use SIEM for a more granular control


Page 42:

Separating Breach from Breach Attempt

Is that pre- or post-infection traffic?

• Stealthwatch: separate category
• CTA: always reports compromises
• AMP: separate category – event types shown: Detection with Quarantine, Indication of Compromise, Retrospective Quarantine, Dirty Scan, Marked As Compromised

Page 43:

Establishing Priority Rating

AMP and Threat Grid threat prioritization

Page 44:

Establishing Priority Rating

CTA threat prioritization

• Low Risk – network only: try clean; if failed, monitor
• Medium Risk – light infection: try clean; if failed, reimage
• High Risk – bad infection: reimage
• Critical Risk – data damage: quarantine, reimage
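The two slides above, separating a breach from a breach attempt and rating each breach on the four CTA tiers, are one triage step in practice. The Python below is an added example of that step written for this transcript, not deck or product code. The split of the AMP event types into attempt versus breach (an inline “Detection with Quarantine” stopped the file before it ran; the retrospective and compromise events mean it ran), the Stealthwatch category names, and the rule that endpoint plus network evidence outranks either alone are assumptions made for the example; the events are constructed.

```python
from collections import defaultdict

# Constructed alerts from the three sources on the slides (not real product output).
SAMPLE_EVENTS = [
    {"source": "CTA", "host": "WS-017", "event": "C2 channel"},
    {"source": "AMP", "host": "WS-017", "event": "Retrospective Quarantine"},
    {"source": "AMP", "host": "WS-023", "event": "Dirty Scan"},
    {"source": "Stealthwatch", "host": "WS-023", "event": "Data Exfiltration"},
    {"source": "CTA", "host": "WS-031", "event": "C2 channel"},
    {"source": "AMP", "host": "WS-050", "event": "Detection with Quarantine"},
    {"source": "Stealthwatch", "host": "WS-050", "event": "Port Scan"},
]

# Assumed split of the AMP event types named on the slide: an inline "Detection with
# Quarantine" stopped the file before it ran (an attempt); Indication of Compromise,
# Retrospective Quarantine, Dirty Scan and Marked As Compromised mean it ran (a breach).
AMP_ATTEMPT_EVENTS = {"Detection with Quarantine"}
# Assumed Stealthwatch categories that are pre-infection noise rather than a breach.
NETWORK_ATTEMPT_EVENTS = {"Port Scan", "Brute Force", "Exploit Attempt"}
DAMAGE_EVENTS = {"Data Exfiltration", "Data Destruction"}

# The four tiers and responses from the CTA prioritization slide.
RISK_ORDER = ["Low", "Medium", "High", "Critical"]
PLAYBOOK = {
    "Low": ["Network-only evidence: try to clean", "If cleaning fails, monitor"],
    "Medium": ["Light infection: try to clean", "If cleaning fails, reimage"],
    "High": ["Bad infection: reimage"],
    "Critical": ["Data damage: quarantine the endpoint (ISE)", "Reimage"],
}


def normalize(raw):
    """Reduce a vendor event to (layer, kind, damage) so the rules stay vendor-neutral."""
    src, ev = raw["source"], raw["event"]
    if src == "AMP":
        kind = "attempt" if ev in AMP_ATTEMPT_EVENTS else "breach"
        return {"host": raw["host"], "layer": "endpoint", "kind": kind,
                "damage": False, "evidence": f"{src}: {ev}"}
    # CTA and Stealthwatch watch the network; CTA only ever reports compromises.
    kind = "attempt" if src == "Stealthwatch" and ev in NETWORK_ATTEMPT_EVENTS else "breach"
    return {"host": raw["host"], "layer": "network", "kind": kind,
            "damage": ev in DAMAGE_EVENTS, "evidence": f"{src}: {ev}"}


def risk_level(evidence):
    """Network-only evidence is Low; a confirmed file on the endpoint is Medium; endpoint
    plus a live C2 channel is High; anything showing data damage is Critical."""
    if any(e["damage"] for e in evidence):
        return "Critical"
    layers = {e["layer"] for e in evidence}
    if layers == {"network", "endpoint"}:
        return "High"
    if "endpoint" in layers:
        return "Medium"
    return "Low"


def triage(raw_events):
    """Separate attempts from breaches, rate each breached host and attach the playbook.
    Attempts are returned too: they feed the monthly policy review, not the IR queue."""
    attempts, per_host = [], defaultdict(list)
    for raw in raw_events:
        ev = normalize(raw)
        if ev["kind"] == "attempt":
            attempts.append(ev["evidence"] + f" on {ev['host']}")
        else:
            per_host[ev["host"]].append(ev)
    breaches = {}
    for host, evidence in per_host.items():
        risk = risk_level(evidence)
        breaches[host] = {"risk": risk, "evidence": [e["evidence"] for e in evidence],
                          "actions": PLAYBOOK[risk]}
    # Work the worst first: the deck's point is that these steps must finish within hours.
    ordered = sorted(breaches.items(), key=lambda kv: RISK_ORDER.index(kv[1]["risk"]),
                     reverse=True)
    return {"breaches": dict(ordered), "attempts": attempts}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, info in result["breaches"].items():
        print(host, info["risk"], info["evidence"], "->", info["actions"])
    print("blocked attempts (policy review only):", result["attempts"])
```

This is the glue a SIEM rule or a ticketing integration would carry: the inline block on WS-050 never becomes a ticket, WS-031 with a C2 channel but nothing confirmed on disk is a Low-risk clean-and-monitor, and WS-023 goes straight to ISE quarantine because the network layer already shows data leaving.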

Page 45:

Establishing Priority Rating (image slide)

Page 46:

Establishing Priority Rating

Demo: CTA Priority Rating

Page 47:

Establishing Priority Rating

Demo: AMP Event Correlation

Page 48:

UI or no UI – A Case for SIEM

UI or SIEM?

Page 49:

UI or no UI – A Case for SIEM

Demo: Threat Grid - CTA Integration

Page 50:

Use of Ticket Management System

• Both AMP for Endpoints and CTA offer distinct workflow support (+ textual comment)

Page 51:

Demo: AMP and CTA Workflow support

Page 52:

Agenda (repeated as section divider)

Page 53:

Breach Detection And Mitigation - Practically! (recap of the three phases from Page 37: Breach Detection, Immediate Reaction, Final Reaction)

Page 54:

Step 1: Breach Detection

Page 55: (image slide)

Page 56:

Demo: Breach Detection

Page 57:

Recap: CTA threat prioritization (Low – network only; Medium – light infection; High – bad infection; Critical – data damage; the full matrix is on Page 44)

Page 58:

Step 2: Immediate Reaction

Page 59:

Demo: Immediate Reaction

Page 60:

Step 3: Final Reaction

Page 61:

Demo: Final Reaction

Page 62:

Complex Malware Revealed

• PowerShell privilege escalation
• Browser extension installation
• Stealing browser credentials
• Malware injection path

Would be prevented by ISE quarantine

Page 63:

Browser Exfiltration Module Revealed

C:/Users/Student1/AppData/Roaming/Mozilla/Firefox/Profiles/…/chrome/content/overlay.js

Page 64:

It Gets Better! Automatic ISE quarantine

Device → HTTP(S) logs → CTA → Incident (STIX/TAXII) → ISE → Quarantine

Page 65:

Agenda (repeated as section divider)

Page 66:

Takeaways and Action

• Know your enemy

• Know how to fight them

• Understand the process from top to bottom

• See it in action – breach mitigated within hours

• Go try AMP for Endpoints (includes Threat Grid and CTA integrations)

Page 67:

Technologies Used

AMP for Endpoints

• Cognitive Threat Analytics (integrated into AMP)

• Threat Grid (integrated into AMP)

StealthWatch (optional)

ISE (optional)

Page 68:

Other Analytics Talks

• Introduction to Security Analytics, BRKSEC-1007 – Brian Ford, TME – Monday 4 PM
• Deciphering Malware's Use of TLS (without Decryption), BRKSEC-2809 – Blake Anderson, Technical Leader – Thursday 10:30 AM
• Detecting Threats with Advanced Analytics, BRKSEC-3106 – Martin Rehak, Principal Engineer – Wednesday 1:30 PM

Page 69:

Resources

http://www.cisco.com/c/en/us/products/security/solution-listing.html

http://blogs.cisco.com/security

https://github.com/kbandla/APTnotes

https://cognitive.cisco.com/

Page 70:

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.

• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Page 71:

Thank you

Page 72: (blank slide)

Page 73:

Cybersecurity Cisco Education Offerings

• Understanding Cisco Cybersecurity Fundamentals (SECFND) – The SECFND course provides understanding of cybersecurity's basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills. Certification: CCNA® Cyber Ops
• Implementing Cisco Cybersecurity Operations (SECOPS) – This course prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level. Certification: CCNA® Cyber Ops
• Securing Cisco Networks with Threat Detection and Analysis (SCYBER) – Designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, event monitoring, security event/alarm/traffic analysis (detection), and incident response. Certification: Cisco Cybersecurity Specialist
• Cisco Security Product Training Courses – Official deep-dive, hands-on product training on Cisco's latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more.

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth

Page 74:

Cybersecurity Cisco Education Offerings

• New! CCIE Security 5.0 – Certification: CCIE® Security

CCNP® Security:
• Implementing Cisco Edge Network Security Solutions (SENSS) – Configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls
• Implementing Cisco Threat Control Solutions (SITCS) v1.5 – Implement Cisco's Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security
• Implementing Cisco Secure Access Solutions (SISAS) – Deploy Cisco's Identity Services Engine and 802.1X secure network access
• Implementing Cisco Secure Mobility Solutions (SIMOS) – Protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions

• Implementing Cisco Network Security (IINS 3.0) – Focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features. Certification: CCNA® Security

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com

Questions? Visit the Learning@Cisco Booth