Hunting Security Breaches in the Modern Threat Landscape Session ID 1.2
Lewis Tan CISSP, OPST
AMP Specialist, APJC
Advance Threat Solution, GSSO
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Industrialization of Hacking
There is a multi-billion dollar global industry targeting your prized assets: $450 Billion to $1 Trillion
Price list:
– Social Security number: $1
– Mobile malware: $150
– Bank account info: >$1000, depending on account type and balance
– Facebook accounts: $1 for an account with 15 friends
– Credit card data: $0.25–$60
– Malware development: $2500 (commercial malware)
– DDoS as a service: ~$7/hour
– Spam: $50 per 500K emails
– Medical records: >$50
– Exploits: $1000–$300K
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Minutes to compromise, Months to discover & remediate
Source: Verizon http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-Data-Breach-Report-2012.pdf
Not About Detections, But About Incident Response
Outwit Cyber Attackers
Assume Compromise
Improve Your Security Posture
Think like an Attacker
Think Like An Attacker
[Diagram: the hacker’s perspective – the perimeter controls in the way: F/W, NIPS, Proxies, AV gateways, WAF]
[Diagram: the hacker’s perspective – the same perimeter controls (F/W, NIPS, Proxies, AV gateways, WAF) with the attacker’s evasion techniques alongside them: SSL, Port Knocking, Event/Time Trigger]
APT / Advanced Malware
– Is now a tool for financial gain
– Uses formal development techniques
  • Sandbox aware
  • Quality assurance to evade detection
  • 24/7 tech support available
– Has become a math problem
  • Endpoint AV signatures: ~20 million
  • Total KNOWN malware samples: ~100 million
  • AV efficacy rate: ~50%
How do organizations address this?
• Time
• Tools
• Expense
Effective Malware Protection Strategies
Strategic Imperatives
– Visibility-Driven: Network-Integrated, Broad Sensor Base, Context and Automation
– Threat-Focused: Continuous Advanced Threat Protection, Big Data Analytics, Security Intelligence
– Platform-Based: Agile and Open Platforms, Built for Scale, Consistent Control, Management
Applied across Network, Endpoint, Mobile, Virtual and Cloud
Addressing Malware Issues
It’s how quickly you can detect the infection, understand scope, and remediate the problem.
The questions the incident team has to answer: Where do I start? How bad is the situation? What systems were affected? What did the threat do? How do we recover? How do we keep it from happening again?
[Workflow diagram]
– Confirm Infection: search network traffic, search device logs, scan devices. Outcomes: infection identified, cannot identify infection, no infection.
– Analyze Malware: define rules (from profile), build test bed, static & dynamic analysis. Output: a malware profile.
– Malware Proliferation: device analysis, network analysis, proliferation analysis. Actions: notification, quarantine, triage.
– Remediate: search for re-infection, update profile, stop.
[Diagram: Effective solution = ROI – perimeter controls (F/W, NIPS, Proxies, AV gateways, WAF) versus attacker evasion (SSL, Port Knocking, Event/Time Trigger); traffic split East – West 80%, North – South 20%; 50%]
Effective solution = ROI
Do Security Different!
Plan A: Prevention (mode: security control)
– Speed: real-time, dynamic decisions trained on real-world data
– High accuracy, low false positives / negatives
– Raises the bar, reduces the attack surface
Plan B: Retrospection (mode: incident response)
– Track system behaviors regardless of disposition
– “In-flight” correction
– Contain & correct damage, expel embedded intruders
– Reveals malicious activity
Desire to break the chain as far to the left as possible.
[Diagram: cost across the attack chain – defensive/protective measures on the left, clean-up costs on the right. A reactive security posture means long response time and long remediation time; a proactive security posture, built on Indicators of Compromise, Device Trajectory & Threat Root Cause, and File Trajectory & Outbreak Control, means reduced response time and reduced remediation time through RCA (root cause analysis).]
Use Case: Threat Hunting with a Generic IOC Event
– Can begin the search using any data from the IOC event: SHA, URL, IP address
– Device Trajectory can be used to determine host details: links between processes, file name, location on disk
– File Trajectory can be used to focus on the threat: malware gateway, threat details, file analysis
– Custom Detection to control files: remediate without escalation, quickly quarantine files, immediate protection across all systems
Threat Hunting: Trajectory
– Outlook.exe is running
– Email drops photo.zip as an attachment
– explorer.exe is called to extract the contents
– photo.exe is executed
– photo.exe contacts a website via HTTP
– photo.exe drops several additional components
– Executes a file named csrss.exe in the Outlook TMP directory (the legitimate csrss.exe lives in %SystemRoot%\System32, so one running from a temp directory is itself a strong indicator)
– Beacons to the site listed in our cracked DGA – IOC events
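The IOC-driven hunt from the use case slide and the trajectory above, worked through in code. This is an added example, not Cisco code and not AMP's telemetry format: the event records, hashes, hostnames, the Outlook temp path and the 203.0.113.7 / qxvz13k7.example destinations are all constructed here. It pivots from any IOC value (hash, destination, URL) to the parent chain on the host (root cause), to what the matched process and its children did afterwards, and to every other host that has seen the same hash (outbreak scope). Process identity is (host, pid) only for brevity; real telemetry must key on a process GUID because PIDs are reused.

```python
"""Pivot from a generic IOC event to device trajectory and file trajectory.

Constructed endpoint telemetry (not AMP's export format) modelling the chain on
the slide: Outlook.exe -> photo.zip -> explorer.exe -> photo.exe -> HTTP ->
csrss.exe dropped in the Outlook temp directory -> DGA beacon. Process identity
is (host, pid) for brevity; real telemetry must key on a process GUID because
PIDs are reused.
"""
from collections import defaultdict

SHA_ZIP, SHA_PHOTO, SHA_CSRSS = "a1" * 32, "b2" * 32, "c3" * 32  # constructed hashes
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\Outlook\\"         # constructed path

EVENTS = [  # constructed sample telemetry
    {"host": "ws01", "ts": 100, "type": "process", "pid": 10, "ppid": 1, "image": "C:\\Program Files\\Microsoft Office\\Outlook.exe"},
    {"host": "ws01", "ts": 101, "type": "file", "pid": 10, "path": TMP + "photo.zip", "sha256": SHA_ZIP},
    {"host": "ws01", "ts": 102, "type": "process", "pid": 20, "ppid": 10, "image": "C:\\Windows\\explorer.exe"},
    {"host": "ws01", "ts": 103, "type": "file", "pid": 20, "path": TMP + "photo.exe", "sha256": SHA_PHOTO},
    {"host": "ws01", "ts": 104, "type": "process", "pid": 30, "ppid": 20, "image": TMP + "photo.exe", "sha256": SHA_PHOTO},
    {"host": "ws01", "ts": 105, "type": "network", "pid": 30, "dest": "203.0.113.7", "url": "http://203.0.113.7/p.php"},
    {"host": "ws01", "ts": 106, "type": "file", "pid": 30, "path": TMP + "csrss.exe", "sha256": SHA_CSRSS},
    {"host": "ws01", "ts": 107, "type": "process", "pid": 40, "ppid": 30, "image": TMP + "csrss.exe", "sha256": SHA_CSRSS},
    {"host": "ws01", "ts": 108, "type": "network", "pid": 40, "dest": "qxvz13k7.example", "url": None},
    # a second host received the same dropper by e-mail but has not run it
    {"host": "ws07", "ts": 200, "type": "file", "pid": 5, "path": TMP + "photo.exe", "sha256": SHA_PHOTO},
]


def _name(path):
    return path.rsplit("\\", 1)[-1]


def _index(events):
    """Events per host in time order, plus host -> pid -> process-start event."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    procs = {h: {e["pid"]: e for e in evs if e["type"] == "process"} for h, evs in by_host.items()}
    return by_host, procs


def find_ioc(events, ioc):
    """Any value on the IOC event - SHA-256, destination IP/domain or URL - is a valid pivot."""
    return sorted((e for e in events if ioc in (e.get("sha256"), e.get("dest"), e.get("url"))),
                  key=lambda e: e["ts"])


def ancestry(events, host, pid):
    """Device trajectory, backwards: parent chain from the root process down to pid."""
    _, procs = _index(events)
    chain, seen, p = [], set(), procs.get(host, {}).get(pid)
    while p is not None and p["pid"] not in seen:  # seen-set guards against reused/cyclic pids
        seen.add(p["pid"])
        chain.append(_name(p["image"]))
        p = procs[host].get(p["ppid"])
    return chain[::-1]


def descendants(events, host, pid):
    """Device trajectory, forwards: what pid and everything it spawned did afterwards."""
    by_host, _ = _index(events)
    pids, timeline = {pid}, []
    for e in by_host.get(host, []):
        if e["type"] == "process" and e["ppid"] in pids:
            pids.add(e["pid"])
            timeline.append((e["ts"], "spawn", _name(e["image"])))
        elif e["type"] == "file" and e["pid"] in pids:
            timeline.append((e["ts"], "drop", _name(e["path"])))
        elif e["type"] == "network" and e["pid"] in pids:
            timeline.append((e["ts"], "connect", e["dest"]))
    return timeline


def file_trajectory(events, sha256):
    """Outbreak scope: every host that has seen the hash, and whether it executed there."""
    scope = {}
    for e in events:
        if e.get("sha256") == sha256 and scope.get(e["host"]) != "executed":
            scope[e["host"]] = "executed" if e["type"] == "process" else "present"
    return scope


def hunt(events, ioc):
    """IOC event -> root cause and activity on the host -> scope across the fleet."""
    _, procs = _index(events)
    report = []
    for e in find_ioc(events, ioc):
        host, pid = e["host"], e["pid"]
        sha = e.get("sha256") or procs.get(host, {}).get(pid, {}).get("sha256")
        report.append({"host": host, "first_seen": e["ts"],
                       "root_cause": ancestry(events, host, pid),
                       "activity": descendants(events, host, pid),
                       "scope": file_trajectory(events, sha) if sha else {}})
    return report


if __name__ == "__main__":
    for r in hunt(EVENTS, "203.0.113.7"):
        print(r["host"], " -> ".join(r["root_cause"]), r["activity"], r["scope"])
```

Starting from the C2 address alone, the report names Outlook.exe as the point of entry, lists the drop of csrss.exe and the DGA beacon as follow-on activity, and flags ws07 as holding the same dropper without having run it, which is the host to quarantine the file on before it becomes a second trajectory.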
AMP Provides Contextual Awareness and Visibility That Allows You to Take Control of an Attack Before It Causes Damage
– What: these applications are affected
– Where: the breach affected these areas
– When: this is the scope of exposure over time
– How: here is the origin and progression of the threat
– Who: focus on these users first
Cisco’s AMP Everywhere Strategy Means Protection Across the Extended Network
Covered: Mac, PC, Virtual, Mobile
– AMP for Networks
– AMP for Cloud Web Security (CWS) & Hosted Email
– AMP on Web & Email Security Appliances
– AMP on ASA Firewall with FirePOWER Services
– AMP for Endpoints
– AMP Private Cloud Virtual Appliance
– AMP Threat Grid: Dynamic Malware Analysis + Threat Intelligence Engine
Cisco AMP is Both Point-in-Time and Continuous
Point-in-Time Protection – File Reputation & Sandboxing (PLAN A)
– One-to-One Signature
– Fuzzy Fingerprinting
– Machine Learning
– Advanced Analytics
– Dynamic Analysis
Retrospective Security – Continuous Analysis (PLAN B)
– Telemetry stream / continuous feed from the control points: Endpoints, Web (WWW), Email, Network Devices, IPS
– Breadth and control points record File Fingerprint and Metadata, File and Network I/O, and Process Information
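The Plan A / Plan B split above, worked through in code: a point-in-time check only blocks what is already known bad when a file arrives, while retrospection keeps recording every sighting regardless of disposition and, when a verdict later flips to malicious, goes back to find every host that was allowed to keep or run the file. This is an added example, not Cisco code; the sightings log, the disposition feed, the hashes and the hostnames are constructed here, and the verdict names (unknown, clean, malicious) and the containment actions are this example's own.

```python
"""Retrospective security: record what every file did regardless of its
disposition at the time, and when the verdict flips, find who was already hit.

Constructed data, not AMP telemetry: a sightings log and a disposition feed.
"""

SHA_A, SHA_B = "5c" * 32, "7e" * 32  # constructed hashes

SIGHTINGS = [  # (ts, host, sha256, action) recorded for every file, whatever the verdict then
    (100, "ws01", SHA_A, "create"),
    (101, "ws01", SHA_A, "execute"),
    (140, "ws03", SHA_A, "create"),
    (120, "ws02", SHA_B, "create"),
    (900, "ws09", SHA_A, "create"),
]

DISPOSITIONS = [  # (ts, sha256, verdict) as the cloud lookup / sandbox returns them
    (100, SHA_A, "unknown"),    # first lookup: no verdict yet, so the file is allowed
    (120, SHA_B, "clean"),
    (600, SHA_A, "malicious"),  # dynamic analysis finishes long after the first sighting
]


def verdict_at(dispositions, sha, ts):
    """Point-in-time verdict: the newest disposition for sha that was known at time ts."""
    verdict = "unknown"
    for dts, dsha, v in sorted(dispositions):
        if dsha == sha and dts <= ts:
            verdict = v
    return verdict


def point_in_time(sightings, dispositions):
    """Plan A: block only what is already known bad at the moment the file shows up."""
    return [(ts, host, sha) for ts, host, sha, _ in sorted(sightings)
            if verdict_at(dispositions, sha, ts) == "malicious"]


def retrospective_alerts(sightings, dispositions):
    """Plan B: for every flip to 'malicious', alert on each host that saw the file before
    the flip while it was not yet known bad, noting whether it executed there."""
    alerts = []
    for flip_ts, sha, verdict in sorted(dispositions):
        if verdict != "malicious":
            continue
        hosts = {}
        for ts, host, s, action in sorted(sightings):
            if s != sha or ts >= flip_ts or verdict_at(dispositions, s, ts) == "malicious":
                continue  # wrong hash, seen after the flip, or already blocked point-in-time
            rec = hosts.setdefault(host, {"host": host, "sha256": sha, "first_seen": ts,
                                          "verdict_then": verdict_at(dispositions, s, ts),
                                          "executed": False, "flipped_at": flip_ts})
            rec["executed"] = rec["executed"] or action == "execute"
        alerts.extend(hosts[h] for h in sorted(hosts))
    return alerts


def containment_plan(alerts):
    """In-flight correction: hosts that ran the file come first and need isolation;
    hosts that merely hold it get the file quarantined."""
    ordered = sorted(alerts, key=lambda a: (not a["executed"], a["first_seen"]))
    return [(a["host"], "isolate_and_rebuild" if a["executed"] else "quarantine_file")
            for a in ordered]


if __name__ == "__main__":
    print("blocked point-in-time:", point_in_time(SIGHTINGS, DISPOSITIONS))
    alerts = retrospective_alerts(SIGHTINGS, DISPOSITIONS)
    print("retrospective alerts:", alerts)
    print("containment:", containment_plan(alerts))
```

Only ws09, which met the file after the verdict flipped, is stopped point-in-time; ws01 and ws03 were allowed through while the verdict was still "unknown" and are surfaced only by the retrospective pass, with ws01 ranked first because the file ran there.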
Conclusion: The Malware Approach…
Attackers are determined and resourceful
– Malware still on devices, detection not 100%
– Point-in-time detection is not sufficient
– Attacks evolve over time
– Integrated response required to be effective
Cisco AMP solves business problems
– Where do I start?
– What is the scope and how bad is the situation?
– What was the point and method of entry?
– Can I control and remediate across the network and endpoints?
[Diagram: Collective Security Intelligence Cloud connecting computers, virtual machines, mobile devices and the network]