Advanced Threat Solution - Cisco

Advanced Threat Solution: this time more about the endpoint
November 2018
Jiří Tesař, jitesar@cisco.com
CSE Security, CCIE #14558, SFCE #124266, CEH

Security Strategy Overview

Digital Disruption Drives the Hacker Economy
Attack Surface, Threat Actors, Attack Sophistication: creating an ever-evolving, dynamic threat landscape.

Ransomware, DDoS, Malvertising, Advanced Persistent Threats, Drive-by Downloads, Data Manipulation, Spyware/Malware, Phishing, Monetary Theft, Wiper Attacks, Botnets, Rogue Software, Man in the Middle, Data Destruction, Data/IP Theft, Unpatched Software, Trojans

Technology

We developed Cisco Talos: the largest non-government threat intelligence organization on the planet.
- 250 full-time threat researchers and data scientists
- Analyzing 1.5 million unique malware samples daily
- Blocking 20 billion threats daily, more than 20x any other vendor
We see more so you can block more and respond faster to threats.

[Chart: more threats blocked daily than anyone else. Cisco at 20B, compared with Proofpoint 1M, Zscaler and Fortinet (800K and 972M), Check Point 700K, Trend Micro 250M, Symantec 4M, Palo Alto 1M]

See it once, protect everywhere: NGIPS, NGFW, ISE, Cloudlock, Umbrella, AMP, Threat Grid, Meraki, Network ISR/ASR, Stealthwatch.
Best news yet: Cisco Talos is free for customers.

Forcing the Bad Guys to Innovate
Spreading security news, updates, and other information to the public:
- ThreatSource Newsletter: cs.co/TalosUpdate
- Social media posts: Facebook TalosGroupatCisco, Twitter @talossecurity
- White papers, articles and other information: talosintelligence.com
- Talos Blog: blog.talosintelligence.com
- Instructional videos: cs.co/talostube

AMP for Endpoints

Monitor, Detect, Recording:
- Identify a threat's point of origin
- See what it is doing
- See where it's been
- Track its rate of progression and how it spread
- Surgically target and remediate

AMP for Endpoints Protection Lattice
[Figure: protection layers arranged from shorter to longer time to detection]

In Memory: Exploit Prevention
- Make the memory unpredictable by changing its structure
- Make the app aware of the legitimate memory structure
- Any code accessing the old structure is malware
- Currently protects 32-bit apps on 32/64-bit OS (64-bit app protection coming in AMP for Windows 6.2.x, check release notes)
- No audit mode, and CVE agnostic
[Figure: malicious code injection hitting trusted code raises an alert]

In Memory: Exploit Prevention, In-Field Findings
- CCleaner: ExPrev beta test led to the discovery of the backdoor in CCleaner software from Avast
- 0-day Flash: 0-day remote code execution vulnerability prevented; prevents exfiltration and remote admin
- IcedID Trojan: minimalist (evolutionary) code injection technique prevented by ExPrev technology
Links: CCleaner: istributes-malware.html; 0-day Flash: 3-goes-wild.html; IcedID: Talos Analysis: banking-trojan.html

In Memory: System Process Protection
- Protects Windows system processes from being compromised through memory injection attacks
- Evaluates desired process/thread access and truncates potentially dangerous access
- Protects against Mimikatz dumping credentials from lsass.exe memory
Protected processes: Session Manager Subsystem (smss.exe), Client/Server Runtime Subsystem (csrss.exe), Local Security Authority Subsystem (lsass.exe), Windows Logon Application (winlogon.exe), Windows Start-up Application (wininit.exe)
Talos Analysis: evolution-continues-netting-over.html

Malicious Activity Protection
- Detects abnormal behavior of a running program, initially focused on ransomware
- Uses rules that monitor processes reading, writing, and renaming or deleting files within a short span of time
- Modes of operation: audit, blocking, quarantine
- Processes can be excluded from MAP inspection
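The rule sketched above (many files written, renamed or deleted by one process in a short window, with per-mode actions and process exclusions) as a small detector over constructed file-activity events. This is an added example, not Cisco's MAP implementation; the event shape, window, threshold and exclusion list are assumptions.

```python
from collections import defaultdict, deque

# Constructed file-activity events (not real AMP telemetry): (time_s, pid, process, op, path)
def _burst(pid, proc, start, count, step, op):
    return [(start + i * step, pid, proc, op, r"C:\Users\a\docs\f%02d.docx" % i) for i in range(count)]

EVENTS = (
    [(10.0, 1001, "winword.exe", "write", r"C:\Users\a\docs\report.docx"),
     (40.0, 1001, "winword.exe", "write", r"C:\Users\a\docs\notes.docx"),
     (70.0, 1001, "winword.exe", "write", r"C:\Users\a\docs\budget.docx")]
    + _burst(4242, "cryptor.exe", 200.0, 10, 0.2, "read")     # reads each file...
    + _burst(4242, "cryptor.exe", 200.1, 10, 0.2, "rename")   # ...then renames it 100 ms later
    + _burst(7, "backup.exe", 300.0, 20, 0.05, "delete")      # excluded backup tool: noisy but trusted
)

WINDOW_S = 5.0      # the "short span of time" (assumed value)
THRESHOLD = 8       # distinct files written/renamed/deleted by one process inside the window
EXCLUDED = {"backup.exe"}

def detect_bursts(events, window=WINDOW_S, threshold=THRESHOLD, excluded=EXCLUDED):
    """Sliding-window rule: alert once per process whose destructive file ops exceed the threshold."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, pid, proc, op, path in sorted(events, key=lambda e: e[0]):
        if proc.lower() in excluded or op not in ("write", "rename", "delete"):
            continue                                  # reads alone are normal; excluded tools are skipped
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:            # drop ops that fell out of the window
            q.popleft()
        touched = {p for _, p in q}
        if len(touched) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "process": proc, "time": ts, "files": len(touched)})
    return alerts

MODE_ACTIONS = {"audit": "log only", "blocking": "terminate process",
                "quarantine": "terminate process and quarantine executable"}

def respond(alerts, mode):
    """Map each alert to the action of the configured mode (audit, blocking, quarantine)."""
    return [(a["process"], MODE_ACTIONS[mode]) for a in alerts]
```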

On Disk: TETRA definition updates
TETRA and AMP can also use a local Update Server.
- Offline AV engine for Windows
- On-prem server gets updates from the AMP Public Cloud
- Server FQDN configured per AMP Policy
- Can make the FQDN available publicly for external updates (clients on public Wi-Fi)
- AMP Update Server runs on Windows or Linux, uses IIS / Apache / nginx (currently TETRA updates only)
[Figure: TETRA definitions flow from the cloud to the customer-premises TETRA Update Server, which serves internal and external updates]

Post Infection: Cognitive Intelligence
- Visibility into devices with or without AMP Connector: covers unsupported OS and IoT devices
- File-less malware and 30% more detections
- Correlation with AMP for Endpoints events and links to files responsible for C2 communication
- Priority rating and human-readable threat descriptions with course of action
Detection categories shown: Data Exfiltration, C&C Communication, DGAs, Exploit Kits, HTTP(S) Tunneling

New MDM/EMM vendor support: one app, two layers of security
Control and visibility:
- DNS-layer enforcement and encryption via net new iOS 11 functionality
- Customizable URL-based protection with intelligent proxy
- Available to Umbrella* customers at no extra charge if the subscription already covers iOS users
Visibility:
- App-layer auditing and correlation via net new iOS 11 functionality
- Logs encrypted URL requests without SSL decryption
- Available to AMP for Endpoints customers at no extra charge if the subscription already covers iOS devices
* Professional, Insights and Platform packages

Demo: AMP4E, Threat Grid, Umbrella, Cisco Threat Response

AMP4E – Fetch the File for Analysis

AMP4E – Fetch the File and Send to Sandbox

Threat Grid

Threat Grid
1. Sample submission (Input): submit suspicious samples to Threat Grid via Integration, API, or Portal
2. Analyze, Correlate, and Enhance (Process): the sample is executed and analyzed using multiple techniques; proprietary techniques for static and dynamic analysis; "outside looking in" approach; 1000 behavioral indicators
3. Produce Intelligence & Inform AMP Architecture (Output): behavioral indicators & threat score; pokes the AMP cloud so integrations will block; threat intel feeds & global intel

Threat Grid Integrations: supported integrations & partners, select recipe integrations, select threat feed integrations

File Analysis: Static and Dynamic
- Static analysis (what it is/contains): file on disk, header details, AV engines
- Dynamic analysis (what it does): execution/detonation, network connections, file/system changes, function/library calls

Addressing the Challenges: Playbooks (user emulation, automation)
- 9 default playbooks
- User-generated playbooks
- Dynamic playbook selection

Network, Web, Email Security: Integrated File Analysis, On-Premise Option
[Figure: AMP Private Cloud with Threat Intelligence Engine and AMP File Analysis (AMP Threat Grid Sandbox); AMP for Networks (IDS/IPS), AMP on Web Security Appliance, AMP on Email Security Appliance and AMP Endpoint Agents (Advanced Malware Protection) exchange process names, registry keys, IP addresses and DNS names]

Cisco Threat Response

Cisco Threat Response: integrating security for faster defense
Key pillars of our integrated architecture:
- Automates & orchestrates across security products
- Focuses on security operations functions: detection, investigation, and remediation

Contextual Analysis and Incident Response (support will also come with NGFW and Content Gateways)
Cisco Threat Response:
1. Get high-fidelity IPS events: from FMC (NGFW), pivot into Threat Response via the casebook browser plug-in
2. Investigate with automated enrichment: ask VirusTotal, Talos and Threat Grid "what do you know about these observables (IP, hash, URL, etc.)?"
3. Remediate in AMP & Umbrella: ask AMP, Umbrella and SMA "have we seen these observables? Which endpoints reached out to the URL?" etc.

Encrypted Traffic?

Encrypted Traffic
- HTTPS inspection on gateways (resign, known keys): NGFW, WSA
- Leverage endpoint visibility: AMP4E, NVM, AnyConnect
- Behavior analysis of encrypted traffic: ETA, Stealthwatch

[Figure: Catalyst 9000 as the telemetry source that instruments the digital business; Stealthwatch Enterprise collects and stores at scale; Stealthwatch analyzes and automates for security outcomes such as malware detection]

ETA data
- Initial Data Packet: make the most of unencrypted fields
- Sequence of packet lengths and times: identify the content type through the size and timing of packets
- Global Risk Map: know who's who of the Internet's dark side
Detections shown: C2 message, data exfiltration, self-signed certificate
2018 Cisco and/or its affiliates. All rights reserved. Global Sales Training

Cryptographic Compliance
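The "make the most of unencrypted fields" idea and the cryptographic-compliance check as one worked example: a minimal ClientHello parser that extracts the offered version, cipher suites and SNI, then flags legacy choices such as TLS 1.0 or RC4/3DES suites. Added here for illustration; it is not ETA code, and the weak-suite list and the record builder used for test input are assumptions (note that a TLS 1.3 client sends client_version 0x0303 and signals 1.3 in the supported_versions extension, which this parser does not read).

```python
import struct

def build_client_hello(version, cipher_suites, sni):
    """Constructed test input: assemble a minimal TLS ClientHello record (not captured traffic)."""
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host   # server_name list, host_name type 0
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext              # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"             # client_version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"       # cipher suites, null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                    # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs                 # record type 22 = handshake

def parse_client_hello(rec):
    """Pull the unencrypted fields out of a ClientHello record; None if the record is something else."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        return None
    p = 9                                                         # skip 5-byte record + 4-byte handshake header
    version = struct.unpack_from("!H", rec, p)[0]; p += 2 + 32    # client_version, then 32 bytes of random
    p += 1 + rec[p]                                               # session id (length-prefixed)
    n = struct.unpack_from("!H", rec, p)[0]; p += 2
    suites = [struct.unpack_from("!H", rec, p + i)[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]                                               # compression methods
    sni = None
    if p + 2 <= len(rec):
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p); p += 4
            if etype == 0 and elen >= 5:                           # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack_from("!H", rec, p + 3)[0]
                sni = rec[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

# Suites a compliance policy would flag (assumed list, IANA values): RC4, 3DES and non-PFS RSA AES-CBC.
WEAK_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035}

def compliance_findings(fields):
    """Cryptographic-compliance check on the offered client_version and cipher suites."""
    findings = []
    if fields["version"] < 0x0303:          # 0x0301 = TLS 1.0, 0x0302 = TLS 1.1, 0x0303 = TLS 1.2
        findings.append("client_version below TLS 1.2: 0x%04x" % fields["version"])
    weak = [s for s in fields["cipher_suites"] if s in WEAK_SUITES]
    if weak:
        findings.append("legacy cipher suites offered: " + ", ".join("0x%04x" % s for s in weak))
    return findings
```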

Identifying malicious encrypted traffic
[Figure: a Google search page load compared with a client initiating a command-and-control server connection and exfiltration/keylogging, drawn as src/dst packet sequences]
Packet lengths, arrival times and durations tend to be inherently different for malware than for benign traffic.

ETA Data Features, TLS 1.2
Handshake messages visible on the wire: client hello, server hello, certificate, server hello done, client key exchange, change cipher spec, encrypted handshake message, then app data and encrypted alert.
Feature groups: application information, server information, behavioral information.

ETA Data Features, TLS 1.3
Visible on the wire: client hello, server hello, then only app data (the remainder of the handshake is encrypted).
Feature groups: application information, server information, behavioral information.
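Because TLS 1.3 hides everything after the server hello, the behavioral features (sequence of packet lengths and times) carry most of the signal. The following added example, not Cisco's ETA implementation, builds that feature set from constructed flow records: the first signed lengths and inter-arrival gaps, a row-normalised Markov transition matrix over length bins, and a timing-regularity score; a clockwork check-in flow and an irregular browsing flow are constructed inline for comparison.

```python
import math

# Constructed flows (not captured traffic): (time_ms, direction, length_bytes), direction +1 = client->server.
BEACON_FLOW = [ev for i in range(6) for ev in ((i * 60000, 1, 180), (i * 60000 + 20, -1, 90))]
BROWSING_FLOW = [(0, 1, 517), (25, -1, 1500), (26, -1, 1500), (27, -1, 812), (40, 1, 126),
                 (300, 1, 340), (340, -1, 1500), (341, -1, 1500), (2000, 1, 410), (2100, 1, 95),
                 (2150, -1, 640), (9000, 1, 380), (9050, -1, 1500)]

def splt_features(flow, n=10, max_len=1500, bins=10):
    """Sequence of Packet Lengths and Times: first n signed lengths and inter-arrival gaps, plus a
    row-normalised Markov transition matrix over length bins (direction folded into the sign)."""
    lens = [d * min(length, max_len) for _, d, length in flow[:n]]
    gaps = [t2 - t1 for (t1, _, _), (t2, _, _) in zip(flow[:n], flow[1:n])]
    width = (2 * max_len) // bins                      # bins span -max_len .. +max_len
    def bucket(x):
        return min((x + max_len) // width, bins - 1)
    matrix = [[0.0] * bins for _ in range(bins)]
    for a, b in zip(lens, lens[1:]):
        matrix[bucket(a)][bucket(b)] += 1
    for row in matrix:                                 # turn counts into transition probabilities
        total = sum(row)
        if total:
            row[:] = [v / total for v in row]
    return {"lengths": lens, "gaps": gaps, "transitions": matrix}

def timing_regularity(flow):
    """Coefficient of variation of client->server inter-arrival gaps; near 0 means clockwork check-ins."""
    ts = [t for t, d, _ in flow if d == 1]
    gaps = [t2 - t1 for t1, t2 in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None                                    # too few client packets to judge
    mean = sum(gaps) / len(gaps)
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return math.sqrt(var) / mean if mean else None
```

In a deployment these vectors feed a classifier trained on labelled flows; the regularity score alone is only one of the behavioral features.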

ETA Topology
- Showcased in NOC & ThreatWall
- Monitored public Wi-Fi and show floor networks
- 25,000 attendees
- 185 million flows analyzed
- 88% HTTPS vs 12% HTTP
- 40K fps from wireless users
Threats detected:
- 400 detections using ETA
- Ransomware detected
- C&C and data exfiltration
- Multiple critical, high- and medium-risk detections
- Numerous malware instances including cryptomining & botnet activities
- Several applications using TLS 1.0

Security that works
[Figure: Stealthwatch Enterprise at the center; domain lookups via Umbrella Investigate; user, device and application info via ISE pxGrid, TrustSec and AnyConnect NVM]

Stealthwatch Endpoint Visibility Solution
Components: Management Console, Flow Collector, Endpoint Concentrator, AnyConnect with Network Visibility Module (nvzFlow), ISE, Threat Feed License, Cognitive Analytics
Attributing a flow to: process name, process hash, process account, parent process name, parent process hash, parent process account

Integrated Security

Latest Announcements in the Cisco Security Technical Alliances Ecosystem
See the 9/19 announcement: How Alliances Strengthen Your Cybersecurity Defenses
- Introducing pxGrid 2.0, evolving the bedrock of our policy ecosystem
- ISE & IoT: bringing IoT into mainstream network access policy
- New integrations and partners from network to endpoint to cloud: ISE, Firepower, AMP for Endpoints, Cisco Cloud Security, Threat Grid, Cisco Security Connector
- Appendix: details on new ecosystem partners and integrations

CSTA September Announcement Summary: 57 new integrations from network to endpoint to cloud
- Cisco ISE: pxGrid integrations for IoT, orchestration, deception, endpoint, vulnerability management
- Cisco Firepower: Threat Intelligence Director for NGFW enrichment, Firepower integrations

CSTA September Announcement Summary (continued)
- Cisco AMP for Endpoints: integrations provide analysts with detailed information and actions on endpoint events
- Cisco Cloud Security: threat intelligence on malicious domains and Threat Response enforcement & CASB
- Cisco Threat Grid: malware intelligence sharing and incident response integration

Simplifying WSA Policies with SGTs
[Figure: ISE classifies users by who/what/where (Doctor on a laptop in the office: Doctors; Doctor on an iPad in the office: BYOD; Guest on an iPad in the office: Guest) and the Web Security Appliance applies per-group policies on the path from the enterprise backbone to the Internet]
WSA policy table columns: Order, Group, Protocols and User Agents, URL Filtering, Applications, Objects, Anti-Malware and Reputation. Rows: 1 Doctors, 2 Doctors BYOD, 3 Guests, Global Policies. Most cells inherit the global policy (URL Filtering Block: 1 / Monitor: 78; Applications Block: 10 / Monitor: 367; no blocked items for Objects; Web Reputation: Enabled; Anti-Malware Scanning: Enabled).

ISE as a Source of Context (Cisco ISE and SMC)
- Maintain historical session table
- Correlate NetFlow to username
- Build user-centric reports
Live Sessions Table of ISE: device/user authentication, device profiling, NAD details; live authentication events shown in SMC.

pxGrid: FTD Policies Based on ISE Context and Security Groups (NGIPS/ASA Firepower)

Vulnerability-Aware Cisco Security: Using Vulnerability to Drive Threat Response in Firepower & ISE
Endpoint vulnerability scores from Rapid 7, Qualys and Tenable drive threat scores in Firepower MC and threat-based network policy in ISE.

Use Cases: Host Input API
Allows the import of host and vulnerability data into the FMC: vendor, product, version and mobile device information; server applications and versions; client applications and versions; vulnerability names and IDs.

Qualys – ISE Integration

CTA/AMP – ISE Integration
Difference: vulnerable (Qualys) vs. compromised (CTA/AMP) endpoints. Action: quarantine.

What is Threat Centric NAC: threat endpoints based on incidents and indicators

Incident Response: Rapid Threat Containment
Cisco AMP, Firepower, Stealthwatch, ISE & CSTA partners
- "Rapid Threat Containment": automatically or manually quarantine devices or spawn investigations
- Enlist other Cisco infrastructure in the network response, such as dynamic ACLs on switches and ASA, or increase IPS inspection levels
[Figure: Cisco AMP, NGFW and Stealthwatch consoles and 3rd-party consoles (IBM, McAfee, Splunk, Tanium, Exabeam, Infoblox, LogRhythm, Rapid 7) call the pxGrid ANC API; ISE acts as the unified policy point and applies user/device quarantine via SGT, dynamic ACLs and increased inspection]

DUO

Duo's Approach is Easy and Reduces Cost
1. Instantly integrates with all apps
2. Users self-enroll in minutes
3. Authenticate in seconds

3 Key Points About Duo's Security Policies
1. Centrally build policies for all apps
2. Web-based policy management
3. Customize for user groups & apps

Duo's Platform
[Figure: Devices (personal/unmanaged and corporate/managed), Identity (all employees, privileged users, contractors), Applications & Infrastructure (cloud, on-premise); Security & Access, Remediation]

Flexible Authentication Options for your users: push, soft token, SMS, phone call, U2F, wearables, biometrics, HW tokens

Verify End User Devices: allow only compliant devices to access work applications
1. Mobile (iOS and Android)
   a. Natively using the Duo Mobile app (MDM alternative)
   b. Integration with MDM platforms
2. Non-mobile (Windows, Mac, Linux, ChromeOS)
   a. Natively using browser data, no agents
   b. Integration with endpoint management platform

Nov 13, 2018