November 2018. Advanced Threat Solution: this time more about the endpoint device. Jiří Tesař, [email protected], CSE Security, CCIE #14558, SFCE #124266, CEH


Page 1

November 2018

Advanced Threat Solution: this time more about the endpoint device

Jiří Tesař, [email protected]

CSE Security, CCIE #14558, SFCE #124266, CEH

Page 2

Security Strategy Overview

Page 3

Digital Disruption Drives the Hacker Economy

Attack Sophistication, Threat Actors, Attack Surface

…Creating an ever-evolving, dynamic threat landscape

Page 4

• DDoS
• Data Destruction
• Monetary Theft
• Phishing
• Rogue Software
• Man in the Middle
• Trojans
• Drive by Downloads
• Data Manipulation
• Wiper Attacks
• Botnets
• Ransomware
• Advanced Persistent Threats
• Unpatched Software
• Spyware/Malware
• Data/IP Theft
• Malvertising

Page 5

Branch, Cloud, Data Center, Endpoint, Campus, Edge, Operational Technology

Page 6

250+ full-time threat researchers and data scientists

Analyzing 1.5 million unique malware samples daily

Blocking 20 billion threats daily. More than 20x any other vendor.

We developed Cisco Talos: the largest non-government threat intelligence organization on the planet

We see more so you can block more and respond faster to threats.

Page 7

More threats blocked daily than anyone else

Chart: threats blocked daily, Cisco (20B) compared with Symantec, Palo Alto, Check Point, Fortinet, Zscaler, Trend Micro and Proofpoint (the values shown for the others range from 700K to 972M).

Page 8

See it once, protect everywhere

Products covered: NGFW, Threat Grid, Meraki, Network (ISR/ASR), Stealthwatch, NGIPS, ISE, Cloudlock, Umbrella, AMP

Best news yet: Cisco Talos is free for customers

Page 9

Forcing the Bad Guys to Innovate: spreading security news, updates, and other information to the public

• ThreatSource Newsletter: cs.co/TalosUpdate
• Social Media Posts: Facebook TalosGroupatCisco, Twitter @talossecurity
• White papers, articles, & other information: talosintelligence.com
• Talos Blog: blog.talosintelligence.com
• Instructional Videos: cs.co/talostube

Page 10

AMP for Endpoints

Page 11

Recording: Monitor + Detect

• Identify a threat's point of origin
• Track its rate of progression and how it spread
• See what it is doing
• See where it's been
• Surgically target and remediate

Page 12

Time To Detection (shorter to longer)

AMP for Endpoints Protection Lattice

Page 13

In Memory: Exploit Prevention

Diagram: malicious code injection hits the decoy system resources and raises an alert, while trusted code keeps using the original system resources.

Covered processes:
• excel.exe
• winword.exe
• powerpnt.exe
• outlook.exe
• iexplore.exe
• firefox.exe
• chrome.exe
• skype.exe
• teamviewer.exe
• vlc.exe
• wscript.exe
• powershell.exe
• acrord32.exe
• rundll.exe
• taskeng.exe

§ Make the memory unpredictable by changing its structure

§ Make the app aware of legitimate memory structure

§ Any code accessing the old structure is malware

§ Currently protects 32-bit apps on 32/64-bit OS! (64bit app protection coming in AMP for Windows 6.2.x, check release notes)

§ No Audit mode & CVE agnostic

Page 14

In Memory: Exploit Prevention, In-Field Findings

• CCleaner: ExPrev beta test leads to backdoor discovery in CCleaner software from Avast. https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
• 0-day Flash: 0-day remote code execution vulnerability prevented; prevents exfiltration and remote admin. http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
• IcedID Trojan: minimalist (evolutionary) code injection technique prevented by ExPrev technology. Talos analysis: https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

Page 15

In Memory: System Process Protection

Protected system processes:
• Session Manager Subsystem (smss.exe)
• Client/Server Runtime Subsystem (csrss.exe)
• Local Security Authority Subsystem (lsass.exe)
• Windows Logon Application (winlogon.exe)
• Windows Start-up Application (wininit.exe)

Talos Analysis (SamSam): https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html

§ Protects Windows system processes from being compromised through memory injection attacks

§ Evaluates desired process/thread access, truncates potentially dangerous access

§ Protects against Mimikatz dumping credentials from lsass.exe memory

Page 16

On Disk: Malicious Activity Protection

§ Detects abnormal behavior of a running program, initially focused on ransomware

§ Uses rules that monitor processes reading, writing, and renaming or deleting files within a short span of time

§ Modes of operation: audit, blocking, quarantine

§ Processes can be excluded from MAP inspection
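As an added example (not Cisco's code and not how MAP is implemented), a Python sketch of the rule shape this slide describes: a sliding window per process that fires when reading, writing and renaming/deleting touch enough distinct files within a short span, with the three modes and a process exclusion list. SAMPLE_EVENTS, the process names and paths are constructed; MapRule, Detection and run are names assumed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# One file-system event from endpoint telemetry: (ts_seconds, pid, image, op, path).
Event = Tuple[float, int, str, str, str]

# Constructed sample telemetry for this demo; not captured from any real host.
SAMPLE_EVENTS: List[Event] = [
    (0.0, 4242, "winword.exe", "read", r"C:\Users\alice\Docs\memo.docx"),
    (0.4, 4242, "winword.exe", "write", r"C:\Users\alice\Docs\memo.docx"),
]
for i in range(6):  # one process reads, writes and deletes six documents in ~2 s
    doc = rf"C:\Users\alice\Docs\report{i}.xlsx"
    SAMPLE_EVENTS += [(1.0 + 0.3 * i, 7777, "updater.exe", "read", doc),
                      (1.1 + 0.3 * i, 7777, "updater.exe", "write", doc + ".locked"),
                      (1.2 + 0.3 * i, 7777, "updater.exe", "delete", doc)]
for i in range(6):  # a backup tool churns just as hard, but it is on the exclusion list
    doc = rf"C:\Users\alice\Docs\report{i}.xlsx"
    SAMPLE_EVENTS += [(5.0 + 0.3 * i, 9001, "backup.exe", "read", doc),
                      (5.1 + 0.3 * i, 9001, "backup.exe", "write", rf"D:\bak\report{i}.tmp"),
                      (5.2 + 0.3 * i, 9001, "backup.exe", "rename", rf"D:\bak\report{i}.tmp")]
SAMPLE_EVENTS.sort()

# What each MAP-style mode does once the rule fires.
ACTIONS = {"audit": "log-only", "blocking": "terminate-process",
           "quarantine": "terminate-process-and-quarantine-executable"}
DESTROY_OPS = {"rename", "delete"}


@dataclass
class Detection:
    pid: int
    image: str
    first_seen: float
    last_seen: float
    distinct_files: int
    action: str


class MapRule:
    """Fires when one process reads, writes, and renames/deletes at least
    `min_files` distinct files inside a sliding window of `window_s` seconds."""

    def __init__(self, mode: str = "audit", window_s: float = 10.0,
                 min_files: int = 5, excluded: Tuple[str, ...] = ()):
        if mode not in ACTIONS:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.window_s, self.min_files = mode, window_s, min_files
        self.excluded: Set[str] = {name.lower() for name in excluded}
        self._recent: Dict[int, Deque[Event]] = defaultdict(deque)
        self._fired: Set[int] = set()  # report each process once

    def feed(self, ev: Event) -> Optional[Detection]:
        ts, pid, image, _, _ = ev
        if image.lower() in self.excluded or pid in self._fired:
            return None
        window = self._recent[pid]
        window.append(ev)
        while window and ts - window[0][0] > self.window_s:  # age out old events
            window.popleft()
        read, written, destroyed = set(), set(), set()
        for _, _, _, o, p in window:
            if o == "read":
                read.add(p)
            elif o == "write":
                written.add(p)
            elif o in DESTROY_OPS:
                destroyed.add(p)
        # Ransomware shows all three behaviours together, on many files, quickly.
        if min(len(read), len(written), len(destroyed)) >= self.min_files:
            self._fired.add(pid)
            return Detection(pid, image, window[0][0], ts,
                             len(read | written | destroyed), ACTIONS[self.mode])
        return None


def run(events: List[Event], mode: str = "audit",
        excluded: Tuple[str, ...] = ("backup.exe",)) -> List[Detection]:
    """Replay a time-sorted event stream through one rule and collect detections."""
    rule = MapRule(mode=mode, excluded=excluded)
    return [d for d in (rule.feed(e) for e in events) if d is not None]
```

With the default exclusion the backup tool is skipped and only the encrypting process is reported; drop the exclusion and both fire, which is the audit-mode tuning loop the slide's modes are there for.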

Page 17

On Disk: TETRA and AMP can also use a local Update Server

Diagram: TETRA definitions come from the cloud to a TETRA Update Server on the customer premises; it serves internal updates to on-prem clients and external updates (for example to clients on public Wi-Fi).

§ Offline AV engine for Windows

§ On-prem server gets updates from AMP Public Cloud

§ Server FQDN configured per AMP Policy

§ Can make FQDN available publicly for external updates

§ AMP Update Server runs on Windows or Linux, uses IIS / Apache / nginx (currently TETRA updates only)

Page 18

Post Infection: Data Exfiltration, C&C Communication, HTTP(S) Tunneling, DGAs, Exploit Kits

Cognitive Intelligence

§ Visibility into devices with or without AMP Connector – cover unsupported OS and IoT devices

§ File-less malware and ~30% more detections

§ Correlation with AMP for Endpoints events and links to files responsible for C2 communication

§ Priority rating and human readable threat descriptions with course of action

Page 19

One app, two layers of security

Visibility
• App-layer auditing and correlation via net new iOS 11 functionality
• Logs encrypted URL requests without SSL decryption
• Available to AMP for Endpoints customers at no extra charge if subscription already covers iOS devices

Control and visibility
• DNS-layer enforcement and encryption via net new iOS 11 functionality
• Customizable URL-based protection with intelligent proxy
• Available to Umbrella* customers at no extra charge if subscription already covers iOS users

* Professional, Insights and Platform packages

New MDM/EMM vendor support:

Page 20

Demo: AMP4E, Threat Grid, Umbrella, Cisco Threat Response

Page 21

AMP4E – Fetch the File for Analysis

Page 22

AMP4E – Fetch the File and Send to Sandbox

Page 23

Threat Grid

Page 24

Threat Grid: Analyze, Correlate, and Enhance

1. Input: sample submission. Submit suspicious samples to Threat Grid via Integration, API, or Portal.
2. Process: sample is executed and analyzed using multiple techniques.
   • Proprietary techniques for static and dynamic analysis
   • “Outside looking in” approach
   • 1000+ Behavioral Indicators
3. Output: produce intelligence & inform AMP architecture.
   • Behavioral Indicators & Threat Score
   • Pokes AMP cloud, integrations will block
   • Threat Intel Feeds & Global Intel

Page 25

Threat Grid Integrations: Supported Integrations & Partners, Select Recipe Integrations, Select Threat Feed Integrations

Page 26

File Analysis: Static and Dynamic

• Static Analysis (what it is/contains): file on disk, header details, AV engines
• Dynamic Analysis (what it does): execution/detonation, network connections, file/system changes, function/library calls

Page 27

Addressing the Challenges: Playbooks

• 9 Default Playbooks
• User Generated Playbooks
• Dynamic Playbook Selection: User Emulation + Automation

Page 28

Page 29


Network, Web, Email Security: Integrated File Analysis, On Premise Option

Diagram components: AMP for Networks (IDS / IPS), AMP on Web Security Appliance, AMP on Email Security Appliance, AMP Endpoint Agents, AMP Private Cloud (Threat Intelligence Engine), AMP File Analysis (AMP Threat Grid Sandbox), AMP (Advanced Malware Protection). Indicators exchanged: process names, registry keys, IP addresses, DNS names.

Page 30

Cisco Threat Response

Page 31

Cisco Threat Response

Key pillars of our integrated architecture

• Automates & Orchestrates across security products

• Focuses on security operations functions – Detection, Investigation, and Remediation

Integrating security for faster defense

Page 32

Contextual Analysis and Incident Response (support will come also with NGFW and Content Gateways)

Sources: AMP, Threat Grid, Umbrella, SMA, Talos, VirusTotal

• What do you know about these (IP, Hash, URL, etc.) observables?
• Have we seen these observables?
• Which end-points reached out to the URL?
• Etc.

NGFW / FMC with Cisco Threat Response:
1. Get high fidelity IPS events
2. Investigate with automated enrichment
3. Remediate in AMP & Umbrella

• From FMC, pivot into Threat Response via casebook browser plug-in

Page 33

Encrypted Traffic?

Page 34

Encrypted Traffic

HTTPS inspection on gateways (resign, known keys)
• NGFW
• WSA

Leverage endpoint visibility
• AMP4E
• NVM AnyConnect

Behavior analysis of encrypted traffic
• ETA + Stealthwatch

Page 35

Diagram stages: Telemetry sources that instrument the digital business; Collect and store at scale; Analyze and automate; Security Outcomes. Components shown: Catalyst 9000, Stealthwatch Enterprise, Stealthwatch Custom Security Event, Cognitive Intelligence, Cryptographic Audit, Malware Detection.

Page 36

© 2018 Cisco and/or its affiliates. All rights reserved. Global Sales Training

ETA data

• Initial Data Packet: make the most of unencrypted fields (example: self-signed certificate)
• Sequence of packet lengths and times: identify the content type through the size and timing of packets (example: data exfiltration)
• Global Risk Map: know who's who of the Internet's dark side (example: C2 message)

Page 37


Cryptographic Compliance

Page 38


Identifying malicious encrypted traffic

Packet lengths, arrival times and durations tend to be inherently different for malware than benign traffic.

Model (client sent packets vs. received packets between src and dst):
• Google Search Page Download
• Initiate Command and Control
• Exfiltration and Keylogging

Page 39


ETA Data Features, <= TLS 1.2

Handshake and data sequence observed on the wire: client_hello, server_hello, certificate (cont.), server_key_exchange, server_hello_done, client_key_exchange, change_cipher_spec, encrypted_handshake_message, change_cipher_spec, encrypted_handshake_message, app_data, app_data, app_data, encrypted_alert

Feature groups: Application Information, Server Information, Behavioral Information

Page 40


ETA Data Features, TLS 1.3

Handshake and data sequence observed on the wire: client_hello, server_hello, then app_data only (eight app_data records shown)

Feature groups: Application Information, Server Information, Behavioral Information
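As an added example (not Cisco's code and not the ETA implementation), the two kinds of feature the ETA slides name, extracted in Python: parse_client_hello() reads the unencrypted fields of the initial data packet (offered version, cipher suites, SNI) from a constructed ClientHello and flags RC4 in the spirit of the cryptographic audit, and splt() builds the sequence of packet lengths and times from a constructed flow record. build_client_hello, the example hostnames and SAMPLE_FLOW are constructed for this example; the cipher-suite codes are the real IANA values.

```python
import struct
from typing import Dict, List, Optional, Tuple

# IANA cipher-suite codes used in the demo (real values; the table is deliberately partial).
SUITE_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK_SUITES = {0x0005}  # RC4: flagged by the audit field below
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def build_client_hello(version: int, suites: List[int], sni: str) -> bytes:
    """Assemble a minimal TLS ClientHello record (constructed test input)."""
    name = sni.encode()
    sn_list = struct.pack("!BH", 0, len(name)) + name                     # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(sn_list) + 2, len(sn_list)) + sn_list
    ext = struct.pack("!H", len(sni_ext)) + sni_ext
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"          # version, random, no session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00" + ext)       # suites, null compression, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs             # record type 0x16 = handshake


def parse_client_hello(record: bytes) -> Dict:
    """Pull the fields ETA reads from the first packet: version, cipher suites, SNI."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                     # skip client_random
    pos += 1 + body[pos]                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                             # skip compression methods
    sni: Optional[str] = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                           # server_name: list_len(2) type(1) name_len(2) name
                nlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    return {"version": VERSIONS.get(version, hex(version)),
            "suites": [SUITE_NAMES.get(s, hex(s)) for s in suites],
            "sni": sni,
            "weak_suites": [SUITE_NAMES[s] for s in suites if s in WEAK_SUITES]}


def splt(flow: List[Tuple[float, str, int]], n: int = 10) -> List[Tuple[int, int]]:
    """Sequence of Packet Lengths and Times for the first n packets: signed length
    (client->server positive, server->client negative) and inter-arrival gap in ms."""
    out, prev = [], flow[0][0]
    for t, direction, length in flow[:n]:
        out.append((length if direction == "c2s" else -length, int(round((t - prev) * 1000))))
        prev = t
    return out


# Constructed flow record (seconds, direction, bytes): a small request answered by a large download.
SAMPLE_FLOW = [(0.000, "c2s", 517), (0.021, "s2c", 1460), (0.022, "s2c", 1460),
               (0.030, "c2s", 126), (0.031, "s2c", 1460), (0.045, "s2c", 1460),
               (0.046, "s2c", 820)]
```

The same parser shows why the TLS 1.3 slide is shorter: after server_hello there are no cleartext certificate or key-exchange messages left to read, so the SNI and offered suites in the ClientHello plus the length/timing sequence carry the feature set.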

Page 41

• Showcased in NOC & ThreatWall
• Monitored Public WiFi, show floor networks
• 25,000+ Attendees
• 185+ Million Flows Analyzed
• 88% HTTPS vs 12% HTTP
• ~40K fps from Wireless Users

Threats Detected
• ~400 Detections using ETA
• Ransomware detected
• C&C and Data Exfiltration
• Multiple Critical, High- and Medium-risk Detections
• Numerous Malware Instances including Cryptomining & Botnet activities
• Several Applications using TLS 1.0

ETA Topology (diagram)

Page 42

Page 43


Security that works together

Diagram: Stealthwatch Enterprise together with Packet inspection (Cisco Security Packet Analyzer), Public Cloud monitoring (Stealthwatch Cloud), Secure data center (Tetration Analytics), External domain lookups (Umbrella Investigate), Web security (WSA, Web Security Appliance), User, device and application info (ISE pxGrid), Global Threat Intelligence (Talos), TrustSec and AnyConnect NVM.

Page 44

© 2017 Cisco and/or its affiliates. All rights reserved.

AnyConnect with Network Visibility Module (nvzFlow)

Attributing a flow to:
• Process name
• Process hash
• Process account
• Parent process name
• Parent process hash
• Parent process account

Stealthwatch Endpoint Visibility Solution components: Endpoint Concentrator, ISE, Flow Collector, Management Console, Threat Feed License, Cognitive Analytics

Page 45

Integrated Security

Page 46

Latest Announcements in the Cisco Security Technical Alliances Ecosystem

• See 9/19 announcement: How Alliances Strengthen Your Cybersecurity Defenses
• Introducing pxGrid 2.0: evolving the bedrock of our policy ecosystem
• ISE & IoT: bringing IoT into mainstream network access policy
• New integrations and partners from network to endpoint to cloud… ISE, Firepower, AMP for Endpoints, Cisco Cloud Security, Threat Grid, Cisco Security Connector
• Appendix: Details on New Ecosystem Partners and Integrations

Page 47

CSTA September Announcement Summary: 57 new integrations from network to endpoint to cloud…

• Cisco Firepower: Threat Intelligence Director for NGFW Enrichment, Firepower integrations
• Cisco ISE: pxGrid Integrations for IoT, Orchestration, Deception, Endpoint, Vulnerability Management

Page 48

CSTA September Announcement Summary: 57 new integrations from network to endpoint to cloud…

• Cisco Cloud Security: Threat Intelligence on Malicious Domains and Threat Response Enforcement & CASB
• Cisco AMP for Endpoints: Integrations provide analysts with detailed information and actions on endpoint events
• Cisco Threat Grid: Malware Intelligence Sharing and Incident Response Integration

Page 49

Simplifying WSA Policies with SGTs

Diagram: ISE provides SGTs (Doctors, BYOD, Guest) to the Web Security Appliance sitting between the Enterprise Backbone and the Internet. Example contexts: Who: Guest, What: iPad, Where: Office; Who: Doctor, What: Laptop, Where: Office; Who: Doctor, What: iPad, Where: Office.

Policies:

Order | Group | Protocols and User Agents | URL Filtering | Applications | Objects | Anti-Malware and Reputation
1 | Doctors | (global policy) | Block: 1, Monitor: 78 | Block: 10, Monitor: 367 | (global policy) | (global policy)
2 | Doctors BYOD | (global policy) | Block: 1, Monitor: 78 | Block: 10, Monitor: 367 | (global policy) | (global policy)
3 | Guests | (global policy) | Block: 1, Monitor: 78 | Block: 10, Monitor: 367 | (global policy) | (global policy)
 | Global Policies | No blocked items | Monitor: 79 | Monitor: 367 | No Blocked Items | Web Reputation: Enabled, Anti-Malware Scanning: Enabled

Page 50

© 2018 Cisco and its affiliates.

ISE as a source of Context

Cisco ISE provides:
• Live Sessions Table of ISE
• Device/User Authentication
• Device Profiling
• NAD details

SMC:
• Live Authentication Events shown in SMC
• Maintain historical session table
• Correlate NetFlow to username
• Build User-centric reports

Page 51


FTD Policies Based on ISE Context and Sec Groups

NGIPS/ASA + Firepower, via pxGrid

Page 52

Vulnerability-Aware Cisco Security: Using Vulnerability to Drive Threat Response in Firepower & ISE

Endpoint Vulnerability Scores (Rapid 7, Tenable, Qualys):
• Drive Threat Scores in Firepower MC
• Drive Threat-based Network Policy in ISE

Page 53


Use Cases: Host Input API (FMC)

• Allows the import of Host and Vulnerability Data:
  Vendor, Product, Version, and Mobile Device Information
  Server Applications and Versions
  Client Applications and Versions
  Vulnerability Names and IDs

Page 54

Qualys – ISE Integration

Page 55


CTA/AMP – ISE Integration

Quarantine

Difference: vulnerable (Qualys) vs compromised (CTA/AMP) endpoints

Page 56

What is Threat Centric NAC: Threat EndPoints based on Incidents and Indicators

Page 57

Incident Response: Rapid Threat Containment. Cisco AMP, Firepower, Stealthwatch, ISE & CSTA Partners

• “Rapid Threat Containment”: automatically or manually quarantine devices or spawn investigations
• Enlist other Cisco infrastructure in the network response, such as dynamic ACLs on switches and ASA or increased IPS inspection levels

Diagram: Cisco AMP, NGFW and Stealthwatch consoles, and 3rd-party consoles like IBM, McAfee, Splunk, Tanium, Exabeam, Infoblox, LogRhythm and Rapid 7, call the pxGrid ANC API; ISE as unified policy point applies SGT and CoA; results: User/Device Quarantine, Dynamic ACLs, Increase Inspection.

Page 58

DUO

Page 59

Duo’s Approach is Easy and Reduces Cost

1 Instantly integrates with all apps

2 Users self-enroll in minutes

3 Authenticate in seconds

Page 60

3 Key Points About Duo’s Security Policies

1. Centrally build policies for all apps

2. Web based policy management

3. Customize for user groups & apps

Page 61

Duo's Platform

Identity: All Employees, Privileged Users, Contractors & Partners
Devices: Personal (Unmanaged) Devices, Corporate (Managed) Devices
Applications & Infrastructure: Cloud, On-premise, Datacenter
Security & Access: Visibility, Prevention, Detection, Remediation

Page 62

Flexible Authentication Options for your users: Push, soft token, SMS, Phone Call, U2F, Wearables, Biometrics, HW Tokens

Page 63

Verify End User Devices: Allow only compliant devices to access work applications

1. Mobile (iOS and Android)
   a. Natively using Duo Mobile app. MDM alternative.
   b. Integration with MDM platforms.
2. Non Mobile (Windows, Mac, Linux, ChromeOS)
   a. Natively using browser data. No agents.
   b. Integration with endpoint management platform.

Page 64

Page 65