Transcription
Advanced Threat Solution: this time more about the endpoint
November 2018
Jiří Tesař, jitesar@cisco.com
CSE Security, CCIE #14558, SFCE #124266, CEH
Security Strategy Overview
Digital Disruption Drives the Hacker Economy
Attack surface, threat actors and attack sophistication create an ever-evolving, dynamic threat landscape.
Threats shown: Ransomware, DDoS, Malvertising, Advanced Persistent Threats, Drive-by Downloads, Data Manipulation, Spyware/Malware, Phishing, Monetary Theft, Wiper Attacks, Botnets, Rogue Software, Man in the Middle, Data Destruction, Data/IP Theft, Unpatched Software, Trojans
Technology
We developed Cisco Talos: the largest non-government threat intelligence organization on the planet
- 250 full-time threat researchers and data scientists
- Analyzing 1.5 million unique malware samples daily
- Blocking 20 billion threats daily, more than 20x any other vendor
We see more so you can block more and respond faster to threats.
More threats blocked daily than anyone else
Chart of threats blocked daily: Cisco 20B; Symantec 4M; Proofpoint 1M; Palo Alto 1M; Check Point 700K; Trend Micro 250M; Zscaler, Fortinet: 800K, 972M
See it once, protect everywhere
Products fed by Talos: NGIPS, NGFW, ISE, Cloudlock, Umbrella, AMP, Threat Grid, Meraki, Network ISR/ASR, Stealthwatch. Best news yet: Cisco Talos is free for customers.
Forcing the Bad Guys to Innovate
Spreading security news, updates, and other information to the public:
- ThreatSource Newsletter: cs.co/TalosUpdate
- Social media posts: Facebook TalosGroupatCisco, Twitter @talossecurity
- White papers, articles, and other information: talosintelligence.com
- Talos Blog: blog.talosintelligence.com
- Instructional videos: cs.co/talostube
AMP for Endpoints
Monitor, Detect, Recording
- Identify a threat's point of origin
- See what it is doing
- See where it's been
- Track its rate of progression and how it spread
- Surgically target and remediate
AMP for Endpoints Protection Lattice (ordered from shorter to longer Time To Detection)
In-Memory Exploit Prevention
- Make the memory unpredictable by changing its structure
- Make the app aware of the legitimate memory structure
- Any code accessing the old structure is malware
- Currently protects 32-bit apps on 32/64-bit OS (64-bit app protection coming in AMP for Windows 6.2.x, check release notes)
- No Audit mode, CVE agnostic
Diagram: malicious code injection hitting trusted code raises an alert.
In-Memory Exploit Prevention: In-Field Findings
- CCleaner: ExPrev beta test leads to backdoor discovery in CCleaner software from Avast
- 0-day Flash: 0-day remote code execution vulnerability prevented, which prevents exfiltration and remote administration
- IcedID Trojan: minimalist (evolutionary) code injection technique prevented by ExPrev technology
Links (truncated in the transcription): CCleaner: istributes-malware.html; 0-day Flash: 3-goes-wild.html; IcedID: Talos Analysis: banking-trojan.html
In-Memory System Process Protection
- Protects Windows system processes from being compromised through memory injection attacks
- Evaluates desired process/thread access, truncates potentially dangerous access
- Protects against Mimikatz dumping credentials from lsass.exe memory
Protected processes: Session Manager Subsystem (smss.exe), Client/Server Runtime Subsystem (csrss.exe), Local Security Authority Subsystem (lsass.exe), Windows Logon Application (winlogon.exe), Windows Start-up Application (wininit.exe)
Talos Analysis: evolution-continues-netting-over.html
Malicious Activity Protection
- Detects abnormal behavior of a running program, initially focused on ransomware
- Uses rules that monitor processes reading, writing, and renaming or deleting files within a short span of time
- Modes of operation: audit, blocking, quarantine
- Processes can be excluded from MAP inspection
On Disk
TETRA and AMP can also use a local Update Server.
TETRA definition updates:
- Offline AV engine for Windows
- On-prem server gets updates from the AMP Public Cloud
- Server FQDN configured per AMP Policy
- The FQDN can be made publicly available for external updates (e.g. clients on public Wi-Fi)
- AMP Update Server runs on Windows or Linux and uses IIS / Apache / nginx (currently TETRA updates only)
Diagram: TETRA definitions from cloud → TETRA Update Server on customer premises → internal updates; external updates for clients outside the premises.
Post Infection: Cognitive Intelligence
- Visibility into devices with or without the AMP Connector, covering unsupported OS and IoT devices
- File-less malware and 30% more detections
- Correlation with AMP for Endpoints events and links to the files responsible for C2 communication
- Priority rating and human-readable threat descriptions with course of action
Detected behaviors: Data Exfiltration, C&C Communication, DGAs, Exploit Kits, HTTP(S) Tunneling
New MDM/EMM vendor support: One app, two layers of security
Control and visibility:
- DNS-layer enforcement and encryption via net new iOS 11 functionality
- Customizable URL-based protection with intelligent proxy
- Available to Umbrella* customers at no extra charge if the subscription already covers iOS users
Visibility:
- App-layer auditing and correlation via net new iOS 11 functionality
- Logs encrypted URL requests without SSL decryption
- Available to AMP for Endpoints customers at no extra charge if the subscription already covers iOS devices
* Professional, Insights and Platform packages
Demo: AMP4E, Threat Grid, Umbrella, Cisco Threat Response
AMP4E – Fetch the File for Analysis
AMP4E – Fetch the File and Send to Sandbox
Threat Grid
Threat Grid
1. Sample submission (Input): submit suspicious samples to Threat Grid via integration, API, or portal
2. Analyze, Correlate, and Enhance (Process): the sample is executed and analyzed using multiple techniques; proprietary techniques for static and dynamic analysis; "outside looking in" approach; 1000 behavioral indicators
3. Produce Intelligence & Inform AMP Architecture (Output): behavioral indicators & threat score; pokes the AMP cloud so integrations will block; threat intel feeds & global intel
Threat Grid Integrations
Supported Integrations & Partners; Select Recipe Integrations; Select Threat Feed Integrations
File Analysis: Static and Dynamic
- Static analysis (what it is / contains): file on disk, header details, AV engines
- Dynamic analysis (what it does): execution/detonation, network connections, file/system changes, function/library calls
Addressing the Challenges: Playbooks
User emulation and automation: 9 default playbooks, user-generated playbooks, dynamic playbook selection
Network, Web, Email Security: Integrated File Analysis – On-Premise Option
Components: AMP for Networks (IDS / IPS), AMP File Analysis, AMP Threat Grid Sandbox, AMP on Web Security Appliance, AMP on Email Security Appliance, AMP Endpoint Agents, AMP Private Cloud, Threat Intelligence Engine
Indicators shared between them: process names, registry keys, IP addresses, DNS names
Cisco Threat Response
Cisco Threat Response: Integrating security for faster defense
Key pillars of our integrated architecture:
- Automates & orchestrates across security products
- Focuses on security operations functions: detection, investigation, and remediation
Contextual Analysis and Incident Response (support will also come with NGFW and content gateways)
1. Get high-fidelity IPS events (FMC, NGFW): from FMC, pivot into Threat Response via the casebook browser plug-in
2. Investigate with automated enrichment (VirusTotal, Talos, Threat Grid): what do you know about these observables (IP, hash, URL, etc.)?
3. Remediate in AMP & Umbrella (AMP, Umbrella, SMA): have we seen these observables? Which endpoints reached out to the URL? Etc.
Encrypted Traffic?
Encrypted Traffic
- HTTPS inspection on gateways (resign, known keys): NGFW, WSA
- Leverage endpoint visibility: AMP4E, NVM, AnyConnect
- Behavior analysis of encrypted traffic: ETA, Stealthwatch
Telemetry sources that instrument the digital business (Catalyst 9000). Collect and store at scale (Stealthwatch Enterprise). Analyze and automate (Stealthwatch, malware detection). Security outcomes.
ETA data
- Initial Data Packet: make the most of unencrypted fields
- Sequence of packet lengths and times: identify the content type through the size and timing of packets
- Global Risk Map: know who's who of the Internet's dark side
Detections: C2 message, data exfiltration, self-signed certificate
© 2018 Cisco and/or its affiliates. All rights reserved. Global Sales Training
Cryptographic Compliance
Identifying malicious encrypted traffic
Packet lengths, arrival times and durations tend to be inherently different for malware than for benign traffic. Examples shown (src → dst): Google search page; initiating a command-and-control server; exfiltration and keylogging.
ETA Data Features, TLS 1.2
Handshake sequence: client hello → server hello, certificate, server hello done → client key exchange, change cipher spec, encrypted handshake message → change cipher spec, encrypted handshake message → app data in both directions → encrypted alert
Feature groups: Application Information, Server Information, Behavioral Information
ETA Data Features, TLS 1.3
Handshake sequence: client hello → server hello → app data in both directions (in TLS 1.3 the remaining handshake is already encrypted, so fewer cleartext fields are available)
Feature groups: Application Information, Server Information, Behavioral Information
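As an added example (not from this deck or any Cisco code), the two ETA features named above are computed offline from a constructed TLS flow: the cleartext ClientHello fields behind the Initial Data Packet (SNI and offered cipher suites, with a legacy-suite check in the spirit of the Cryptographic Compliance slide) and the Sequence of Packet Lengths and Times. The legacy-suite set, the sign convention for direction and the sample flow are assumptions.

```python
"""ETA-style features from a constructed TLS flow (added example, not Cisco code)."""
import struct

# Assumed legacy suites for the compliance check (IANA cipher-suite values).
LEGACY_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

def build_client_hello(sni, suites):
    """Constructed TLS 1.2 ClientHello record; sample input, not a real capture."""
    sni_body = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni     # list len, type, name len
    exts = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body        # server_name extension
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                          # version, random, no session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)          # compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs              # record type 22 = handshake

def parse_client_hello(record):
    """Initial Data Packet feature: read the fields that stay in cleartext in the ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                   # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                             # session id
    cs_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                             # compression methods
    ext_len = struct.unpack_from("!H", record, pos)[0]; pos += 2
    end, sni = pos + ext_len, None
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos); pos += 4
        if etype == 0x0000:                            # server_name: list len(2) type(1) name len(2) name
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return {"sni": sni, "cipher_suites": suites,
            "legacy_suites": [LEGACY_SUITES[s] for s in suites if s in LEGACY_SUITES]}

def splt(flow, n=5):
    """Sequence of Packet Lengths and Times for the first n packets of a flow.
    Lengths are signed by direction (client->server positive, an assumed convention);
    times are inter-arrival gaps in milliseconds."""
    out, prev = [], flow[0][0]
    for ts, direction, length in flow[:n]:
        out.append((length if direction == "c2s" else -length, ts - prev))
        prev = ts
    return out

# Constructed sample flow: (timestamp in ms, direction, payload length in bytes)
SAMPLE_FLOW = [(0, "c2s", 517), (38, "s2c", 1460), (39, "s2c", 1460), (41, "c2s", 126), (80, "s2c", 51)]
```

Feed `parse_client_hello` the first record of a flow and `splt` the first packets of the same flow to get the two feature vectors a classifier would consume.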
ETA Topology
- Showcased in NOC & ThreatWall
- Monitored public Wi-Fi and show floor networks
- 25,000 attendees
- 185 million flows analyzed
- 88% HTTPS vs 12% HTTP
- 40K fps from wireless users
Threats detected:
- 400 detections using ETA
- Ransomware detected
- C&C and data exfiltration
- Multiple critical, high- and medium-risk detections
- Numerous malware instances including cryptomining & botnet activities
- Several applications using TLS 1.0
Security that works: Talos; Stealthwatch Enterprise; domain lookups via Umbrella Investigate; user, device and application info via ISE pxGrid, TrustSec and AnyConnect NVM
Stealthwatch Endpoint Visibility Solution
Components: Management Console, Flow Collector, Endpoint Concentrator, AnyConnect with Network Visibility Module (nvzFlow), ISE, Threat Feed License, Cognitive Analytics
Attributing a flow to: process name, process hash, process account, parent process name, parent process hash, parent process account
Integrated Security
Latest Announcements in the Cisco Security Technical Alliances Ecosystem
- See the 9/19 announcement: How Alliances Strengthen Your Cybersecurity Defenses
- Introducing pxGrid 2.0 – evolving the bedrock of our policy ecosystem
- ISE & IoT – bringing IoT into mainstream network access policy
- New integrations and partners from network to endpoint to cloud: ISE, Firepower, AMP for Endpoints, Cisco Cloud Security, Threat Grid, Cisco Security Connector
- Appendix – details on new ecosystem partners and integrations
CSTA September Announcement Summary: 57 new integrations from network to endpoint to cloud
- Cisco ISE: pxGrid integrations for IoT, orchestration, deception, endpoint, vulnerability management
- Cisco Firepower: Threat Intelligence Director for NGFW enrichment, Firepower integrations
- Cisco AMP for Endpoints: integrations provide analysts with detailed information and actions on endpoint events
- Cisco Cloud Security: threat intelligence on malicious domains and Threat Response enforcement & CASB
- Cisco Threat Grid: malware intelligence sharing and incident response integration
Simplifying WSA Policies with SGTs
ISE classifies each session (who / what / where) into a security group, and the Web Security Appliance applies the matching policy:
- Who: Doctor, What: Laptop, Where: Office → Doctors
- Who: Doctor, What: iPad, Where: Office → BYOD
- Who: Guest, What: iPad, Where: Office → Guest
Web Security Appliance policies:

Order | Group           | Protocols and User Agents | URL Filtering        | Applications           | Objects          | Anti-Malware and Reputation
1     | Doctors         | (global policy)           | Block: 1 Monitor: 78 | Block: 10 Monitor: 367 | (global policy)  | (global policy)
2     | Doctors BYOD    | (global policy)           | Block: 1 Monitor: 78 | Block: 10 Monitor: 367 | (global policy)  | (global policy)
3     | Guests          | (global policy)           | Block: 1 Monitor: 78 | Block: 10 Monitor: 367 | (global policy)  | (global policy)
      | Global Policies | No blocked items          | Monitor: 79          | Monitor: 367           | No blocked items | Web Reputation: Enabled; Anti-Malware Scanning: Enabled
ISE as a source of Context (Cisco ISE → SMC)
- Maintain historical session table
- Correlate NetFlow to username
- Build user-centric reports
Live Sessions Table of ISE: device/user authentication, device profiling, NAD details. Live authentication events are shown in SMC.
pxGrid: FTD Policies Based on ISE Context and Security Groups (NGIPS/ASA Firepower)
Vulnerability-Aware Cisco Security: Using Vulnerability to Drive Threat Response in Firepower & ISE
Endpoint vulnerability scores from Rapid7, Qualys and Tenable drive threat scores in Firepower MC and threat-based network policy in ISE.
Use Cases – Host Input API
Allows the import of host and vulnerability data into FMC: vendor, product, version, and mobile device information; server applications and versions; client applications and versions; vulnerability names and IDs
Qualys – ISE Integration
CTA/AMP – ISE Integration
Difference: vulnerable (Qualys) vs compromised (CTA/AMP) endpoints → Quarantine
What is Threat-Centric NAC: threat endpoints based on incidents and indicators
Incident Response: Rapid Threat Containment
Cisco AMP, Firepower, Stealthwatch, ISE & CSTA Partners
- "Rapid Threat Containment" – automatically or manually quarantine devices or spawn investigations
- Enlist other Cisco infrastructure in the network response, such as dynamic ACLs on switches and ASA, or increase IPS inspection levels
Diagram: Cisco AMP, NGFW and Stealthwatch consoles, plus 3rd-party consoles like IBM, McAfee, Splunk, Tanium, Exabeam, Infoblox, LogRhythm and Rapid7 → pxGrid ANC API → ISE as unified policy point → CoA: user/device quarantine, SGT, dynamic ACLs, increased inspection
DUO
Duo's Approach is Easy and Reduces Cost
1. Instantly integrates with all apps
2. Users self-enroll in minutes
3. Authenticate in seconds
3 Key Points About Duo's Security Policies
1. Centrally build policies for all apps
2. Web-based policy management
3. Customize for user groups & apps
Duo's Platform
- Devices: personal (unmanaged) devices, corporate (managed) devices
- Identity: all employees, privileged users, contractors &
- Applications & Infrastructure: cloud, on-premise
- Security & Access, Remediation
Flexible authentication options for your users: Push, soft token, SMS, phone call, U2F, wearables, biometrics, HW tokens
Verify End User Devices: allow only compliant devices to access work applications
1. Mobile (iOS and Android)
   a. Natively using the Duo Mobile app (MDM alternative)
   b. Integration with MDM platforms
2. Non-mobile (Windows, Mac, Linux, ChromeOS)
   a. Natively using browser data, no agents
   b. Integration with endpoint management platforms
Nov 13, 2018