DEVNET-1186: Harnessing the Power of the Cloud to Detect Advanced Threats: Cognitive Threat Analytics on Cloud Web Security


Harnessing the Power of the Cloud to Detect Advanced Threats

Cognitive Threat Analytics on Cloud Web Security

Petr Cernohorsky, Product Manager

June 2015

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

There’s a new cyber-threat reality

• Hackers will likely command and control your environment via web

• You’ll most likely be infected via email

• Your environment will get breached


Only Cisco Cloud Web Security Premium delivers full threat visibility

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Coverage: Network, Endpoint, Mobile, Virtual, Email & Web, Cloud (point-in-time and continuous)

Strengthen threat visibility in the After phase (continuous monitoring, analytics, statistical machine learning)


Cisco Cloud Web Security (CWS) architecture

[Architecture diagram. Traffic from Roaming Users, Branch Offices, Campus Offices and HQ is redirected to CWS through ASA, Standalone WSA, ISR G2 or AnyConnect; verdicts are Allow, Warn, Block or Partial Block. Talos supplies threat intelligence. The Admin side has Reporting, Log Extraction, Management and STIX / TAXII (APIs) for CTA.]

Before: Web Reputation, Web Filtering, Application Visibility & Control

During: Anti-Malware, File Reputation, Webpage Outbreak Intelligence

During / After: File Sandboxing, File Retrospection

CWS Premium adds AMP and Cognitive Threat Analytics (CTA):

• AMP (During / After): File Reputation, File Analysis, File Retrospection

• CTA (After), a three-layer detection engine: Layer 1 Anomaly detection and Trust modeling; Layer 2 Event classification and Entity modeling; Layer 3 Relationship modeling


CWS Premium differentiators

[Diagram: three attack vectors (direct attack from the web; infected email or USB stick; threat campaign / malicious infrastructure) against the two Premium engines, with File rep and Web rep feeding CTA and STIX / TAXII (APIs) towards the Admin.]

AMP: enable continuous monitoring and retrospective security

CTA: analyze every piece of traffic, delivering faster breach detection; detects command & control, domain generation algorithm (DGA) and tunneling


CWS Premium: CTA Layered Detection Engine

[Funnel diagram over the CWS architecture shown earlier. CTA processes 10B requests per day and reports about 1K incidents per day; the funnel is labelled Recall at the top and Precision at the bottom.]

Layer 1 (Anomaly detection, Trust modeling): anomalous web requests (flows)

Layer 2 (Event classification, Entity modeling): malicious events (flow sequences)

Layer 3 (Relationship modeling): threat incidents (aggregated events)


Identify suspicious traffic with Anomaly Detection

[Diagram: the stream of HTTP(S) requests is split into Normal, Unknown and Anomalous groups.]

Anomaly Detection

• 10B+ requests are processed daily by 40+ detectors

• Each detector provides its own anomaly score

• Aggregated scores are used to segregate the normal traffic


• Each HTTP(S) request is scanned by 40+ detectors, each with a unique algorithm

• Multiple detectors increase the statistical significance of the anomaly score, reducing the number of false negatives and false positives

Examples of Anomaly Detection output (HTTP, real and synthetic malware)

[Two histograms, "Single detector" and "Trust Modeling with multiple detectors": x axis anomaly score from 0 to 1.0, y axis number of flows or web requests from 0 to 7. Each panel marks the Normal traffic, the Identified threat, a dynamic threshold between them, and the false negatives and false positives on either side of that threshold; one panel notes that the remaining false positives are later removed after further processing.]
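The two bullets above describe the Layer 1 idea: many independent detectors each score a request, the scores are aggregated, and a threshold derived from the traffic itself separates normal from anomalous. The following is an added illustration, not Cisco or CTA code: five toy detectors stand in for the 40+ production ones, the eight web requests are constructed (hosts and paths are invented), and the equal-weight mean aggregation and the median + 3 × MAD threshold rule are assumptions. It shows the effect the slide's histograms describe: a single detector (path length) misses one of the two synthetic C&C requests, while the aggregated score catches both without flagging any of the benign requests.

```python
"""Multi-detector anomaly scoring with a dynamic threshold (added example)."""
from statistics import median

# Constructed sample: six benign requests and two that imitate C&C traffic
# (a DGA-looking host with no User-Agent, and data tunneled through a very
# long URL). All hosts, paths and byte counts are invented.
REQUESTS = [
    {"id": "B1", "host": "www.example-news.com", "path": "/world/2015/06/story.html",
     "ua": "Mozilla/5.0", "bytes_out": 500, "bytes_in": 49500},
    {"id": "B2", "host": "cdn.example-news.com", "path": "/static/js/app.js",
     "ua": "Mozilla/5.0", "bytes_out": 300, "bytes_in": 29700},
    {"id": "B3", "host": "update.example-vendor.com", "path": "/v2/check?product=browser&ver=42",
     "ua": "Updater/1.2", "bytes_out": 200, "bytes_in": 1800},
    {"id": "B4", "host": "ocsp.example-ca.org", "path": "/",
     "ua": "Mozilla/5.0", "bytes_out": 400, "bytes_in": 1600},
    {"id": "B5", "host": "mail.example-corp.com", "path": "/owa/",
     "ua": "Mozilla/5.0", "bytes_out": 2000, "bytes_in": 8000},
    {"id": "B6", "host": "www.example-video.net", "path": "/watch?v=dQw4w9",
     "ua": "Mozilla/5.0", "bytes_out": 300, "bytes_in": 299700},
    {"id": "M1", "host": "xk7q2vb9mz4lp1.info", "path": "/gate.php",
     "ua": "", "bytes_out": 6000, "bytes_in": 600},
    {"id": "M2", "host": "sync.updates-check7.biz", "path": "/sync/?q=" + "hfZ9oeZH" * 15,
     "ua": "Mozilla/5.0", "bytes_out": 9000, "bytes_in": 1000},
]


# Each toy detector maps one request to an anomaly score in [0, 1].
def d_digits(r):   # share of digits in the hostname (DGA-style names)
    return sum(c.isdigit() for c in r["host"]) / len(r["host"])


def d_path(r):     # very long URLs often carry tunneled data
    return min(len(r["path"]) / 80.0, 1.0)


def d_ua(r):       # browsers always send a User-Agent
    return 1.0 if not r["ua"] else 0.0


def d_upload(r):   # web browsing downloads far more than it uploads
    return r["bytes_out"] / (r["bytes_out"] + r["bytes_in"])


def d_label(r):    # unusually long DNS labels
    return min(max(len(label) for label in r["host"].split(".")) / 32.0, 1.0)


ALL_DETECTORS = [d_digits, d_path, d_ua, d_upload, d_label]


def aggregate_scores(requests, detectors):
    """Equal-weight mean of the detector scores, keyed by request id."""
    return {r["id"]: sum(d(r) for d in detectors) / len(detectors) for r in requests}


def dynamic_threshold(scores, k=3.0):
    """Threshold derived from the population itself: median + k * scaled MAD.

    Because it is recomputed from the current score distribution it moves
    with the traffic mix instead of being a fixed constant."""
    scores = list(scores)
    med = median(scores)
    mad = 1.4826 * median(abs(s - med) for s in scores)
    return med + k * mad


def flag(requests, detectors):
    """Ids whose aggregated score lies above the dynamic threshold."""
    scores = aggregate_scores(requests, detectors)
    thr = dynamic_threshold(scores.values())
    return {rid for rid, s in scores.items() if s > thr}


if __name__ == "__main__":
    print("single detector (path length):", sorted(flag(REQUESTS, [d_path])))
    print("all detectors:", sorted(flag(REQUESTS, ALL_DETECTORS)))
```

With the single path-length detector the threshold lands near 0.76 and only M2 is flagged (M1 is a false negative); with all five detectors the benign requests cluster below 0.19, the threshold settles near 0.23, and both M1 and M2 are flagged.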


Reduce false positives with Trust Modeling

[Diagram: HTTP(S) requests grouped into clusters labelled Normal, Unknown or Anomalous.]

Trust Modeling

• HTTP(S) requests with similar attributes are clustered together

• Over time, the clusters adjust their overall anomaly score as new requests are added
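An added example of the clustering idea in the two bullets above (not Cisco or CTA code). The cluster key (host plus User-Agent family), the running-mean cluster score and the min_support rule are assumptions made for this illustration; the request stream and its Layer 1 scores are constructed. It shows why trust modeling reduces false positives: a single high-scoring request to a host the organisation talks to all day inherits the low score of its well-populated cluster, while requests to a never-seen host keep their own high score because their young cluster has earned no trust yet.

```python
"""Trust modeling: cluster requests with similar attributes and let the
cluster's running anomaly score stand in for each member's own score."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Cluster:
    count: int = 0
    score_sum: float = 0.0

    def add(self, score):
        self.count += 1
        self.score_sum += score

    @property
    def score(self):
        return self.score_sum / self.count


def cluster_key(req):
    # Requests to the same host from the same client software family land together
    # (assumed key; production systems cluster on many more attributes).
    return (req["host"], req["ua"].split("/")[0])


def trust_model(requests, min_support=5):
    """Stream requests through the clusters in arrival order.

    Returns the effective score of every request (in input order) and the
    final clusters. A request adopts its cluster's mean score once the
    cluster has at least min_support members; until then the cluster has
    earned no trust and the request keeps its own Layer 1 score."""
    clusters = defaultdict(Cluster)
    effective = []
    for req in requests:
        c = clusters[cluster_key(req)]
        c.add(req["score"])
        effective.append(c.score if c.count >= min_support else req["score"])
    return effective, dict(clusters)


def count_flagged(scores, threshold=0.5):
    """How many scores would cross a simple alerting threshold."""
    return sum(1 for s in scores if s > threshold)


# Constructed stream: seven quiet requests to a CDN, then one to the same CDN
# that a detector scored high (say, an unusual response size), then three
# requests to a never-seen host that scored high for good reason.
REQUESTS = (
    [{"host": "cdn.example-news.com", "ua": "Mozilla/5.0", "score": 0.1}] * 7
    + [{"host": "cdn.example-news.com", "ua": "Mozilla/5.0", "score": 0.9}]
    + [{"host": "xk7q2vb9mz4lp1.info", "ua": "", "score": 0.8}] * 3
)

if __name__ == "__main__":
    eff, clusters = trust_model(REQUESTS)
    print("flagged on raw scores:", count_flagged(r["score"] for r in REQUESTS))
    print("flagged after trust modeling:", count_flagged(eff))
```

On the raw scores four requests cross 0.5; after trust modeling the CDN spike is scored at the cluster mean of 0.2 and only the three requests to the unknown host remain flagged.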


Categorize requests with Event Classification

[Diagram: classified requests are routed to one of three outcomes.]

• Keep as Legitimate context: media website, software update, certificate status check

• Alert as Malicious: tunneling, domain generation algorithm, command and control

• Keep as Suspicious context: suspicious extension, repetitive requests, unexpected destination

Event Classification

• 100+ classifiers are applied to a small subset of the anomalous and unknown clusters

• Requests’ anomaly scores update based on their classifications


Attribute anomalous requests to endpoints and identify threats with Entity Modeling

[Diagram: anomalous HTTP(S) requests are attributed to the endpoints that issued them; an endpoint whose accumulated requests reach the significance threshold is marked THREAT.]

Entity Modeling

• A threat is triggered when the significance threshold is reached

• New threats are triggered as more evidence accumulates over time


Determine if a threat is part of a threat campaign with Relationship Modeling

[Diagram: incidents at Company A across Phase 1, Phase 2 and Phase 3 (Threat Type 1, Threat Type 1, Threat Type 2) are linked to incidents at Company B and Company C and to Attack Node 1 and Attack Node 2.]

Similarity Correlation: global behavioral similarity, local behavioral similarity, local & global behavioral similarity

Infrastructure Correlation: shared malicious infrastructure
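An added example covering the Entity Modeling and Relationship Modeling slides together (not Cisco or CTA code). Classified events are accumulated per (company, user, threat type) entity and an incident is raised the first time the evidence reaches a significance threshold; later evidence of a different type raises a new incident for the same user. Incidents are then correlated by shared infrastructure into campaigns, with the rest left as one-off threats. The evidence weights, the threshold of 2.5, the entity key and the "shared destination" campaign rule are assumptions; the events, companies, users and destinations are constructed (198.51.100.7 is a documentation address). Behavioral-similarity correlation is not implemented here.

```python
"""Entity modeling and infrastructure-based relationship modeling (added example)."""
from collections import defaultdict

# Evidence contributed by one event of each class (assumed weights; the classes
# are the ones named on the Event Classification slide).
EVIDENCE = {
    "command_and_control": 1.0, "dga": 1.0, "tunneling": 1.0,           # Alert as Malicious
    "suspicious_extension": 0.3, "repetitive_requests": 0.2,             # Suspicious context
    "unexpected_destination": 0.3,
    "media_website": 0.0, "software_update": 0.0, "certificate_status_check": 0.0,  # Legitimate
}
SIGNIFICANCE = 2.5  # assumed threshold on accumulated evidence


def entity_model(events, threshold=SIGNIFICANCE):
    """Attribute events to (company, user, threat type) entities in time order
    and raise an incident the first time an entity's evidence reaches the
    threshold. More evidence of an already-reported type adds nothing new;
    evidence of a new type raises a new incident."""
    evidence = defaultdict(float)
    infra = defaultdict(set)
    triggered = set()
    incidents = []
    for ts, company, user, cls, dest in events:
        key = (company, user, cls)
        evidence[key] += EVIDENCE.get(cls, 0.0)
        infra[key].add(dest)
        if key not in triggered and evidence[key] >= threshold:
            triggered.add(key)
            incidents.append({"company": company, "user": user, "type": cls,
                              "triggered_at": ts, "infrastructure": set(infra[key])})
    return incidents


def relationship_model(incidents):
    """Infrastructure correlation: incidents that share a destination are
    linked into one campaign (union-find). Returns (campaigns, one_offs)."""
    parent = list(range(len(incidents)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(incidents)):
        for j in range(i + 1, len(incidents)):
            if incidents[i]["infrastructure"] & incidents[j]["infrastructure"]:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, inc in enumerate(incidents):
        groups[find(i)].append(inc)
    campaigns = [g for g in groups.values() if len(g) > 1]
    one_offs = [g[0] for g in groups.values() if len(g) == 1]
    return campaigns, one_offs


# Constructed, time-ordered events: (timestamp, company, user, class, destination)
EVENTS = [
    ("09:00", "A", "user1", "command_and_control", "198.51.100.7"),
    ("09:05", "A", "user1", "suspicious_extension", "files.example-share.net"),
    ("09:10", "A", "user1", "command_and_control", "198.51.100.7"),
    ("09:12", "B", "user7", "command_and_control", "198.51.100.7"),
    ("09:20", "A", "user1", "command_and_control", "198.51.100.7"),
    ("09:22", "B", "user7", "command_and_control", "198.51.100.7"),
    ("09:30", "C", "user9", "dga", "a1b2c3.example"),
    ("09:32", "B", "user7", "command_and_control", "198.51.100.7"),
    ("09:35", "C", "user9", "dga", "d4e5f6.example"),
    ("09:40", "A", "user1", "suspicious_extension", "files.example-share.net"),
    ("09:45", "C", "user9", "dga", "g7h8i9.example"),
    ("10:00", "A", "user1", "dga", "j1k2l3.example"),
    ("10:05", "A", "user1", "dga", "m4n5o6.example"),
    ("10:10", "A", "user1", "dga", "p7q8r9.example"),
    ("10:15", "A", "user1", "command_and_control", "198.51.100.7"),
]

if __name__ == "__main__":
    incs = entity_model(EVENTS)
    for inc in incs:
        print(inc["triggered_at"], inc["company"], inc["user"], inc["type"])
    campaigns, one_offs = relationship_model(incs)
    print("campaigns:", len(campaigns), "one-off threats:", len(one_offs))
```

Four incidents come out: Company A user1 (command and control, triggered at 09:20), Company B user7 (command and control), Company C user9 (DGA) and, later, Company A user1 again for DGA. The two command-and-control incidents share 198.51.100.7 and form one campaign; the two DGA incidents remain one-off threats. The two suspicious-extension events never reach the threshold on their own, and the final 10:15 event adds to an already-reported entity and raises nothing new.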


How CTA analyzes a threat

[Diagram: requests leaving the CWS Proxy carry Web reputation (Webrep) and AV verdicts (shown as +, 0 or -) and a domain age (2 weeks, 3 hours, 1 day). CTA labels the active channels by attacker technique: Domain Generation Algorithm (DGA) and data tunneling via URL (C&C).]

Attacker techniques: Active Channels


Here’s an example of how it works

Near real-time processing

[Pipeline diagram: 10B requests per day, of which +/- 1% is anomalous, become 10M events per day and 1K-50K incidents per day.]

Stages: Anomaly Detection, Trust Modeling (Cluster 1, Cluster 2, Cluster 3), Classification (Classifier A, H, K, M, X, Z), Entity Modeling, Relationship Modeling

Output: Global threats and One-off threats


Only Cisco…

Unmatched experience in big data security for over a decade

Largest security database

Widest breadth in cyber-threat research


Breach Detection 1: Ransomware

[Timeline from Feb 25 to Apr 4 (Feb 25, Mar 1, Mar 21, Mar 24, Mar 25, Apr 4): CTA Detection; AV scan removing malware; AV removing worm & signatures found outdated; AV removing trojan; AV signatures updated & trojan removed; worm removed by daily scan; CryptoLocker confirmed & endpoint sent for reimage.]

Malware activity continuously detected by CTA!

Malware operational for more than 20 days


Local Context: First detected in your network on Mar 11, 2015 and last observed on Apr 14, 2015. Total of 3 users have shown threat behavior in last 45 days.

Global Context: Also detected in 5+ other companies affecting 10+ other users.

Threat related to the Zeus Trojan horse malware family which is persistent, may have rootkit capability to hide its presence, and employs various command-and-control mechanisms. Zeus malware is often used to track user activity and steal information by man-in-the-browser keystroke logging and form grabbing. Zeus malware can also be used to install CryptoLocker ransomware to steal user data and hold data hostage. Perform a full scan for the record and then reimage the infected device.

9 MALWARE 100% confidence AFFECTING 3 users


19 MALWARE 100% confidence AFFECTING winnt://emea\user1

Encrypted Command & Control

http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…


Breach Detection 2: Malvertising BotNet

Cisco security finds close to 2000 users affected & 4000+ add-on variants!

Malvertising from browser add-ons collects huge rewards

Sophisticated code paired with refined business model


26 MALWARE 100% confidence AFFECTING winnt://emea\user2

Encrypted Command & Control

hXXp://getjpi77.info/sync2/?q=hfZ9oeZHrjYMCyVUojC6qGhTB6lKDzt4ok8gtNtVh7n0rjnEpjwErjrGrHrEtMFHhd9Fqda4rjaFqTr6qjaMDMlGojUMAe4UojkFrdg5rjwEqjnGrTw5pjY4qHYMC6qUojk7pdn5rHY9pdUHqjwFrdUGqTCMWy4ZBek0nMlHDwmPC7qLDe49nfbEtMZPhd99qdg5qHn5qHk5rdUErjg4rHkGtM0HAen0qTaFtMVKC6n0rTwMgNr0rn%3D%3D&amse=hs18&xname=BestDiscountApp

hXXp://getjpi77.info/sync2/?q=ext=hs18&pid=777&country=MX&regd=140910132330&lsd=140910163750&ver=9&ind=5106811054221898978&ssd=5684838489351109267&xname=BestDiscountApp&hid=4468748758090169352&osid=601&inst=21&bs=1%3D%3D&amse=hs18&xname=BestDiscountApp


Breach Detection 3: Qakbot Worm

• Active since 2011, taken down in 2014, only to reemerge

• Constantly adapting TTPs to avoid detection

• 500,000+ infected computers & significant profits from fraud

• Steals user data and login credentials; may open a backdoor to track user activity or deliver additional malicious code

• Rootkit capable of hiding its presence; can spread through network shared drives and removable storage devices


39 MALWARE 100% confidence AFFECTING winnt://emea\user3


Local Context: The threat was first detected in your network on Mar 15, 2015 and last observed on Apr 17, 2015. A total of 1 user has shown this threat behavior within the past 45 days. The threat was also detected in 5+ other companies affecting 5+ other users.

Global Context: Also detected in 5+ other companies affecting 5+ other users.

Threat related to Dridex. Typically spread through spam campaigns, Dridex is a banking trojan whose main goal is to steal confidential information from the user about online banking and other payment systems. The trojan communicates with the command-and-control server using HTTP, P2P, or I2P protocols. Perform a full scan of the infected device for the record, and then reimage the device.

9 MALWARE 100% confidence AFFECTING 1 user


49 MALWARE 100% confidence AFFECTING winnt://emea\user4
