Advanced Threat Solution: This Time More About the Endpoint Device

Uploaded by

Javed Hashmi

Advanced Threat Solution

this time more about the endpoint device


November 2018

Jiří Tesař
[email protected]

CSE Security, CCIE #14558, SFCE #124266, CEH


Security Strategy Overview
Digital Disruption Drives the Hacker Economy

Attack Surface, Threat Actors, Attack Sophistication ... creating an ever-evolving, dynamic threat landscape

Threats: DDoS, Advanced Persistent Threats, Ransomware, Drive-by Downloads, Data Destruction, Malvertising, Data Manipulation, Spyware/Malware, Data/IP Theft, Phishing, Monetary Theft, Unpatched Software, Wiper Attacks, Rogue Software, Botnets, Man in the Middle, Trojans

Attack surface: Endpoint, Branch, Edge, Campus, Data Center, Cloud, Operational Technology
We developed Cisco Talos: the largest non-government threat intelligence organization on the planet

• 250+ full-time threat researchers and data scientists
• Analyzing 1.5 million unique malware samples daily
• Blocking 20 billion threats daily. More than 20x any other vendor.

We see more so you can block more and respond faster to threats.
[Chart: more threats blocked daily than anyone else. Cisco 20B compared with Proofpoint, Zscaler, Fortinet, Check Point, Trend Micro, Symantec and Palo Alto; chart values shown: 1M, 800K, 972M, 700K, 250M, 4M, 1M]

See it once, protect everywhere: NGIPS, ISE, Cloudlock, Umbrella, AMP, NGFW, Threat Grid, Meraki, Network ISR/ASR, Stealthwatch

Best news yet: Cisco Talos is free for customers

Forcing the Bad Guys to Innovate
Spreading security news, updates, and other information to the public:
• White papers, articles, & other information: talosintelligence.com
• ThreatSource Newsletter: cs.co/TalosUpdate
• Talos Blog: blog.talosintelligence.com
• Social Media Posts: Facebook: TalosGroupatCisco; Twitter: @talossecurity
• Instructional Videos: cs.co/talostube
AMP for Endpoints
Monitor + Detect + Recording
• Identify a threat's point of origin
• See what it is doing
• See where it's been
• Track its rate of progression and how it spread
• Surgically target and remediate
AMP for Endpoints Protection Lattice
shorter Time To Detection ... longer

In Memory: Exploit Prevention
§ Make the memory unpredictable by changing its structure
§ Make the app aware of legitimate memory structure
§ Any code accessing the old structure is malware
§ Currently protects 32-bit apps on 32/64-bit OS! (64-bit app protection coming in AMP for Windows 6.2.x, check release notes)
§ No Audit mode & CVE agnostic

Protected applications: excel.exe, winword.exe, powerpnt.exe, outlook.exe, iexplore.exe, firefox.exe, chrome.exe, skype.exe, teamviewer.exe, vlc.exe, wscript.exe, powershell.exe, acrord32.exe, rundll.exe, taskeng.exe

[Figure: Malicious Code Injection Hitting a Decoy. Trusted Code uses the Original System Resources; injected code reaches the Decoy System Resources and raises an Alert.]
In Memory: Exploit Prevention: In Field Findings
• CCleaner: ExPrev Beta Test leads to backdoor discovery in CCleaner software from Avast
  https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
• 0-day Flash: 0-day Remote Code Execution vulnerability prevented, prevents exfiltration and remote admin
  http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
• IcedID Trojan: Minimalist (evolutionary) code injection technique prevented by ExPrev technology
  Talos Analysis: https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html
In Memory: System Process Protection
§ Protects Windows system processes from being compromised through memory injection attacks
§ Evaluates desired process/thread access, truncates potentially dangerous access
§ Protects against Mimikatz dumping credentials from lsass.exe memory

Protected processes:
• Session Manager Subsystem (smss.exe)
• Client/Server Runtime Subsystem (csrss.exe)
• Local Security Authority Subsystem (lsass.exe)
• Windows Logon Application (winlogon.exe)
• Windows Start-up Application (wininit.exe)

Talos Analysis: https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html


On Disk: Malicious Activity Protection
§ Detects abnormal behavior of a running program, initially focused on ransomware
§ Uses rules that monitor processes reading, writing, and renaming or deleting files within a short span of time
§ Modes of operation: audit, blocking, quarantine
§ Process can be excluded from MAP inspection
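Added example, not Cisco's code: a simplified rule in the spirit of the MAP bullets above, run over a constructed file-activity log. The window length, threshold and log format are assumptions, not the product's settings.

```python
# Added example, not Cisco's code: flag a process whose file reads, writes,
# renames and deletes pile up within a short window, the pattern the
# Malicious Activity Protection rules above watch for in ransomware.
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # assumed sliding window
THRESHOLD = 20          # assumed number of watched operations within the window
WATCHED_OPS = {"read", "write", "rename", "delete"}


def parse_event(line):
    """Parse one constructed event line: '<timestamp> <pid> <op> <path>'."""
    ts, pid, op, path = line.split(maxsplit=3)
    return float(ts), int(pid), op, path


def detect_bursts(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: timestamp of the triggering operation} for every process
    whose watched file operations reach `threshold` within `window` seconds."""
    events = sorted(parse_event(line) for line in lines)   # order by timestamp
    recent = defaultdict(deque)                             # pid -> timestamps in window
    alerts = {}
    for ts, pid, op, _path in events:
        if op not in WATCHED_OPS:
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > window:                           # evict ops outside the window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts


def sample_events():
    """Constructed log: pid 100 is an ordinary editor; pid 200 reads 25
    documents and writes encrypted copies in about three seconds."""
    lines = ["1.00 100 write C:\\docs\\notes.txt",
             "4.00 100 read C:\\docs\\todo.txt",
             "9.00 100 write C:\\docs\\notes.txt"]
    for i in range(25):
        t = 5.0 + i * 0.12
        lines.append(f"{t:.2f} 200 read C:\\docs\\file{i}.docx")
        lines.append(f"{t + 0.01:.2f} 200 write C:\\docs\\file{i}.docx.locked")
    return lines


if __name__ == "__main__":
    print(detect_bursts(sample_events()))   # {200: 6.09}
```

In audit mode a product would only log such an alert; blocking or quarantine would act on the process at the triggering timestamp.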
On Disk: TETRA and AMP can also use a local Update Server
§ Offline AV engine for Windows
§ On-prem server gets updates from AMP Public Cloud
§ Server FQDN configured per AMP Policy
§ Can make FQDN available publicly for external updates
§ AMP Update Server runs on Windows or Linux, uses IIS / Apache / nginx (currently TETRA updates only)

[Figure: TETRA definition updates flow from the AMP Public Cloud to the TETRA Update Server on customer premises; endpoints on the customer premises receive internal updates and endpoints on public Wi-Fi receive external updates.]
Post Infection: Cognitive Intelligence
§ Visibility into devices with or without AMP Connector – covers unsupported OS and IoT devices
§ File-less malware and ~30% more detections
§ Correlation with AMP for Endpoints events and links to files responsible for C2 communication
§ Priority rating and human-readable threat descriptions with course of action

Detected behaviours: Data Exfiltration, C&C Communication, DGAs, Exploit Kits, HTTP(S) Tunneling
New MDM/EMM vendor support: One app, two layers of security

Control and visibility
• DNS-layer enforcement and encryption via net new iOS 11 functionality
• Customizable URL-based protection with intelligent proxy
• Available to Umbrella* customers at no extra charge if subscription already covers iOS users

Visibility
• App-layer auditing and correlation via net new iOS 11 functionality
• Logs encrypted URL requests without SSL decryption
• Available to AMP for Endpoints customers at no extra charge if subscription already covers iOS devices

* Professional, Insights and Platform packages

Demo
• AMP4E
• Threatgrid
• Umbrella
• Cisco Threat Response

AMP4E – Fetch the File for Analysis
AMP4E – Fetch the File and Send to Sandbox

Threat Grid
Input
1. Sample submission: Submit suspicious samples to Threat Grid via Integration, API, or Portal

Process
2. Analyze, Correlate, and Enhance: Sample is executed and analyzed using multiple techniques
• Proprietary techniques for static and dynamic analysis
• "Outside looking in" approach
• 1000+ Behavioral Indicators

Produce Intelligence & Output
3. Inform AMP Architecture
• Behavioral Indicators & Threat Score
• Pokes AMP cloud, integrations will block
• Threat Intel Feeds & Global Intel
Threat Grid Integrations
Supported Integrations & Partners; Select Recipe Integrations; Select Threat Feed Integrations

File Analysis: Static and Dynamic
• Dynamic Analysis: Execution/Detonation, Network Connections, File/System changes, Function/Library calls (what it does)
• Static Analysis: File on disc, Header details, AV engines (what it is/contains)
Addressing the Challenges: Playbooks
User Emulation Automation
• 9 Default Playbooks
• User Generated Playbooks
• Dynamic Playbook Selection
Network, Web, Email Security AMP
Integrated File Analysis – On Premise Option

• AMP for Networks (IDS / IPS)
• AMP on Web Security Appliance
• AMP on Email Security Appliance
• AMP Endpoint Agents
• AMP Private Cloud: Advanced Malware Protection, AMP File Analysis, ThreatGrid Sandbox, Threat Intelligence Engine

[Figure labels: Process names, Registry Keys, IP Addresses, DNS Names]


Cisco Threat Response
Integrating security for faster defense

Key pillars of our integrated architecture
• Automates & Orchestrates across security products
• Focuses on security operations functions – Detection, Investigation, and Remediation
• Contextual Analysis and Incident Response (support will come also with NGFW and Content Gateways)

Cisco Threat Response
1 Get high fidelity IPS events (FMC, NGFW)
• From FMC, pivot into Threat Response via casebook browser plug-in
2 Investigate with automated enrichment (TALOS, ThreatGrid, AMP, Umbrella, SMA, VirusTotal)
• Have we seen these observables?
• What do you know about these (IP, Hash, URL, etc.) observables?
3 Remediate in AMP & Umbrella
• Which end-points reached out to the URL?
• Etc.
Encrypted Traffic?
HTTPS inspection on gateways (resign, known keys)
• NGFW
• WSA
Leverage Endpoint Visibility
• AMP4E
• NVM AnyConnect
Behavior analysis of encrypted traffic
• ETA + Stealthwatch
Telemetry sources that instrument the digital business -> Collect and store at scale -> Analyze and automate -> Security Outcomes

• Telemetry: Catalyst 9000, ETA data (Initial Data Packet, Sequence of packet lengths and times)
• Collect and store: Stealthwatch Enterprise
• Analyze and automate: Stealthwatch Custom Security Event, Cognitive Intelligence, Global Risk Map
• Security Outcomes: Cryptographic Audit, Malware Detection, C2 Message, Data Exfiltration, Self-Signed Certificate

Make the most of unencrypted fields; identify the content type through the size and timing of packets; know who's who of the Internet's dark side.
© 2018 Cisco and/or its affiliates. All rights reserved. Global Sales Training

Cryptographic Compliance
Identifying malicious encrypted traffic
[Figure: sent and received packet sequences (src/dst, Client, Server, Model) for three flows: Google Search Page Download, Initiate Command and Control, Exfiltration and Keylogging]
Packet lengths, arrival times and durations tend to be inherently different for malware than benign traffic
ETA Data Features, <= TLS 1.2
[Diagram of the TLS 1.2 exchange]
Client -> Server: client_hello
Server -> Client: server_hello (cont.), certificate, server_key_exchange, server_hello_done
Client -> Server: client_key_exchange, change_cipher_spec, encrypted_handshake_message
Server -> Client: change_cipher_spec, encrypted_handshake_message
Both directions: app_data ..., encrypted_alert
Feature groups: Application Information (client_hello), Server Information (server_hello, certificate), Behavioral Information (app_data sizes and timing)
ETA Data Features, TLS 1.3
[Diagram of the TLS 1.3 exchange]
Client -> Server: client_hello
Server -> Client: server_hello
Both directions: app_data ... (the certificate and the rest of the handshake are encrypted in TLS 1.3, so only client_hello and server_hello remain readable)
Feature groups: Application Information (client_hello), Server Information (server_hello), Behavioral Information (app_data sizes and timing)
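Added example, not Cisco's code and not how ETA computes its features: the client_hello is the one message that stays readable in both the TLS 1.2 and TLS 1.3 exchanges above, so this parses a constructed ClientHello for the fields an analyzer sees without decryption (version, cipher suites, SNI) and applies two assumed checks, a version below TLS 1.2 and a short assumed weak-suite list.

```python
# Added example (not Cisco code): read the unencrypted client_hello fields
# that ETA-style analysis can key on, then apply two assumed checks.
import struct

WEAK_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",        # assumed "weak" list
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}   # (IANA suite ids)

def build_client_hello(version, cipher_suites, sni):
    """Construct a minimal ClientHello record (test input, not captured traffic)."""
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"    # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                        # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Extract version, offered cipher suites and SNI from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                  # past record (5) and handshake (4) headers
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                            # version, random
    pos += 1 + record[pos]                   # session id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + record[pos]                   # compression methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    sni = None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                       # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            sni = record[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

def findings(record):
    """Assumed checks: legacy version field below TLS 1.2, and weak suites offered."""
    h = parse_client_hello(record)
    out = ["legacy TLS version 0x%04x" % h["version"]] if h["version"] < 0x0303 else []
    return out + [WEAK_SUITES[s] for s in h["cipher_suites"] if s in WEAK_SUITES]
```

The version check looks only at the legacy_version field, so a TLS 1.3 client (which still writes 0x0303 there) is not flagged; the "Several Applications using TLS 1.0" item in the ETA Topology findings is the kind of result such a check produces.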
ETA Topology
• Showcased in NOC & ThreatWall
• Monitored Public WiFi, Show floor networks
• 25,000+ Attendees
• 185+ Million Flows Analyzed
• 88% HTTPS vs 12% HTTP
• ~40K fps from Wireless Users

Threats Detected
• ~400 Detections using ETA
• Ransomware detected
• C&C and Data Exfiltration
• Multiple Critical, High- and Medium-risk Detections
• Numerous Malware Instances including Cryptomining & Botnet activities
• Several Applications using TLS 1.0
Security that works together
• Global Threat Intelligence: Talos
• Packet inspection: Cisco Security Packet Analyzer
• Public Cloud monitoring: Stealthwatch Cloud
• Secure data center: Tetration Analytics, Stealthwatch Enterprise
• External Web security: WSA (Web Security Appliance)
• Domain lookups: Umbrella, Investigate
• User, device and application info: ISE, TrustSec, PxGrid, AnyConnect, NVM
Stealthwatch Endpoint Visibility Solution
[Figure: ISE, Threat Feed License, Cognitive Analytics, Management Console, Flow Collector, Endpoint Concentrator, AnyConnect with Network Visibility Module (nvzFlow)]

Attributing a flow to:
• Process name
• Process hash
• Process account
• Parent process name
• Parent process hash
• Parent process account

© 2017 Cisco and/or its affiliates. All rights reserved.


Integrated Security
Latest Announcements in the Cisco Security Technical Alliances Ecosystem
• See 9/19 announcement: How Alliances Strengthen Your Cybersecurity Defenses
• Introducing pxGrid 2.0 – evolving the bedrock of our policy ecosystem
• ISE & IoT – bringing IoT into mainstream network access policy
• New integrations and partners from network to endpoint to cloud…
• ISE
• Firepower
• AMP for Endpoints
• Cisco Cloud Security
• Threat Grid
• Cisco Security Connector
Appendix – Details on New Ecosystem Partners and Integrations
CSTA September Announcement Summary
57 new integrations from network to endpoint to cloud…

• CISCO ISE: pxGrid Integrations for IoT, Orchestration, Deception, Endpoint, Vulnerability Management
• CISCO Firepower: Threat Intelligence Director for NGFW Enrichment, Firepower integrations
• CISCO AMP for Endpoints: Integrations provide analysts with detailed information and actions on endpoint events
• CISCO Cloud Security: Threat Intelligence on Malicious Domains and Threat Response Enforcement & CASB
• CISCO Threat Grid: Malware Intelligence Sharing and Incident Response Integration
Simplifying WSA Policies with SGTs
[Figure: ISE, Enterprise Backbone, Web Security Appliance, Internet, Policies]
• Who: Doctor; What: Laptop; Where: Office -> Doctor
• Who: Doctor; What: iPad; Where: Office -> BYOD
• Who: Guest; What: iPad; Where: Office -> Guest

WSA access policies (columns: Order; Group; Protocols and User Agents; URL Filtering; Applications; Objects; Anti-Malware and Reputation):
1; Doctors; (global policy); Block: 1, Monitor: 78; Block: 10, Monitor: 367; (global policy); (global policy)
2; Doctors BYOD; (global policy); Block: 1, Monitor: 78; Block: 10, Monitor: 367; (global policy); (global policy)
3; Guests; (global policy); Block: 1, Monitor: 78; Block: 10, Monitor: 367; (global policy); (global policy)
Global Policies; No blocked items; Monitor: 79; Monitor: 367; No Blocked Items; Web Reputation: Enabled, Anti-Malware Scanning: Enabled
ISE as a source of Context
Cisco ISE:
• Live Sessions Table of ISE
• Device/User Authentication
• Device Profiling
• NAD details
• Live Authentication Events shown in SMC

SMC:
• Maintain historical session table
• Correlate NetFlow to username
• Build User-centric reports

© 2018 Cisco and its affiliates.

FTD Policies Based on ISE Context and Sec Groups
[Figure: Cisco ISE linked over pxGrid to NGIPS/ASA + Firepower]


Vulnerability-Aware Cisco Security
Using Vulnerability to Drive Threat Response in Firepower & ISE
• Endpoint Vulnerability Scores (Rapid 7, Qualys, Tenable) drive Threat Scores in Firepower MC
• Endpoint Vulnerability Scores drive Threat-based Network Policy in ISE

Use Cases – Host Input API
• Allows the import of Host and Vulnerability Data into FMC: Vendor, Product, Version, and Mobile Device Information; Server Applications and Versions; Client Applications and Version; Vulnerability Names and IDs

Qualys – ISE Integration
CTA/AMP – ISE Integration
Difference: vulnerable (Qualys) vs compromised (CTA/AMP) endpoints -> Quarantine

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
What is Threat Centric NAC: Threat EndPoints based on Incidents and Indicators
Incident Response: Rapid Threat Containment
Cisco AMP, Firepower, Stealthwatch, ISE & CSTA Partners
• "Rapid Threat Containment" – automatically or manually quarantine devices or spawn investigations
• Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA or increase IPS inspection levels

[Figure: Cisco AMP, NGFW, Stealthwatch Consoles and 3rd Party Consoles like IBM, McAfee, Splunk, Tanium, Exabeam, Infoblox, LogRhythm, Rapid 7 -> pxGrid ANC API -> ISE as unified policy point -> User/Device Quarantine; Dynamic ACLs, SGT, Increase Inspection]
DUO
Duo's Approach is Easy and Reduces Cost
1 Instantly integrates with all apps
2 Users self-enroll in minutes
3 Authenticate in seconds

3 Key Points About Duo's Security Policies
1. Centrally build policies for all apps
2. Web based policy management
3. Customize for user groups & apps

Duo's Platform
• Devices: Personal (Unmanaged) Devices, Corporate (Managed) Devices
• Identity & Infrastructure: All Employees, Privileged Users, Contractors & Partners
• Applications: Cloud, On-premise, Datacenter
• Visibility, Prevention, Detection, Remediation
• Security & Access

Flexible Authentication Options for your users: Push, soft token, SMS, Phone Call, U2F, Wearables, Biometrics, HW Tokens

Verify End User Devices
Allow only compliant devices to access work applications
1. Mobile (iOS and Android)
   a. Natively using Duo Mobile app. MDM alternative.
   b. Integration with MDM platforms.
2. Non Mobile (Windows, Mac, Linux, ChromeOS)
   a. Natively using browser data. No agents.
   b. Integration with endpoint management platform.