BRKSEC-1023

#CiscoLiveAPJC

Accelerate your SOC


With Cisco XDR
Aaron T. Woland, CCIE #20113
Distinguished Engineer, Threat Detection & Response
loxx@cisco.com | @aaronwoland
BRKSEC-1023

$ whoami
Cisco role: Distinguished Engineer, Threat Detection & Response
Unofficial title: “Cisco History Professor”
Experience: Old enough to wonder how I have been doing this for ~30 years
Fun fact 1: Father of 5 daughters
Fun fact 2: Oldest works for Cisco now! Youngest is 18 months!
Fun fact 3: Working through his Cyber Security Master’s Degree from SANS Institute (~04/24)

BRKSEC-1023 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Sarcasm

“If we can’t laugh at ourselves, then we cannot laugh at anything at all”
Cisco Webex App

Questions? Use Cisco Webex App to chat with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until December 22, 2023.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-1023
Please fill out the survey

Drop your email in the comments – I WILL respond!

Agenda

• Intro to XDR
• Outcomes
• Features
• Resources

Intro to XDR

Protection isn’t Enough

• The bad guys get through our defenses
• Require Detection & Response
  • Endpoint Detection & Response
  • Network Detection & Response
  • Email Detection & Response
  • Identity Threat Detection & Response
What is XDR?

• Collection of telemetry from multiple security tools
• Application of analytics to the collected and homogenized data to arrive at a detection of maliciousness
• Response and remediation of that maliciousness

We Are Here
Is XDR different than all the other things?

XDR shared use cases (Venn diagram of XDR, NDR and EDR; *not to scale):
• Threat Detection
• Threat Hunting
• Forensics
• Response
Without XDR, how can we detect and respond to all of this?

(Diagram legend)
• Green fill: Secure Email only
• Purple fill: Secure Analytics only
• Red fill: Secure Endpoint only
• Gold fill: Email and Analytics
• Gray fill: Email and Endpoint
• Teal fill: Endpoint and Analytics
• Black fill: Email, Analytics, and Endpoint
Telemetry data source importance

The top six data sources that customers believe are essential for an XDR are Endpoint, Network, Firewall, Identity, Email, and DNS.

Data source             Essential (count)   Essential (share)   Cisco product shown alongside
Endpoint                255                 85.0%               Cisco Secure Client
Network                 226                 75.3%               Cisco / Meraki (Networking)
Firewall                207                 69.0%               Firewall Threat Defense (FTD)
Identity                191                 63.7%               Duo
Email                   179                 59.7%               Email Threat Defense (ETD)
DNS                     140                 46.7%               Umbrella
Public Cloud            137                 45.7%
Non-Security Sources     36                 12.0%
The Cisco approach to XDR
Detect more, act faster, elevate productivity, build resilience

Detect the most sophisticated threats
• Multi-vector detection: network, cloud, endpoint, email, and more
• Enriched incidents with asset insights, threat intel
• Optimized for multi-vendor environments

Act on what truly matters, faster
• Prioritize threats by greatest material risk
• Unified context to streamline investigations
• Evidence-backed recommendations

Elevate productivity
• Focus on what matters and filter out the noise
• Boost limited resources for maximum value
• Automate tasks and focus on strategic tasks

Build resilience
• Close security gaps
• Anticipate what’s next through actionable intel
• Get stronger, every day, with continuous, quantifiable improvement
Investigation Timeline – what happened & when?

A SOC / Admin responder typically builds out a timeline when investigating.

(Diagram: timeline in three phases)
• Pre-Exploitation: Probing; Failed Exploit Attempts
• Exploitation: Initial Compromise; IP Address, Mac Address, GUID(s) Activity
• Post-Exploitation: Privilege Escalation; Lateral Movement; Initial Data Exfiltration

Starting here (the “?” on the timeline), look forward & backwards for correlation to build the timeline / attack graph of “what happened”
Outcomes

Detect sooner
• Leverage integrations for faster detection and response
  • Now including CrowdStrike and SentinelOne
• Use intelligence from multiple integrated products
• Correlate alerts to detect slow or hidden attacks
A vast ecosystem of integrations

Telemetry and Detections: Cisco XDR leverages multiple sources of telemetry and detections to achieve cross-product outcomes
Action and Response: Multiple types of response actions are available across products such as network, endpoint, email, and others
Cisco and Third Party: Leverage integrations with existing products, whether they are from Cisco or from a third party
Enhanced detections with diverse intelligence

• Use public and private sources of intelligence to achieve better threat identification
• Create and customize your own feeds based on your environment and needs

(Diagram: Judgements, Indicators, Feeds, Events, Others…)
Prioritize by impact

• Single view for incidents from multiple sources
• Enhanced incident view focused on the most critical incidents
• Incidents prioritized by business impact and asset value

Reduce investigation time

• Interactive, visual representations of incidents
• Event correlation and attack chaining to group related intelligence
• Automated enrichment for the most critical incidents, ensuring intelligence is gathered immediately
How true simplicity is experienced

Without XDR: 32 minutes
1. IOC/alert
2. Investigate incidents in multiple consoles (Product dashboard 1, 2, 3, 4: Email Subject, Malicious domain, Target endpoint, SHA-256, IP)
3. Remediate by coordinating multiple teams (Product dashboard 1, 2, 3, 4)

With XDR: five minutes
Investigation is integrated across your security infrastructure, in one view:
• Query intel and telemetry from multiple integrated apps
• Quickly visualize the threat impact in your environment
• Remediate directly from a single UI
Confirm attacks sooner with alert correlation

Correlate alerts through time
Automatically create new incidents from correlated alerts over time, revealing the bigger picture of a multi-stage attack

Mapping the Attack Chain
Using MITRE Tactics and Techniques to connect and reveal the attack chain
Accelerate response

• Ability to respond throughout the interface
• Simplified response workflows available from within incidents
• Broad set of workflows to achieve a variety of outcomes
Powerful, flexible automation

Response: Analyst triggers a workflow from within the incident manager or a pivot menu
Automation rules: An incident matches a pre-defined rule and a workflow is triggered
And more…: Workflows triggered by users, APIs, webhooks, schedules, and more
Extend asset context

• Detailed asset information aggregated from multiple sources
• Combines asset inventory with security context
• Allows for more accurate incident prioritization based on asset value
• Distinguish between targets and assets
Features

Timeline from multiple sources
XDR Should Build out the Timeline

(Diagram: Vic01 activity: random mac-address, DHCP-assigned IP, EDR installed. EDR EVENT: Credential Theft, AD Find, Rubeus; identified by IP Address, Mac Address, GUID(s).)

1. EDR event, detects Kerberoast attack to harvest credentials.

Is this enough information to act?

An XDR should be automagically looking for how the event happened, stitching together other key events that might not be critical enough to generate an Alert on their own!
Timeline from multiple sources
XDR Should Build out the Timeline

(Diagram, cumulative: Vic01 activity: random mac-address, DHCP-assigned IP, EDR installed. EDR EVENT: Credential Theft, AD Find, Rubeus. NDR: Network Conn ldap://ad:389 and smb tcp/445 to AD. NDR: Network Conn, ftp of harvested creds to C2. EDR EVENT on AD: Impact: Crypto, ryuk.exe starts encrypting.)

2. NDR: Endpoint Vic01 connected via LDAP & SMB to the AD server for the kerberoast to be successful
3. NDR: Endpoint Vic01 sent the harvested creds out to the C2 server
4. EDR: First System (AD) was Ransomed! How did this happen?
Timeline from multiple sources
XDR Should Build out the Timeline

(Diagram, cumulative: Vic01 activity. EDR: Executes Bazar. NDR: Open C2 Channel. EDR: Discovery commands: systeminfo.exe, netstat.exe, net.exe, ipconfig.exe, nltest.exe, whoami.exe. EDR EVENT: Credential Theft, AD Find, Rubeus. NDR: Network Conn ldap://ad:389 and smb tcp/445 to AD. NDR: ftp of harvested creds to C2. EDR EVENT on AD: Impact: Crypto, ryuk.exe starts encrypting.)

5. EDR: Endpoint Vic01 was sending out discovery commands previously, what else was seen for Vic01?
6. EDR: Endpoint Vic01 Executed an unknown binary before those commands were run
7. NDR / DNS / Proxy: XYZ on Vic01 was communicating encrypted TLS w/ a potentially risky site before the commands
Timeline from multiple sources
XDR Should Build out the Timeline

(Diagram, cumulative: Vic01 activity. EDR: Executes Bazar. NDR: Open C2 Channel. EDR: Discovery commands. EDR EVENT: Credential Theft, AD Find, Rubeus. NDR: ldap://ad:389 and smb tcp/445 to AD. NDR: ftp of harvested creds to C2. NDR: Lateral Movement, rdp tcp/3389 from Vic01 to AD. NDR: AD opens C2 Channel. NDR: Lateral Movement, smb tcp/445 from AD to other AD servers. EDR EVENT on AD: Impact: Crypto, ryuk.exe starts encrypting.)

8. NDR: Vic01 does first lateral move to AD via RDP
9. NDR: AD Establishes C2 channel
10. NDR: AD moves laterally to other AD servers via SMB
Timeline from multiple sources
XDR Should Build out the Timeline

(Diagram, cumulative: Email Defense: Email to Kevin Smith contains link to appIe.com/xyz.exe, i.e. a-p-p-i-e.com (looks alike); opens email, follows link to a-p-p-i-e.com, downloads xyz.exe. Vic01 roams & gets new IP. EDR: Executes Bazar. NDR: Open C2 Channel. EDR: Discovery commands. EDR EVENT: Credential Theft, AD Find, Rubeus. NDR: ldap://ad:389 and smb tcp/445 to AD. NDR: ftp of harvested creds to C2. NDR: Lateral Movement rdp tcp/3389 to AD. NDR: AD opens C2 Channel. NDR: Lateral Movement smb tcp/445 to other AD servers. EDR EVENT on AD: Impact: Crypto, ryuk.exe starts encrypting.)

11. Vic01 had roamed & gotten a new IP Address (so much more important than you know)
12. Bazar executable XYZ was downloaded by Kevin Smith
13. Kevin Smith received an email w/ a look-alike domain in the URL & he clicked it to download that executable
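Step 11 is the one that bites analysts who pivot on IP addresses. The following is an added example (not Cisco XDR code) that stitches a timeline around the Kerberoast detection from constructed Email/EDR/NDR events and a constructed DHCP lease log: the phishing entry vector (step 13) is only recovered when each event's IP is first resolved to a host by lease time. Hostnames, addresses and timestamps are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Lease:                       # one DHCP lease: host held ip during [start, end)
    start: datetime
    end: datetime
    ip: str
    host: str

@dataclass(frozen=True)
class Event:                       # one Email / EDR / NDR record, keyed by IP only
    ts: datetime
    source: str
    ip: str
    summary: str
    alert: bool                    # did the producing product raise an alert itself?

T0 = datetime(2023, 11, 1, 9, 0)
WINDOW = timedelta(hours=2)        # how far to look backwards and forwards
def M(n):
    """Constructed timestamp: n minutes after T0."""
    return T0 + timedelta(minutes=n)

# Constructed DHCP lease history: Vic01 roams to a new IP after 30 minutes,
# and its old address is handed to Other03 five minutes later.
LEASES = [
    Lease(M(0), M(30), "10.1.1.20", "Vic01"),
    Lease(M(30), M(480), "10.1.1.77", "Vic01"),
    Lease(M(35), M(480), "10.1.1.20", "Other03"),
]

# Constructed events mirroring the deck's scenario (steps 1-13).
EVENTS = [
    Event(M(5), "Email", "10.1.1.20", "Kevin Smith follows link to a-p-p-i-e.com, downloads xyz.exe", False),
    Event(M(40), "EDR", "10.1.1.77", "Executes unknown binary xyz.exe (Bazar)", False),
    Event(M(41), "NDR", "10.1.1.77", "Encrypted TLS to potentially risky site (C2 channel)", False),
    Event(M(50), "EDR", "10.1.1.77", "Discovery commands: whoami.exe, nltest.exe, net.exe", False),
    Event(M(55), "NDR", "10.1.1.20", "Other03: routine intranet browsing", False),
    Event(M(60), "NDR", "10.1.1.77", "Network conn ldap://ad:389 and smb tcp/445 to AD", False),
    Event(M(61), "EDR", "10.1.1.77", "Credential theft: AD Find, Rubeus (Kerberoast)", True),
    Event(M(70), "NDR", "10.1.1.77", "ftp of harvested creds to C2", False),
    Event(M(300), "EDR", "10.1.1.77", "Unrelated: scheduled software update", False),
]

def resolve_host(ip, ts, leases=LEASES):
    """Map an IP to the host that held its lease at time ts (None if unknown)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.host
    return None

def build_timeline(events, pivot, lookback=WINDOW, lookahead=WINDOW):
    """Stitch the host-resolved context around the pivot alert, oldest first.
    This is what an XDR should assemble: it includes events that never alerted."""
    host = resolve_host(pivot.ip, pivot.ts)
    if host is None:
        raise ValueError("pivot host unknown: cannot pivot on a bare IP")
    lo, hi = pivot.ts - lookback, pivot.ts + lookahead
    related = [e for e in events
               if lo <= e.ts <= hi and resolve_host(e.ip, e.ts) == host]
    return sorted(related, key=lambda e: e.ts)

def ip_only_timeline(events, pivot, lookback=WINDOW, lookahead=WINDOW):
    """Naive version keyed on the pivot's IP alone: it loses everything the host
    did under its previous lease, here the phishing entry vector (step 13)."""
    lo, hi = pivot.ts - lookback, pivot.ts + lookahead
    return sorted((e for e in events if lo <= e.ts <= hi and e.ip == pivot.ip),
                  key=lambda e: e.ts)
```

Pivot on the one event with alert=True and compare build_timeline with ip_only_timeline: the first reaches back to the email click under the old lease, the second starts at the Bazar execution.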

Timeline in Cisco XDR

Interactive Graph: displays & groups the entities involved in the incident

Timeline: interactive, drag it, select a portion, zoom in & out
Incident manager

Centralized incident management: Incidents from a wide portfolio of products, all in one place
Automated prioritization: Risk- and asset-based prioritization, so you know what to investigate first
Built-in response workflows: Automated actions that make resolving an incident simpler and faster
Walk through incidents step by step

Progressive disclosure
Looking into an incident is a progressive experience where the relevant data is revealed as needed without overwhelming the SOC analyst

Rich incident details
Incidents are enriched with data gathered from multiple sources including assets, indicators, observables and others. Associated MITRE ATT&CK tactics and techniques are detailed with risk scoring
Identify the most impactful incidents based on risk

Priority Score = Detection Risk x Asset Value
(0-1000)         (0-100)          (0-10)

Example score shown: 736

• Priority Score (0-1000): the total priority score used to prioritize incidents
• Detection Risk (0-100): composed of multiple values: MITRE TTP Financial Risk, Number of MITRE TTPs, Source Severity
• Asset Value (0-10): user-defined asset value that represents the value of the assets involved in the incident
Incident response in four stages

• Identify: Review the incident and confirm the findings
• Contain: Act against impacted hosts, domains, files, etc.
• Eradicate: Remediate vulnerabilities and remove malicious content
• Recover: Validate remediation and restore impacted services

Investigate

One place to investigate across products: Aggregated intelligence from all your integrated products
Interactive visualization of investigation elements: Drag, drop, and inspect the results of your investigation
Built-in response actions: Take action right from an investigation, no cross-launching into other products required
Automation

Drag and drop, “no-to-low code” workflow builder: Simple workflow editor that works without writing a single line of code
Accelerates how you investigate and respond: Automate how your analysts investigate and respond
Out of the box workflows from Cisco: Popular use cases built in, more available for import from Cisco
Devices

Extensive visibility into your devices: Combined inventory from both security and device management products
Provides asset context to investigations: Differentiate between a generic target and an asset that belongs to you
Configuration and management of Cisco Secure Client: Cloud-based management of Secure Client profiles and deployments
Supported sources

Duo Access / Duo Beyond, Secure Endpoint, Umbrella (DNS), Meraki SM, Secure Client (Windows / macOS), Orbital

Third Party: CrowdStrike, SentinelOne, Microsoft Intune, Jamf Pro, Ivanti Neurons (formerly MobileIron), VMware Workspace ONE (formerly Airwatch)
One more thing…

XDR has a robust set of APIs!
• We have APIs for:
  • Threat intelligence: Private and public databases of threat intel
  • Investigation: Inspect content for observables; Enrich data using your integrated products
  • Response: Act on observables you know to be dangerous
  • Automation: Trigger workflows in XDR to do just about anything you want
To summarize
Shift the focus to outcomes

XDR-driven outcomes

Detect sooner
• Where are we most exposed to risk?
• How good are we at detecting attacks early?

Prioritize by impact
• Are we prioritizing the attacks that represent the largest material impacts to our business?

Speed up investigations
• How quickly are we able to understand the full scope and entry vectors of attacks?

Accelerate response
• How fast can we confidently respond?
• How much can SecOps automate?
• Are we quantifiably getting better?
Stop advanced threats like ransomware
Most attacks use a sequence like this…

1. (Email) A well-tailored and personalized email causes a user to click…
2. (DNS) Which goes to a questionable web site…
3. Which leads to a strange process being created locally on the user’s device…
4. That process will connect to another machine or directly to their data

MITRE ATT&CK techniques shown along the sequence: T1566: Spear phishing; T1189: Drive-by Compromise; T1055: Process Injection; T1087: Account Discovery: Domain Account; T1570: Lateral Tool Transfer; T1048: System Network Connections Discovery

Each stage is covered by a different vendor: Vendor A, Vendor C, Vendor E, Vendor G, Vendor D
Quickly position teams to achieve incremental XDR milestones

• Integrate: Consolidate solutions and technology with an integrated platform
• Unify: Build an ecosystem that aggregates and enriches data and telemetry from all parts of your environment
• Orchestrate: Enable prioritized detection and response using AI & ML
• Automate: Automate detection and response workflows that require minimal human intervention
• Optimize: Evolve, and fine tune security by proactively executing against that baseline
Resources

Other XDR sessions

• BRKSEC-2178: Extended Detection with Cisco XDR: Security analytics across the enterprise (Matthew Robertson, Distinguished TME), Wednesday @ 4:00 PM
• BRKSEC-2834: Cisco's Unified Agent: Cisco Secure Client. Bringing AMP, AnyConnect, Orbital & Umbrella together (Aaron Woland, Distinguished TME), Thursday @ 9:00 AM
• BRKSEC-2113: Cisco XDR - Making sense of the Solution and how it's a Security Productivity Tool (Aaron Woland, Distinguished TME), Friday @ 1:30 PM

https://cisco.com/go/xdr
Participating in user research gives you a place to share your thoughts and experiences to influence the future of Cisco Secure products.
• You'll hear from us at most once every 90 days.
• Participation is completely optional, and you can opt out at any time.

Session Surveys
We would love to know your feedback on this session!
• Complete a minimum of four session surveys and the overall event surveys to claim a Cisco Live T-Shirt
Getting started
Where can you learn more about Cisco XDR?
• Cisco XDR At a Glance
• An XDR Primer: The Promise of Simplifying Security Operations Position Paper
• Cisco XDR: Security Operations Simplified eBook
• Five Ways to Experience XDR eBook
• Cisco XDR Overview Video
• XDR Buyer’s Guide

Cisco XDR on Cisco.com

Thank you