© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#BRKSEC-2047
Definition – Advanced Adversary
• A step below government-sponsored attackers, but much more widespread
• Individuals or organized groups, not governments
• Going after fewer targets, but with higher profit per target
• Capable of steering infections individually
• Going after $$: intellectual property, access and user data
Sun Tzu, The Art of War
“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him”
Image: http://maxpixel.freegreatpicture.com/Museum-Statue-Xian-Old-China-Warriors-1445587
Agenda
• Motivation
• Knowing the Enemy
• Strategic Considerations
• The Process
• Putting It All Together
• Wrap-up
Karel Simek – Technical Marketing Engineer
• Prague, Czech Republic
• CTA Scrum Product Owner, Security Research & Evangelist
• UI and Usability focus
• Came to Cisco from Cognitive Security
• 7 Years of experience
Challenges Today
• Many discrete security products
• Information overload
• High cost of attacker attribution
• Inefficient breach mitigation process
Limits Of Preventive Security – 10%
Source: AMP & Threat Grid Research and Efficacy Report 12/2016
[Chart: monthly share of Detection vs. Retrospective Detection, 2016-07 to 2016-12, 0% to 100% scale]
From The Trenches
Attacker | Entry point | Command and control | Anti-techniques | Mission/Capability
PowerDuke | Spear-phishing | Steganography (images), Direct IP (no domain), Long-lived | Anti-VM | PowerShell, Complete compromise, Exfiltration, Lateral movement
Grizzly Steppe | Spear-phishing, Weaponized docs | Layered infrastructure, Hacked servers, Direct IP (no domain), HTTP/HTTPS | Anti-sandbox, Anti-analysis | PowerShell
StrongPity | Trojanized installers, Watering holes, Fake web sites | Domain based, Hard-coded | Stolen certificates | (none listed)
DarkHotel | Phishing, Shortcut files | Use of legitimate sites (Dropbox) | Anti-analysis tools | PowerShell, Python
• Sandboxing & analysis evasion
• Misuse of legitimate resources
• Layers of functionality
• No AV detection
• Steganography
• Stable C&C
Hinder In-Advance Attack Preparation
Cognitive Threat Analytics
• Internal state
• Passive
• No feeds
Hinder In-Advance Attack Preparation
StealthWatch
• Passive
• Lat. Movement
• Baselining
Deploy Generic C&C Detectors
Umbrella Investigate
• Predictive algorithms
• Automatic takedown
• Co-occurrences
Deploy Generic C&C Detectors
Cognitive Threat Analytics
• Uncover the entire infrastructure
• Behavior and context
• Including low & slow and steganography-based channels
Deploy Generic C&C Detectors
TALOS
• Threat research
• Threat hunting
Collect Endpoint and Network Level Traces
Because:
• Coding errors happen
• Mistakes happen
• Detections due to definition updates happen
Do:
• Collect and have at hand endpoint and network activity logs
Collect Endpoint and Network Level Traces
AMP for Endpoints
• Collects traces
• Retrospection
• Root cause analysis
Collect Endpoint and Network Level Traces
StealthWatch
• NetFlow for security
Collect Endpoint and Network Level Traces
Threat Grid
• Global database
• Indicators of compromise
• Pivoting and context
Use Vendor with Large Threat Research Team
TALOS
[Infographic]
• 250+ full-time threat intel researchers
• Millions of telemetry agents
• 1100+ threat traps
• 100+ threat intelligence partners
Threat intel:
• 1.5 million daily malware samples
• 600 billion daily email messages
• 16 billion daily web requests
• Honeypots
• Open source communities
• Vulnerability discovery (internal)
• Product telemetry
• Internet-wide scanning
• 20 billion threats blocked
Intel sharing:
• Customer data sharing programs
• Service provider coordination program
• Open source intel sharing
• 3rd party programs (MAPP)
• Industry sharing partnerships (ISACs)
• 500+ participants
Deploy Full Detector Stack
[Diagram axes: More detectors; Complex malware; Bugs, Cost & Risk Increase]
• FW/NGFW
• NGIPS
• Antivirus
• Reputation/Rules
• Policy/Patches
• Content Filtering
• Sandboxing
• Anomaly
• Machine Learning
Deploy Full Detector Stack
[Chart: share of Detection vs. Retrospective Security by engine (3rd Party, ETHOS, SPERO, Clam AV, TALOS + Misc, Sandbox), 0% to 100% scale]
Source: Cisco AMP and Threat Grid efficacy report of 12/2016
Noticed any silver bullet? Neither did we…
Deploy Full Detector Stack
Detecting VM/Sandbox
[Diagram: a VM detector on a physical box vs. a VM detector on a sandbox; sandbox detection]
Deploy Full Detector Stack
Pre-infection:
• TALOS
• AMP inline blocking
Post-infection:
• AMP retrospection
• Threat Grid
• CTA
• Investigate
Everything is Deployed
• Minimalist Deployment example
[Diagram components: Endpoints with AMP Connectors; Web Proxy; Internet via proxy; CTA Cloud (UI, TAXII, logs upload service); AMP Cloud (UI); TG Cloud; SIEM; Security Analyst. Protocols shown: HTTP, HTTPS, SSH, SCP]
Everything is Configured…Now what?
30,000 Feet View
• Preventive Security: dealing with everyday attacks
• Breach Detection and Mitigation (NEW): dealing with everyday infections
• Full IR (optional): dealing with critical infections
Breach Detection And Mitigation - Practically!
Breach Detection:
• Detecting a breach
• Establishing priority rating
Immediate Reaction:
• Following traces from C&C to a file
• Estimating spread on the endpoint and in the network
• Reviewing related network activity
Final Reaction:
• Finding additional malicious activity on the endpoint
• Analyzing the root cause
• Reimaging the affected endpoints
• Updating policies to prevent reinfection
Breach Detection and Mitigation Process
• CTA detects the C2 channel (or Investigate, an IoC, or Talos does)
• TG provides global and local file behavior context (endpoint level details)
• AMP identifies the files responsible for the C&C activity and provides endpoint visibility
• AMP quarantines malicious executables and blocks their reintroduction
• ISE quarantines the endpoint
• AMP is used for root cause analysis before the endpoint is re-imaged
All steps need to be done within hours to prevent data leaks!
[Compare with] Preventive Security Process
• AV, IPS, blacklist, … detect activity as malicious and block it (unattended)
• Reporting is reviewed and policies are updated accordingly (monthly)
Done!
Notification About a Breach
Daily reports in CTA
Weekly reports in AMP
Too Slow!
Notification About a Breach - Better!
• Subscribe to email alerts
• Use SIEM for a more granular control
Separating Breach from Breach Attempt
Is that pre- or post-infection traffic?
• Stealthwatch: Separate category
• CTA: Always report compromises
• AMP: Separate category
[Screenshot of event categories: Detection with Quarantine, Indication of Compromise, Retrospective Quarantine, Dirty Scan, Marked As Compromised]
Establishing Priority Rating
AMP and Threat Grid Threat prioritization
Establishing Priority Rating
CTA Threat prioritization
• Low Risk (network only): try clean; if that fails, monitor
• Medium Risk (light infection): try clean; if that fails, reimage
• High Risk (bad infection): reimage
• Critical Risk (data damage): quarantine, reimage
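The triage that the prioritization table, the breach-vs-attempt separation and the alerting slides together imply, as an added Python example (not Cisco's code): the alert records, their field names and the 4-hour reaction budget are constructed assumptions standing in for whatever a SIEM actually receives.

```python
"""Added example, not Cisco code: SIEM-side triage of breach alerts modelled on
the deck's process (compromises only, CTA risk rating, hours-scale reaction)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Action table taken from the CTA threat prioritization slide.
ACTIONS = {
    "low": "try clean; if that fails, monitor",
    "medium": "try clean; if that fails, reimage",
    "high": "reimage",
    "critical": "quarantine, reimage",
}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Event kinds that mean the breach actually happened; "blocked"/"attempt" are
# pre-infection events preventive security handled and must stay out of the queue.
COMPROMISE_KINDS = {"compromise", "indication_of_compromise",
                    "retrospective_quarantine", "marked_as_compromised"}

# Constructed alert records (assumed shape, not a real CTA/AMP/SIEM format).
SAMPLE_ALERTS = [
    {"source": "CTA", "kind": "compromise", "host": "ws-017", "risk": "high", "seen": "2017-06-27T08:05:00Z"},
    {"source": "AMP", "kind": "blocked", "host": "ws-017", "risk": "medium", "seen": "2017-06-27T08:06:00Z"},
    {"source": "AMP", "kind": "retrospective_quarantine", "host": "ws-042", "risk": "critical", "seen": "2017-06-27T13:30:00Z"},
    {"source": "Stealthwatch", "kind": "attempt", "host": "ws-099", "risk": "low", "seen": "2017-06-27T13:40:00Z"},
    {"source": "CTA", "kind": "compromise", "host": "ws-003", "risk": "low", "seen": "2017-06-27T13:50:00Z"},
]

@dataclass
class Ticket:
    host: str
    source: str
    risk: str
    action: str
    age_hours: float
    overdue: bool

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(alerts, now_iso, budget_hours=4.0):
    """Work queue: worst risk first, oldest first within a level; budget_hours is an assumed stand-in for the deck's "within hours" rule."""
    now, queue = parse_ts(now_iso), []
    for a in alerts:
        if a["kind"] not in COMPROMISE_KINDS:
            continue  # breach attempt, not a breach
        age = (now - parse_ts(a["seen"])) / timedelta(hours=1)
        queue.append(Ticket(a["host"], a["source"], a["risk"], ACTIONS[a["risk"]],
                            round(age, 2), age > budget_hours))
    queue.sort(key=lambda t: (RANK[t.risk], -t.age_hours))
    return queue

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS, "2017-06-27T14:00:00Z"):
        print(t.risk, t.host, f"{t.age_hours}h", "OVERDUE" if t.overdue else "ok", "->", t.action)
```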
Establishing Priority Rating
UI or no UI – A Case for SIEM
UI or SIEM?
Use of Ticket Management System
• Both AMP for Endpoints and CTA offer distinct workflow support (+ textual comment)
Breach Detection And Mitigation - Practically!
Breach Detection:
• Detecting a breach
• Establishing priority rating
Immediate Reaction:
• Following traces from C&C to a file
• Estimating spread on the endpoint and in the network
• Reviewing related network activity
Final Reaction:
• Finding additional malicious activity on the endpoint
• Analyzing the root cause
• Reimaging the affected endpoints
• Updating policies to prevent reinfection
Step 1: Breach Detection
Recap: CTA Threat prioritization
• Low Risk (network only): try clean; if that fails, monitor
• Medium Risk (light infection): try clean; if that fails, reimage
• High Risk (bad infection): reimage
• Critical Risk (data damage): quarantine, reimage
Step 2: Immediate Reaction
Step 3: Final Reaction
Complex Malware Revealed
[Diagram: malware injection path]
• PowerShell privilege escalation
• Browser extension installation
• Stealing browser credentials
Would be prevented by ISE quarantine
Browser Exfiltration Module Revealed
C:/Users/Student1/AppData/Roaming/Mozilla/Firefox/Profiles/…/chrome/content/overlay.js
It Gets Better! Automatic ISE quarantine
[Diagram: the device's HTTP(S) logs go to CTA; CTA raises an incident that is passed to ISE over STIX/TAXII; ISE quarantines the device]
Takeaways and Action
• Know your enemy
• Know how to fight them
• Understand the process from top to bottom
• See it in action – breach mitigated within hours
• Go try AMP for Endpoints (includes Threat Grid and CTA integrations)
Technologies Used
AMP for Endpoints
• Cognitive Threat Analytics (integrated into AMP)
• Threat Grid (integrated into AMP)
StealthWatch (optional)
ISE (optional)
Other Analytics Talks
• Introduction to Security Analytics, BRKSEC-1007 (Brian Ford, TME), Monday 4 PM
• Deciphering Malware's Use of TLS (without Encryption), BRKSEC-2809 (Blake Anderson, Technical Leader), Thursday 10:30 AM
• Detecting threats with Advanced Analytics, BRKSEC-3106 (Martin Rehak, Principal Engineer), Wednesday 1:30 PM
Resources
http://www.cisco.com/c/en/us/products/security/solution-listing.html
http://blogs.cisco.com/security
https://github.com/kbandla/APTnotes
https://cognitive.cisco.com/
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.
Cybersecurity Cisco Education Offerings
Course / Description / Cisco Certification:
• Understanding Cisco Cybersecurity Fundamentals (SECFND): provides understanding of cybersecurity’s basic principles, foundational knowledge, and core skills needed to build a foundation for understanding more advanced cybersecurity material & skills. Certification: CCNA® Cyber Ops
• Implementing Cisco Cybersecurity Operations (SECOPS): prepares candidates to begin a career within a Security Operations Center (SOC), working with Cybersecurity Analysts at the associate level. Certification: CCNA® Cyber Ops
• Securing Cisco Networks with Threat Detection and Analysis (SCYBER): designed for security analysts who work in a Security Operations Center, the course covers essential areas of security operations competency, including SIEM, event monitoring, security event/alarm/traffic analysis (detection), and incident response. Certification: Cisco Cybersecurity Specialist
• Cisco Security Product Training Courses: official deep-dive, hands-on product training on Cisco’s latest security products, including NGFW, ASA, NGIPS, AMP, Identity Services Engine, Email and Web Security Appliances, and more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth
Cybersecurity Cisco Education Offerings
Course / Description / Cisco Certification:
• New! CCIE Security 5.0: CCIE® Security
• Implementing Cisco Edge Network Security Solutions (SENSS): configure Cisco perimeter edge security solutions utilizing Cisco Switches, Cisco Routers, and Cisco Adaptive Security Appliance (ASA) Firewalls. Certification: CCNP® Security
• Implementing Cisco Threat Control Solutions (SITCS) v1.5: implement Cisco’s Next Generation Firewall (NGFW), FirePOWER NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware Protection), as well as Web Security, Email Security and Cloud Web Security. Certification: CCNP® Security
• Implementing Cisco Secure Access Solutions (SISAS): deploy Cisco’s Identity Services Engine and 802.1X secure network access. Certification: CCNP® Security
• Implementing Cisco Secure Mobility Solutions (SIMOS): protect data traversing a public or shared infrastructure such as the Internet by implementing and maintaining Cisco VPN solutions. Certification: CCNP® Security
• Implementing Cisco Network Security (IINS 3.0): focuses on the design, implementation, and monitoring of a comprehensive security policy, using Cisco IOS security features. Certification: CCNA® Security
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth