Advanced Threat Detection
Szilard Csordas
IT Security Consultant
Cisco
Limits Of Preventive Security – 10%
Source: AMP & Threat Grid Research and Efficacy Report 12/2016
[Chart: monthly Detection vs. Retrospective Detection, 2016-07 to 2016-12, y-axis 0% to 100%]
Encryption is changing the threat landscape
[Chart: Percentage of the IT budget earmarked for encryption, FY05 to 2017, with a straight-line projection and an "extensive deployment of encryption" series. Source: Thales and Vormetric]
[Chart: Percentage of malware, Dec to May, y-axis 10% to 25%. Based on Cisco Threat Grid analysis, 2017]
Gartner predicts that by 2019, 80% of all traffic will be encrypted.
https://www.nutech.net/assets/images/nutech-security-onion-3-2012x1146-99.jpg
https://cybersec.buzz/endpoint-security-sizzling-however/
AVG can sell your browsing and search history to advertisers: http://www.wired.co.uk/article/avg-privacy-policy-browser-search-data
Is security software becoming a security risk?
• Prevent: prevent attacks and block malware in real time
• Detect: continuously monitor for threats on your endpoints to decrease time to detection
• Respond: accelerate investigations and remediate faster and more effectively
AMP for Endpoints
AMP History
In 2011 acquired by
In 2014 acquired by
Founded in 2008
http://www.immunet.com
AMP for Endpoints main features
• Prevention, Monitoring + Detection, Response
• Deep Visibility, Context, and Control if something gets in
• Continuous Analysis of File Behavior and Retrospective Security
• Built-in AV Detection Engine for customers that want to consolidate their antivirus and advanced endpoint protection in one agent (next-gen EP: EDR+EPP)
• Containment and quarantine on endpoint
• Built-in sandbox powered by Threat Grid
• Open APIs for seamless integration
• Agentless protection via CTA
• AMP Visibility
• AMP Unity
• Protection Engines (exploit prevention, system process protection)
• Malicious Activity Protection (focusing on Ransomware)
Platforms: PC, Mobile, Linux, Mac
[Diagram: Time To Detection scale from shorter to longer, comparing AMP for Endpoints with Classic AV]
Exploit Prevention In Memory
[Diagram: inside the memory space, decoy system resources act as a trap for malicious code injection, while new system resources are used by trusted code]
• Make the memory unpredictable by changing the memory structure
• Make the app aware of the legitimate memory structure
• Any code accessing the old memory structure is malware!
System Process Protection In Memory
• Session Manager Subsystem (smss.exe)
• Client/Server Runtime Subsystem (csrss.exe)
• Local Security Authority Subsystem (lsass.exe)
• Windows Logon Application (winlogon.exe)
• Windows Start-up Application (wininit.exe)
Protects system processes from being compromised through memory injection attacks by other processes.
Evaluates desired process/thread access and truncates potentially dangerous access from the desired access list before invoking the original system call.
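As an added illustration (not AMP's or Cisco's code), the following Python models the access-mask truncation described above: the desired access for a process or thread handle is evaluated and injection-capable rights are removed when the target is one of the listed system processes, leaving the rest for the original system call. The right values are the Win32 SDK constants; the protected list comes from the slide, and which rights count as dangerous is this example's own policy.

```python
# Win32 access-right constants (values as defined in the Windows SDK headers)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
THREAD_SUSPEND_RESUME = 0x0002
THREAD_SET_CONTEXT = 0x0010
THREAD_QUERY_INFORMATION = 0x0040

# Example policy (an assumption of this illustration): the rights that let one
# process write code into another or redirect one of its threads.
DANGEROUS = {
    "process": PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
    "thread": THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT,
}

# The system processes named on the slide
PROTECTED = {"smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "wininit.exe"}


def truncate_access(kind: str, target_image: str, desired: int) -> dict:
    """Evaluate a desired access mask for a `kind` ("process" or "thread") handle
    to `target_image`. If the target is a protected system process, strip the
    dangerous bits. Returns the mask the original system call would be invoked
    with, plus the removed bits so they can be logged as a detection signal."""
    dangerous = DANGEROUS[kind]
    if target_image.lower() not in PROTECTED:
        return {"granted": desired, "stripped": 0, "protected": False}
    return {"granted": desired & ~dangerous,
            "stripped": desired & dangerous,
            "protected": True}


if __name__ == "__main__":
    # Constructed sample: a request for the rights typically used for code injection
    req = (PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION
           | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)
    print(truncate_access("process", "lsass.exe", req))    # only QUERY_INFORMATION survives
    print(truncate_access("process", "notepad.exe", req))  # unprotected target: unchanged
```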
[Diagram: Lsass architecture, showing Winlogon, the LSA server and SAM server, the Msv1_0.dll and Kerberos.dll authentication packages, Netlogon, and the LSA policy, SAM and Active Directory stores]
In Memory
Beta Testing New Engine in AMP Leads to Discovery – CCleaner Serving Malware
• New exploit detection technology identified an executable triggering our advanced malware protection systems
• Malicious payload featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality
Malicious Activity Protection (beta)
• Cloud-side Indicators of Compromise (IoCs)
• Defines a set of activities that, when observed on an endpoint, lead us to believe the endpoint has been compromised/infected
• These are run in the AMP cloud currently
• We are copying a subset of the Cloud IoCs into the endpoint
• Monitor only in the beta release; beta will be coming soon
• Will eventually move to blocking capability
• Tuned and focused on Ransomware initially
• Looks for encryption behaviors, catching 80-90% in the labs so far
• You have to see the encryption start, so will always lose a few files
• Would have stopped WannaCry in its tracks, when in blocking mode
On Disk
Device Trajectory in Action (AMP for Endpoints)
[Diagram: device trajectory showing the files AcroRd32.exe [PE], Calc.exe [PE], a.exe [PE], Promotion.pdf.exe [PE], 4 [TXT] and Installer.exe [PE], linked by Create, Connection and Execute events; IoC markers for Suspicious Behavior and Potential Dropper; disposition legend: Clean, Unknown, Malicious]
2017-03-16 00:03:26 GST
Detected W32.Trojan.20ez.1201 as Promotion.pdf.exe
Downloaded from http://1.1.1.1
SHA256 Value (1f5a5..a41f03)
File was Quarantined Successfully.
File Path: C:\Users\Admin\My Documents\Promotion.pdf.exe
Detected by ETHOS
2017-03-15 11:03:26 GST
Outgoing connection from AcroRd32.exe
Adobe Reader 9.3.3.177 (825b7b2..2e4f82)
TCP Port 1067 to 64.59.140.93 port 80
Unknown Disposition
Post Infection
Advanced Malware Protection for Endpoints
Complex Malware Revealed
[Diagram: attack chain showing PowerShell privilege escalation, browser extension installation, stealing browser credentials and the malware injection path, annotated "Would be prevented by ISE quarantine"]
Post Infection
[Diagram: AMP Cloud shared by network appliances (NGIPS, NGFW), endpoints and content appliances (WSA, ESA/CES, WWW); shared components: Global Trajectory, Whitelists, Simple and Custom Detections, Common Objects]
See once, protect everywhere (web proxy, firewall, email gateway, endpoint)
See Everywhere That It Has Been
What happened?
Where did the malware come from?
Where has the malware been?
What is it doing?
How do we stop it?
Track infected areas in the system:
• Where is the attack now
• What other endpoints have seen it
• Where should I focus my response
• Where is still safe
Cognitive Threat Analytics
• Visibility into devices with or without AMP Connector – cover unsupported OS and IoT devices
• File-less malware and ~30% more detections
• Correlation with AMP for Endpoints events and links to files responsible for C2 communication
• Priority rating and human readable threat descriptions with course of action
Detection categories: Data Exfiltration, C&C Communication, HTTP(S) Tunneling, DGAs, Exploit Kits
[Diagram: Cognitive Threat Analytics alongside AMP for Endpoints, ~ +30% detection]
Post Infection
Stealthwatch NetFlow Telemetry
Cisco Stealthwatch with CTA
[Diagram: Extended Visibility and Behavioral Analytics, Advanced Threat Detection, Encrypted Traffic Analytics and Cognitive Analytics, built on the Stealthwatch Management Console, the Stealthwatch Flow Collector, the NetFlow-exporting infrastructure and the web proxy; AMP for Endpoints ~ +30% detection]
What Metadata is sent to the cloud?
• Metadata sent from Stealthwatch to Cognitive: Initial Data Packet (IDP) and Sequence of Packet Lengths and Times (SPLT)
• Metadata is sent only for traffic that crosses the perimeter (i.e. internet-bound traffic) and DNS-based traffic
• The connection from the Stealthwatch flow collector to Cognitive is TLS encrypted.
• Most of the data sent to Cognitive is deleted within 2-4 hours after the upload, once analysis is complete.
• Cognitive Analytics processes the ETA data (Enhanced NetFlow) in its production DC, with all production restrictions and security and privacy measures applied
• Deployment is aligned with the security and data governance principles applied in production
What Does CTA Typically Detect?
Sample report demonstrating an advanced threat visibility gap: http://cognitive.cisco.com/preview
Post Infection
Cognitive Analytics multi-layer machine learning
TALOS
• Generic – lengths, status codes, mime types
• HTTP – URLs, referrers, character distribution
• HTTPS – anomaly values, timings, context
• Global – domain/AS popularity
• External – whois, TLS certificates
~600 features per single web request
Automatic ISE quarantine (see BRKSEC-2444)
[Diagram: CTA incident, ISE, device, HTTP(S) logs, STIX/TAXII, quarantine]
Encrypted Traffic Analytics (ETA) – needs NetFlow
Visibility and malware detection without decryption
Use case #1: Malware in encrypted traffic
Is the payload within the TLS session malicious?
• End to end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards
Use case #2: Cryptographic compliance
How much of my digital business uses strong encryption?
• Audit for TLS policy violations
• Passive detection of ciphersuite vulnerabilities
• Continuous monitoring of network opacity
• HTTPS header contains several information-rich fields.
• Server name provides domain information.
• Crypto information educates us on client and server behavior and application identity.
• Certificate information is similar to whois information for a domain.
• And much more can be understood when we combine the information with global data.
Initial data packet
[Diagram: IP Header, TCP Header, TLS Header; fields extracted from the initial data packet: TLS version, SNI (Server Name), Ciphersuites, Certificate (Organization, Issuer, Issued, Expires)]
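To make the initial-data-packet fields concrete, here is an added Python example (not Cisco's or ETA's code) that builds a constructed TLS 1.2 ClientHello, parses the TLS version, SNI and offered cipher suites out of it without any decryption, and flags suites on an assumed audit watch list of the kind the cryptographic-compliance use case describes; the hostname and the watch list are constructed for the example.

```python
import struct

# Assumed audit watch list (IANA cipher suite values) for the compliance use case
WEAK_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}
VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(sni: str, suites: list) -> bytes:
    """Constructed TLS 1.2 ClientHello used as sample input (not a real capture)."""
    name = sni.encode()
    # server_name extension: list length, name type 0 (host_name), name length, name
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # record type 22 = handshake


def parse_client_hello(pkt: bytes) -> dict:
    """Extract the IDP fields the slides list: TLS version, SNI and cipher suites."""
    if pkt[0] != 0x16 or pkt[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                           # skip record (5) + handshake (4) headers
    version = VERSIONS.get((pkt[p], pkt[p + 1]), "unknown"); p += 2
    p += 32                                         # client random
    p += 1 + pkt[p]                                 # session id
    n = struct.unpack("!H", pkt[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", pkt[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + pkt[p]                                 # compression methods
    sni = None
    if p < len(pkt):                                # extensions are optional
        ext_end = p + 2 + struct.unpack("!H", pkt[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", pkt[p:p + 4]); p += 4
            if etype == 0:                          # server_name: skip list len + name type
                nlen = struct.unpack("!H", pkt[p + 3:p + 5])[0]
                sni = pkt[p + 5:p + 5 + nlen].decode()
            p += elen
    return {"version": version, "sni": sni, "suites": suites,
            "weak": [WEAK_SUITES[s] for s in suites if s in WEAK_SUITES]}


if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("update.example.net", [0xC02F, 0x009C, 0x000A])))
```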
Sequence of packet lengths and times
[Diagram: packet lengths plotted against time from flow start]
• Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel.
• We can distinguish video, web, API calls, voice, and other data types from one another and characterize the source within the class.
Cisco’s threat intelligence map
Image: http://census2012.sourceforge.net/images.html
• Who’s who of the internet’s dark side
• Models use up to 20 features of 150 million malicious, risky, or otherwise security-relevant endpoints on the internet.
• These data features include domain data, whois data, TLS certificate data, usage statistics, and behavioral data for each server.
Encryption Details on all Network Flows
Expanded CTA Dashboard View
Cognitive Analytics
Encrypted Traffic Analytics – BRKSEC-2809