Cisco Advanced Malware Protection · directly on the client ... [Application] Compromise - A...
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Company
Products / Malware
Mindset
Strategy
Knowledge
Behavior
Complexity
Features
Detection Engines
Coverage
The history of Endpoint Protection
Probability
Detection?
Remediation?
Proactive?
Winner
Who wins the Race?
Hopefully you!
Processing
Company (Defender)
Products (Features)
Malware (Attacker)
Domain Names / IP Address
Hash Values
Network/Host Artifacts
TTPs / Tools
Levels
Tough!
Challenging
Annoying
Simple
Easy
Trivial
From Event to Context
• Context simplifies complexity
• Provides a completely different view of, and insight into, your threat landscape
• Context awareness is not a product; it is more a capability and an approach
• Context is the relationship between information and artifacts
IP, URL, Domain
Flow Correlation
Behavior
Events
Context
From Event to Context – what can be included
Event(s)
Events from various point products.
Context
Includes much information; events are one part only.
Endpoint Challenges
Result: 20 min. with Win 10 (Procmon)
• 46M OS operation events
• 8.7M File events
• 11.5K Process events
• 114K Network events
• 35M Registry events
Threat Intelligence Counters by Talos
• 1.5M unique Samples Daily
• 20B Threats blocked/day
• 150B DNS entries daily
• 18.5B AMP queries/day
• 16B URLs/Web requests daily
• Threat Data processed: 120TB/day, 3.6PB/month
• 4,996,895,529 unique hashes per week
• Too much data to handle on premise
• Too much data to handle directly on the client
• The threat landscape is too complex to be handled on the endpoint only
• Another approach is necessary
N + = X
Information
Threat Feeds
Intelligences
Analytic Systems
Researcher
Event
Event Details
Engines / Technologies
Signatures Based
Advanced Techniques
Proactive Techniques
Machine Learning
Exploit Prevention
Memory Protection
Host based IPS
Advanced Analytics
When needed?
Configuration
Endpoint Configuration
Cloud and Intelligence
When querying cloud
or other intelligences
Start
Something comes up
at the endpoint.
1 of 46 Million
Endpoint Protection – Traditional Approach
Behavior Cluster
Malicious behaviour cluster including hundreds/thousands/millions of artifacts and also including one or more Threat Events
No Event
No Information
N + = X
Information
Threat Feeds
Intelligences
Analytic Systems
Researcher
Event
Event Details
Endpoint Protection – Traditional Approach
Timeline in one direction
Time window from ms/sec.
No information beyond Threat Events
Integrations
Intelligence, Product, SIEM
Endpoint Protection – Traditional Approach
Engines / Technologies
Signatures Based
Advanced Techniques / Proactive Techniques
Machine Learning
Exploit Prevention
Memory Protection
Host based IPS
Cloud Information
Information for different types of artefacts
File Hashes
Certificate Information
Remediation information
IP/URL Reputation
Management
Policies, Events
Logging
Reports
Updates/Upgrades
Timeline in one direction
Timewindow from ms/sec.
No information beyond Threat Events
Threatlandscape complexity
Resource Intensive
Event Management
Event Rating
Visibility
Endpoint Protection
Knowledge/Resource/Design Gap
GOAL: Fix these gaps
Endpoint Protection – New Generation Strategy
Endpoint Connector Endpoint Backend
Endpoint Prevention
Advanced Techniques
Proactive Techniques
Machine Learning
Exploit Prevention
Memory Protection
**Signature Based
Endpoint Protection Endpoint Mgmt.
Management
Events
Policies
Reporting
Threat Information Integration
Activity Storage
Endpoint Mgmt. / Endpoint Monitoring
Disk Activity Monitoring
Network Monitoring
Device Flow Correlation
Endpoint IOC
Command Line Capture
Endpoint Monitoring Backend Intelligence
Intelligence
Indication of Compromise Calculation
Data Enrichment
Cloud Analysis Features
Backend Intelligence
Endpoint Protection – New Generation Strategy
Endpoint Connector Endpoint Backend
3rd Party
Integration (APIs)
Sharing (APIs)
Threat Feeds
Existing Infrastructure
Perimeter
Web and E-mail
Network Anomaly
Encrypted Traffic Analysis
NGFW/IPS
Agentless Detection
Weblog Analysis (CTA)
DNS Based Security
Advanced Analytics
Static Analysis
Dynamic Analysis
Threat Intelligence Group
Research, Traps and Telemetry
Research and Efficacy Team (RET)
Cisco Product Security Incident Response Team (PSIRT)
Endpoint Prevention
Advanced Techniques
Proactive Techniques
Machine Learning
Exploit Prevention
Memory Protection
**Signature Based
Endpoint Protection
Communication Platform
Endpoint Mgmt.
Management
Events
Policies
Reporting
Threat Information Integration
Activity Storage
Endpoint Mgmt. / Endpoint Monitoring
Disk Activity Monitoring
Network Monitoring
Device Flow Correlation
Endpoint IOC
Command Line Capture
Endpoint Monitoring Backend Intelligence
Intelligence
Indication of Compromise Calculation
Data Enrichment
Cloud Analysis Features
Backend Intelligence
3rd Party
Existing Security
Talos
Threat Intelligence
Cognitive Analytics
Network
Agentless Detection
Anomaly
ETA
Start
Something comes up in the enterprise including managed and unmanaged devices
Endpoint Behavior
Collecting Artifacts, Behavior, Network Activity, ...
Start
Something comes up
at the endpoint
Content
Web
From Event to Context – Continuous Monitoring
Changing Time Window from ms/sec. to weeks
Time in both directions
Intelligence
Moving resource intensive analysis from the endpoint to the cloud.
Endpoint Events
Disposition, Reaction, Action, Details
Information
Threat Feeds
Intelligences
Analytic Systems
Researcher
3rd Party
Existing Security
Talos
Threat Intelligence
Cognitive Analytics
Network
Agentless Detection
Anomaly
ETA
Start
Something comes up in the enterprise including managed and unmanaged devices
Endpoint Behavior
Collecting Artifacts, Behavior, Network Activity, ...
Start
Something comes up
at the endpoint
Content
Web
From Event to Context – Continuous Monitoring
Endpoint Events
Disposition, Reaction, Action, Details
Continuous Monitoring 7x24x365
RETROSPECTION
VISIBILITY
Endpoint(s)
Endpoint Software
3rd Party
Existing Security
Talos
Threat Intelligence
Cognitive Analytics
Network
Agentless Detection
Anomaly
ETA
Content
Web
From Event to Context – Continuous Monitoring
Information
Threat Feeds
Intelligences
Analytic Systems
Researcher
Indications of Compromise
Cloud Based
Local Calculated
Manual IOC File Upload
Event Based: Traditional Approach
Context Based: AMP Visibility Approach
From Event to Context – Summary
Disk Memory
Sophisticated Malware Example - Infection
Code Installation
Malware installed
Code Injection
Binary Data
Dynamically created Content
Loaded from 3rd party
Obfuscated Content
Encrypted Content
Looks like “waste”
Partial Download
HTTPS Traffic
Hidden Protocol in HTTPS
Category: Business
Reputation: good
IP-Reputation: good
Status: Compromised
Good?
Malicious?
Unknown?
WORKING: Hidden, Stealthy, time-delayed
DECOY User
PREVENT Detection
New Sample in the world
In Memory
Entrenchment
Code generated
Code
Injection
.HLP .MSI
New Attack vector
New vulnerabilities
.SVC
.DLL=
.ISO .OCX .EXE ews.exe
Dropped Payload,
autom. executed,
generates new Files
.EXE
OInfoP11.exe
created
OInfo11.ocx
created, holds
Decryption Info
OInfo11.iso
extracted,
encrypted,
compressed
Disk Memory
Sophisticated Malware Example – Post Infection
All unwanted
malicious behavior
Status: Clean
No Sample, no Signature
Infection Vector unknown
Time-to-detect infected host
Single File not malicious
C&C Communication
Data Loss
Which Artifacts are left for investigation?
Which Information is available for investigation?
Sample IOC Events:
Event list for Generic IOC.
IOC Event Detail Examples
Generic IOC: Powershell Download
Generic IOC: W32.Poweliks Persistence
Generic IOC: Possible Privilege Escalation Attempt Detected
AMP4E Calculating Indication of Compromise - 1
Calculation from observed activity over the last 7 days
Info
Threat Detected - One or more malware detections were triggered on the computer.
Potential Dropper Infection - Potential dropper infections indicate a single file is repeatedly attempting to download malware onto a computer.
Multiple Infected Files - Multiple infected files indicate multiple files on a computer are attempting to download malware.
Executed Malware - A known malware sample was executed on the computer. This can be more severe than a simple threat detection because the malware potentially executed its payload.
Suspected botnet connection - The computer made outbound connections to a suspected botnet command and control system.
[Application] Compromise - A suspicious portable executable file was downloaded and executed by the application named, for example Adobe Reader Compromise.
[Application] launched a shell - The application named executed an unknown application, which in turn launched a command shell, for example Java launched a shell.
Generic IOC - Suspicious behavior that indicates possible compromise of the computer.
Suspicious download - Attempted download of an executable file from a suspicious URL. This does not necessarily mean that the URL or the file is malicious, or that the endpoint is definitely compromised. It indicates a need for further investigation into the context of the download and the downloading application to understand the exact nature of this operation.
AMP Cloud/Appliance Cloud Service Not available
AMP4E Calculating Indication of Compromise - 2
Calculation from observed activity over the last 7 days
Info
Suspicious Cscript Launch - Internet Explorer launched a Command Prompt, which executed cscript.exe (Windows Script Host). This sequence of events is generally indicative of a browser sandbox escape ultimately resulting in execution of a malicious Visual Basic script.
Suspected ransomware - File names containing certain patterns associated with known ransomware were observed on the computer. For example, files named help_decrypt.<filename> were detected.
Possible webshell - the IIS Worker Process (w3wp) launched another process such as powershell.exe. This could indicate that the computer was compromised and remote access has been granted to the attacker.
Cognitive Threat - Cisco Cognitive Threat Analytics uses advanced algorithms, machine learning, and artificial intelligence to correlate network traffic generated by your users and network devices to identify command-and-control traffic, data exfiltration, and malicious applications. A Cognitive Threat Indication of Compromise event is generated when suspicious or anomalous traffic is detected in your organization. Only threats that CTA has assigned a severity of 7 or higher are sent to AMP for Endpoints.
AMP Cloud/Appliance Cloud Service Not available
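The parent/child rules listed above (an application launched a shell, a possible webshell, a suspicious cscript launch) and the seven-day observation window can be reproduced over process-creation telemetry. The following is an added example written for this page, not Cisco's or AMP's code; the event field names pid, ppid, image and ts and the "known application" list are assumptions.

```python
# Added illustration, not Cisco's code: a minimal process-lineage detector that
# reproduces three AMP4E indications of compromise over constructed events.
SHELLS = {"cmd.exe", "powershell.exe"}
# Images the detector treats as "known" (assumed list); anything else counts as an
# unknown application for the "[Application] launched a shell" rule.
KNOWN = {"explorer.exe", "iexplore.exe", "cmd.exe", "powershell.exe",
         "cscript.exe", "w3wp.exe", "java.exe", "acrord32.exe"}

def lineage(events):
    """Map pid -> (lower-cased image name, parent pid)."""
    return {e["pid"]: (e["image"].lower(), e["ppid"]) for e in events}

def ancestors(procs, pid):
    """Image names from the process itself upward until the parent is unknown."""
    chain = []
    while pid in procs:
        image, pid = procs[pid]
        chain.append(image)
    return chain

def compute_iocs(events, now, window_days=7):
    """Return (ioc name, pid) pairs for events observed in the last window_days."""
    procs = lineage(e for e in events if 0 <= now - e["ts"] <= window_days)
    iocs = []
    for pid in procs:
        chain = ancestors(procs, pid)          # [self, parent, grandparent, ...]
        image = chain[0]
        parent = chain[1] if len(chain) > 1 else None
        grand = chain[2] if len(chain) > 2 else None
        # Possible webshell: the IIS worker process launched a shell.
        if parent == "w3wp.exe" and image in SHELLS:
            iocs.append(("Possible webshell", pid))
        # Suspicious Cscript Launch: Internet Explorer -> Command Prompt -> cscript.exe.
        if image == "cscript.exe" and parent == "cmd.exe" and grand == "iexplore.exe":
            iocs.append(("Suspicious Cscript Launch", pid))
        # [Application] launched a shell: app -> unknown application -> shell.
        if image in SHELLS and parent and parent not in KNOWN and grand:
            iocs.append((f"{grand} launched a shell", pid))
    return iocs

# Constructed sample telemetry (not real data); ts is the observation day number.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "ts": 10},
    {"pid": 200, "ppid": 100, "image": "iexplore.exe",   "ts": 10},
    {"pid": 201, "ppid": 200, "image": "cmd.exe",        "ts": 10},
    {"pid": 202, "ppid": 201, "image": "cscript.exe",    "ts": 10},
    {"pid": 300, "ppid": 1,   "image": "w3wp.exe",       "ts": 10},
    {"pid": 301, "ppid": 300, "image": "powershell.exe", "ts": 10},
    {"pid": 400, "ppid": 100, "image": "java.exe",       "ts": 10},
    {"pid": 401, "ppid": 400, "image": "dropper_x7.exe", "ts": 10},
    {"pid": 402, "ppid": 401, "image": "cmd.exe",        "ts": 10},
    {"pid": 500, "ppid": 1,   "image": "w3wp.exe",       "ts": 1},  # outside the window at day 10
    {"pid": 501, "ppid": 500, "image": "powershell.exe", "ts": 1},
]
```

Calling compute_iocs(SAMPLE_EVENTS, now=10) flags pid 202, 301 and 402 and ignores the day-1 w3wp chain; moving now back to day 3 drops the recent events and surfaces that older webshell instead.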
Incident Management without Threat Response
The power of connected intelligences
E.g. Co-Occurrence Model
Cloud Based IOCs, Threat Correlation, Retrospection
Log Lines > Anomaly Detection
-> 5-10% of Traffic left
Trust Modeling
-> Long term prediction model
Events Classification
-> Naming for Events
Relationship Modeling
-> Aggregate with Endpoint Information (Same Threat, Same Attacker)
Threat Feeds / Worldwide Sensors
Several automated, artificial-intelligence-supported systems
Talos, AMP & TG, CTA, Umbrella
Common theme or goal
Incident Response (IR) without Cisco Threat Response (CTR)
Timeline (Hours? Days? Weeks?)
Alert: Malware alert from a single point product.
Searching: Search in SIEM or other available information sources, log files and so on.
Verify: Verify the event, e.g. whether further analysis is necessary.
Ticketing: Defined process? Open ticket.
Availability: Client not available, user on PTO, no sensor, different department.
Find: Find the malware. Where, who, how, when…. Disk forensics, on-demand scan, manual search, knowledge? Full disk forensics.
Deliver: Format device, system back to user.
Format: Most information lost.
Q1 - Commodity/Targeted?
Q2 - Persistency?
Q3 - Ransom/Backups?
Q4 - Lateral movement?
Q5 - Clean/Format?
Steps
What next?
Next Steps
a.exe Hash: 92a6…………7a
Result
Result
Analysis Tools
Process Explorer
Wireshark
Full Disk Forensics
Other Tools
Tools: Search on Client, Search in SIEM
Q1 - DHCP info?
Q2 - AD info?
Q3 - CMDB info?
Q4 - Vulnerability info?
Q5 - AV info?
Q6 - Who is doing the C&C?
Alert by Next-Gen Network
• C&C Traffic Detected:
• Destination: 52.28.249.128 (Threat Intelligence?)
• Source: 10.0.2.11 (Q, Q, Q, Q, Q, Q, ?)
• Pcap Capture available?
C&C Traffic Alert
Timeline (Hours? Days? Weeks?)
IR without CTR – C&C traffic alert!!
Searching
Sources? Intelligences? Correlations?
Payload
OS
Hardware
Endpoint Protection Approach Dilemma
Threat Event?
Threat Event?
Threat Event?
Blind Spots for Investigations
Dependencies
Network Connections
Other relevant information for investigation
Chkdsk.exe
Network connection and drops/executes a malicious file.
Activity
Malicious File starts chkdsk.exe
Activity
Create, execute and network connection
IOC?
Application X generated and executed an unknown application Y….
PDF created
Execution
Application X was executed by application Y
IOC Vulnerability
Application with vulnerability
IR with CTR – Example
Network
Established network connections
Unknown PE
Application “unknown” was executed by a.exe.
IR with CTR – Response (Retrospection)