
Hunting Security Breaches in the Modern Threat Landscape...Use Case: Threat Hunting with a Generic IOC Event Can begin search using any data from the IOC Event –SHA, URL, IP Address


Page 1

Page 2

Hunting Security Breaches in the Modern Threat Landscape Session ID 1.2

Lewis Tan CISSP, OPST

AMP Specialist, APJC

Advance Threat Solution, GSSO

Page 3

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Industrialization of Hacking: there is a multi-billion dollar global industry ($450 Billion to $1 Trillion) targeting your prized assets

Underground price list (diagram):
• Social Security: $1
• Mobile Malware: $150
• Bank Account Info: >$1000 depending on account type and balance
• Facebook Accounts: $1 for an account with 15 friends
• Credit Card Data: $0.25-$60
• Malware Development: $2500 (commercial malware)
• DDoS as a Service: ~$7/hour
• Spam: $50/500K emails
• Medical Records: >$50
• Exploits: $1000-$300K

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3

Page 4

Minutes to compromise, Months to discover & remediate

Source: Verizon http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf

Page 5

Not About Detections, But About Incident Response

Page 6

Outwit Cyber Attackers

Assume Compromise

Improve Your Security Posture

Think like an Attacker

Page 7

Think Like An Attacker

Page 8

Hacker’s perspective (diagram): the perimeter controls an attacker sees are F/W, NIPS, Proxies, AV gateways, WAF

Page 9

Hacker’s Perspective (diagram): perimeter controls (F/W, NIPS, Proxies, AV gateways, WAF) are bypassed with SSL, Port Knocking and Event/Time Triggers

Page 10

APT / Advanced Malware

Is now a tool for financial gain

Uses formal development techniques
• Sandbox aware
• Quality Assurance to evade detection
• 24/7 tech support available

Has become a math problem
• End Point AV Signatures ~20 Million
• Total KNOWN Malware Samples ~100 M
• AV Efficacy Rate ~50%

Page 11

How do organizations address this?


Page 12

• Time

• Tools

• Expense

Page 13

Effective Malware Protection Strategies

Page 14

Strategic Imperatives (diagram), applied across Network, Endpoint, Mobile, Virtual and Cloud:
• Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
• Threat-Focused: Continuous Advanced Threat Protection, Big Data Analytics, Security Intelligence
• Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management

Page 15

Addressing Malware Issues: it’s how quickly you can detect the infection, understand scope, and remediate the problem

Questions the process has to answer: Where do I start? How bad is the situation? What systems were affected? What did the threat do? How do we recover? How do we keep it from happening again?

Incident response workflow (diagram):
• Confirm Infection: Search Network Traffic, Search Device Logs, Scan Devices, Define Rules (from profile). Outcome: Infection Identified, Cannot Identify Infection, or No Infection (Stop).
• Analyze Malware: Build Test Bed, Static & Dynamic Analysis. Output: Malware Profile.
• Malware Proliferation: Device Analysis, Network Analysis, Proliferation Analysis.
• Remediate: Notification, Quarantine, Triage. Afterwards: Search for Re-infection, Update Profile.

Page 16

Hacker’s perspective revisited (diagram): perimeter controls (F/W, NIPS, Proxies, AV gateways, WAF) and the evasion used against them (SSL, Port Knocking, Event/Time Trigger); traffic split East-West 80% vs. North-South 20%; 50%

Effective solution = ROI


Page 18

Do Security Different!

Plan A: Prevention. Mode: Security control. Raises the bar, reduces attack surface.
– Speed: real-time, dynamic decisions trained on real-world data
– High accuracy, low false positives / negatives

Plan B: Retrospection. Mode: Incident Response. Reveals malicious activity.
– Track system behaviors regardless of disposition
– “In-flight” correction
– Contain & correct damage, expel embedded intruders

Page 19

Desire to break the chain as far to the left as possible.

Attack timeline (diagram):
• Reactive security posture: defensive/protective measures, then clean-up costs; long response time, long remediation time.
• Proactive security: Indicators of Compromise, Device Trajectory & Threat Root Cause, File Trajectory & Outbreak Control; reduced response time, reduced remediation time through RCA.

Page 20

Use Case: Threat Hunting with a Generic IOC Event

• Can begin search using any data from the IOC Event: SHA, URL, IP Address
• Device Trajectory can be used to determine host details: link between processes, file name, location on disk
• File Trajectory can be used to focus on the threat: Malware Gateway, Threat Details, File Analysis
• Custom Detection to control files: remediate without escalation, quickly quarantine files, immediate protection across all systems

Page 21

Threat Hunting: Trajectory

• Outlook.exe is running
• Email drops photo.zip as an attachment
• explorer.exe called to extract contents
• photo.exe was executed
• photo.exe contacts a website via http
• photo.exe drops several additional components
• Executes a file named csrss.exe in the Outlook TMP directory
• Beacons to the site listed in our cracked DGA (IOC Events)
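The hunt described on these two slides, written out as an added example over constructed endpoint telemetry. This is illustrative code, not Cisco AMP’s API or the presenter’s material: the hosts ws01 and ws07, the sha-* hash placeholders, the paths and the beacon domain are all invented. It pivots on any IOC type (SHA, URL or IP), walks the device trajectory from the pivot process back to its point of entry, builds the file trajectory for the offending hash, and adds the check a hunter applies to the csrss.exe step: csrss.exe is a Windows system process that only legitimately runs from under the Windows directory, so a copy executing from an Outlook temp directory is a masquerading indicator whatever its hash.

```python
"""Threat hunt over constructed endpoint telemetry: pivot on an IOC, walk the
device trajectory back to the point of entry, build the file trajectory and
flag masquerading system binaries. Illustrative code, not Cisco AMP's API;
every host, hash placeholder, path and domain below is made up."""

TMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\Outlook\\"   # hypothetical Outlook TMP dir

# Constructed telemetry: (ts, host, kind, pid, ppid, image, detail, sha)
#   proc: process start; sha is the image hash, detail the argument (if any)
#   file: file written by the process; detail is the path, sha the written file's hash
#   net : outbound connection by the process; detail is the URL, sha the image hash
EVENTS = [
    (1, "ws01", "proc", 100, 1,   "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "", "sha-outlook"),
    (2, "ws01", "file", 100, 1,   "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", TMP + "photo.zip", "sha-zip"),
    (3, "ws01", "proc", 200, 100, "C:\\Windows\\explorer.exe", TMP + "photo.zip", "sha-explorer"),
    (4, "ws01", "proc", 300, 200, TMP + "photo.exe", "", "sha-photo"),
    (5, "ws01", "net",  300, 200, TMP + "photo.exe", "http://203.0.113.10/stage2", "sha-photo"),
    (6, "ws01", "file", 300, 200, TMP + "photo.exe", TMP + "csrss.exe", "sha-csrss-bad"),
    (7, "ws01", "proc", 400, 300, TMP + "csrss.exe", "", "sha-csrss-bad"),
    (8, "ws01", "net",  400, 300, TMP + "csrss.exe", "http://kq3vx9zp.example/beacon", "sha-csrss-bad"),
    # Same dropper landed on a second host but was never executed there.
    (9, "ws07", "file", 500, 1,   "C:\\Windows\\explorer.exe", "C:\\Users\\eve\\Downloads\\csrss.exe", "sha-csrss-bad"),
]

# Windows system processes that only legitimately run from under C:\Windows.
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe"}


def pivot(ioc, events=EVENTS):
    """Start from any IOC type: a SHA matches the hash field; a URL, domain or IP
    matches the network detail as a substring, so the bare IP or domain is enough."""
    return [e for e in events if e[7] == ioc or (e[2] == "net" and ioc in e[6])]


def device_trajectory(host, pid, events=EVENTS):
    """Follow parent links on one host back to the root process. Returns the chain
    of (pid, image) ordered from point of entry to the pivot process."""
    procs = {e[3]: e for e in events if e[1] == host and e[2] == "proc"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)                         # guard against pid reuse / cycles
        chain.append((pid, procs[pid][5]))
        pid = procs[pid][4]
    chain.reverse()
    return chain


def file_trajectory(sha, events=EVENTS):
    """Every sighting of a hash across the fleet, ordered by time, regardless of the
    disposition it had when seen. Returns (ts, host, kind, path) tuples."""
    hits = []
    for e in events:
        if e[7] == sha:
            path = e[6] if e[2] == "file" else e[5]
            hits.append((e[0], e[1], e[2], path))
    return sorted(hits)


def masquerading(events=EVENTS):
    """System binary names executing outside C:\\Windows, e.g. csrss.exe in a temp dir."""
    bad = []
    for _ts, host, kind, pid, _ppid, image, _detail, sha in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if kind == "proc" and name in SYSTEM_BINARIES and not image.lower().startswith("c:\\windows\\"):
            bad.append((host, pid, image, sha))
    return bad


def hunt(ioc, events=EVENTS):
    """The slide's workflow end to end: pivot, trace each hit back to its point of
    entry, collect the file trajectory of the offending hash, and produce the host
    list a custom detection / quarantine has to cover."""
    hits = pivot(ioc, events)
    shas = {e[7] for e in hits}
    entry = {}
    for e in hits:
        chain = device_trajectory(e[1], e[3], events)
        if chain:                             # hosts where the file only landed have no ancestry
            entry[e[1]] = chain[0][1]
    trajectory = [h for sha in sorted(shas) for h in file_trajectory(sha, events)]
    return {
        "hashes": sorted(shas),
        "point_of_entry": entry,
        "file_trajectory": trajectory,
        "hosts_to_contain": sorted({h[1] for h in trajectory}),
    }


if __name__ == "__main__":
    for ioc in ("kq3vx9zp.example", "203.0.113.10", "sha-csrss-bad"):
        result = hunt(ioc)
        print(ioc, "->", result["point_of_entry"], "contain:", result["hosts_to_contain"])
    print("masquerading:", masquerading())
```

Because file_trajectory records every sighting regardless of the disposition at the time, it is also the retrospective (Plan B) query: when the hash’s verdict changes to malicious after the fact, the hosts to contain are already in the output, including ws07, where the dropper landed but never ran and so produced no alert of its own.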

Page 22

What: these applications are affected
Where: the breach affected these areas
When: this is the scope of exposure over time
How: here is the origin and progression of the threat
Who: focus on these users first

AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage

Page 23

Cisco’s AMP Everywhere Strategy Means Protection Across the Extended Network

Endpoint types covered (diagram): PC, MAC, Virtual, Mobile

• AMP for Networks
• AMP for Cloud Web Security & Hosted Email (CWS)
• AMP on Web & Email Security Appliances
• AMP on ASA Firewall with FirePOWER Services
• AMP for Endpoints
• AMP Private Cloud Virtual Appliance
• AMP Threat Grid: Dynamic Malware Analysis + Threat Intelligence Engine

Page 24

Cisco AMP is Both Point-in-Time and Continuous

Point-in-Time Protection: File Reputation & Sandboxing (PLAN A)
• One-to-One Signature, Fuzzy Fingerprinting, Machine Learning, Advanced Analytics, Dynamic Analysis

Retrospective Security: Continuous Analysis (PLAN B)
• Telemetry stream, continuous feed: File Fingerprint and Metadata, File and Network I/O, Process Information

Breadth and control points: Web (WWW), Endpoints, Network, Email, Devices, IPS

Page 25

Conclusion: The Malware Approach…

Attackers are determined and resourceful

– Malware still on devices, detection not 100%

– Point-in-time detection is not sufficient

– Attacks evolve over time

– Integrated response required to be effective

Cisco AMP solves business problems

– Where do I start?

– What is the scope and how bad is the situation?

– What was the point and method of entry?

– Can I control and remediate across the network and endpoints?

Collective Security Intelligence Cloud (diagram) connecting Computer, Virtual Machine, Mobile and Network
