Advanced Threat Detection Szilard Csordas IT Security Consultant Cisco

Post on 30-Apr-2020


Page 1: Advanced Threat Detection … · System Process Protection In Memory • Session Manager Subsystem (smss.exe) • Client/Server Runtime Subsystem (csrss.exe) • Local Security Authority

Advanced Threat Detection

Szilard Csordas

IT Security Consultant

Cisco

Page 2:

Page 3:

Page 4:

Limits Of Preventive Security – 10%

Source: AMP & Threat Grid Research and Efficacy Report 12/2016

Chart: detection rate (axis 0% to 100%) by month, 2016-07 to 2016-12; series: Detection and Retrospective Detection.

Page 5:

Encryption is changing the threat landscape

Chart: percentage of the IT budget earmarked for encryption (Source: Thales and Vormetric), FY05 to FY15, with a straight-line projection for 2016 and 2017 under extensive deployment of encryption; values shown on the chart, in the order extracted: 16%, 20%, 19%, 22%, 23%, 23%, 25%, 27%, 30%, 34%, 41%, 60%, 50%.

Chart: percentage of malware, Dec to May (based on Cisco Threat Grid analysis, 2017); axis labels 10% and 25%.

Gartner predicts that by 2019, 80% of all traffic will be encrypted.

Page 6:

Image: https://www.nutech.net/assets/images/nutech-security-onion-3-2012x1146-99.jpg

Page 7:

https://cybersec.buzz/endpoint-security-sizzling-however/

Page 8:

AVG can sell your browsing and search history to advertisers. http://www.wired.co.uk/article/avg-privacy-policy-browser-search-data

Page 9:

Is security software becoming a security risk?

Page 10:

Page 11:

AMP for Endpoints

Prevent: prevent attacks and block malware in real time

Detect: continuously monitor for threats on your endpoints to decrease time to detection

Respond: accelerate investigations and remediate faster and more effectively

Page 12:

AMP History

Founded in 2008

In 2011 acquired by

In 2014 acquired by

Page 13:

http://www.immunet.com

Page 14:

AMP for Endpoints main features

• Prevention, Monitoring + Detection, Response

• Deep Visibility, Context, and Control if something gets in

• Continuous Analysis of File Behavior and Retrospective Security

• Built-in AV Detection Engine for customers that want to consolidate their antivirus and advanced endpoint protection in one agent: Next-gen EP (EDR+EPP)

• Containment and quarantine on endpoint

• Built-in sandbox powered by Threat Grid

• Open APIs for seamless integration

• Agentless protection via CTA

• AMP Visibility

• AMP Unity

• Protection Engines (exploit prevention, system process protection)

• Malicious Activity Protection (focusing on Ransomware)

Platforms: PC, Mac, Linux, Mobile

Page 15:

Time To Detection (scale: shorter to longer): AMP for Endpoints vs. Classic AV

Page 16:

Exploit Prevention In Memory

Diagram (Inside the Memory Space): trusted code is pointed at new system resources, while decoy system resources act as a trap for malicious code injection.

• Make the memory unpredictable by changing the memory structure

• Make the app aware of the legitimate memory structure

• Any code accessing the old memory structure is malware!

Page 17:

System Process Protection In Memory

• Session Manager Subsystem (smss.exe)

• Client/Server Runtime Subsystem (csrss.exe)

• Local Security Authority Subsystem (lsass.exe)

• Windows Logon Application (winlogon.exe)

• Windows Start-up Application (wininit.exe)

Protects system processes from being compromised through memory injection attacks by other processes.

Evaluates the desired process/thread access and truncates potentially dangerous access rights from the desired-access list before invoking the original system call.
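The "truncate dangerous access rights" step described above, modelled as an added example (this is not Cisco's AMP code): a plain Python function stands in for the hooked OpenProcess/OpenThread call, the PROCESS_* constants are the documented Windows values from winnt.h, and the protected-process list is the one on the slide. Which bits count as "dangerous" is the author's assumption, chosen to match the slide's stated threat of memory injection.

```python
"""Model of the access-right truncation described on the slide.

Added illustration, not Cisco's AMP code: a Python function stands in for the
hooked OpenProcess/OpenThread call.  The PROCESS_* constants are the documented
Windows values from winnt.h; the protected-process list is the one on the slide.
"""
from __future__ import annotations

# Documented Windows process access rights (winnt.h).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_SET_INFORMATION = 0x0200
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF  # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF

RIGHT_NAMES = {
    PROCESS_TERMINATE: "PROCESS_TERMINATE",
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE",
    PROCESS_SET_INFORMATION: "PROCESS_SET_INFORMATION",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
    PROCESS_SUSPEND_RESUME: "PROCESS_SUSPEND_RESUME",
    PROCESS_QUERY_LIMITED_INFORMATION: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# Processes the slide lists as protected.
PROTECTED_IMAGES = {"smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "wininit.exe"}

# Assumed "dangerous" set: rights that let a caller write into, alter or run
# code in the target, i.e. the building blocks of memory injection.  Plain
# memory reads and queries are left alone here; read access to lsass.exe is a
# separate credential-theft concern that this particular check does not cover.
INJECTION_RIGHTS = (
    PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    | PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME
    | PROCESS_TERMINATE
)


def truncate_access(target_image: str, desired_access: int) -> tuple[int, int]:
    """Return (granted, removed) for an open request against target_image.

    Requests against unprotected processes pass through unchanged.  For a
    protected process the injection-capable bits are stripped, and the trimmed
    mask is what would be handed on to the original system call.
    """
    if target_image.lower() not in PROTECTED_IMAGES:
        return desired_access, 0
    removed = desired_access & INJECTION_RIGHTS
    return desired_access & ~INJECTION_RIGHTS, removed


def right_names(mask: int) -> list[str]:
    """Human-readable names for the bits set in mask (for an audit log line)."""
    return [name for bit, name in sorted(RIGHT_NAMES.items()) if mask & bit]


if __name__ == "__main__":
    # Constructed request: a debugger-style open of lsass.exe asking for
    # read + write + query.  Only the write bit is removed.
    want = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION
    granted, removed = truncate_access("lsass.exe", want)
    print(f"granted=0x{granted:04x} removed={right_names(removed)}")
```

The function returns the removed bits as well as the granted mask so that a caller can log what was stripped; in a real hook that log line is the detection signal, since legitimate software rarely asks for thread-creation or memory-write rights on lsass.exe or csrss.exe.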

Diagram of the Lsass architecture: Winlogon; LSA server (LSA policy, Msv1_0.dll, Kerberos.dll, Netlogon to Active Directory); SAM server (SAM); Active Directory.

Page 18:

In Memory

Page 19:

Beta Testing New Engine in AMP Leads to Discovery: CCleaner Serving Malware

• New exploit detection technology identified an executable triggering our advanced malware protection systems

• Malicious payload featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality

In Memory

Page 20:

Malicious Activity Protection (beta)

• Cloud-side Indicators of Compromise (IoCs)

• Defines a set of activities that, when observed on an endpoint, lead us to believe the endpoint has been compromised/infected

• These are run in the AMP cloud currently

• We are copying a subset of the Cloud IoCs into the endpoint

• Monitor only in the beta release; beta will be coming soon

• Will eventually move to blocking capability

• Tuned and focused on Ransomware initially

• Looks for encryption behaviors, catching 80-90% in the labs so far

• You have to see the encryption start, so will always lose a few files

• Would have stopped WannaCry in its tracks, when in blocking mode

On Disk
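What "looking for encryption behaviors" can mean in detection logic, as an added example that is not the Malicious Activity Protection engine: a process is flagged once it has rewritten several distinct files with high-entropy content inside a short window. The file-write events are constructed for the example, the entropy, file-count and window thresholds are the author's assumptions rather than product values, and the report deliberately lists the files already rewritten when the threshold was crossed, which is the slide's point that a few files are always lost.

```python
"""Detection logic for the ransomware behaviour the slide describes: encryption
activity that can only be recognised after it has started.  Added illustration,
not the Malicious Activity Protection engine; the events below are constructed
and the thresholds are assumptions, not product values.
"""
from __future__ import annotations

import math
import random
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit near 8.0
FILES_THRESHOLD = 5       # distinct high-entropy files from one process ...
WINDOW_SECONDS = 10.0     # ... within this sliding window raises an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the written content sample."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events):
    """events: (ts, pid, image, path, content_sample) file-write records.

    Returns one alert per offending process.  'files_before_block' lists the
    files already rewritten when the threshold was crossed: in blocking mode
    those are the files that would be lost before the process is stopped.
    """
    recent: dict[int, deque] = defaultdict(deque)
    alerted: set[int] = set()
    alerts = []
    for ts, pid, image, path, sample in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(sample) < ENTROPY_THRESHOLD:
            continue                      # ordinary document content: ignore
        window = recent[pid]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()              # drop writes outside the window
        touched = sorted({p for _, p in window})
        if len(touched) >= FILES_THRESHOLD and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "image": image, "detected_at": ts,
                           "files_before_block": touched})
    return alerts


def constructed_events():
    """Constructed sample: a word processor saving plain text, then a process
    (named after the sample on the trajectory slide) rewriting the same
    documents with pseudo-random bytes one second apart."""
    rng = random.Random(2024)  # deterministic stand-in for ciphertext
    text = b"Quarterly report, draft 3. Revenue grew in all regions.\n" * 16
    events = []
    for i in range(8):
        doc = f"C:\\Users\\Admin\\Documents\\doc{i}.docx"
        events.append((100.0 + i, 200, "winword.exe", doc, text))
        cipher = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append((200.0 + i, 777, "Promotion.pdf.exe", doc + ".locked", cipher))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(constructed_events()):
        print(alert["image"], "pid", alert["pid"], "flagged at", alert["detected_at"],
              "after", len(alert["files_before_block"]), "files")
```

Entropy alone is a weak signal (compressed archives and images also score high), which is why the rule also requires breadth and speed: many distinct files from one process in a short window. Tuning those three thresholds against normal backup and archiving tools is where the "80-90% in the labs" figure on the slide would come from.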

Page 21:

Device Trajectory in Action (AMP for Endpoints)

Diagram: file and process nodes with edges labelled Create, Connection and Execute; each node carries its disposition (Clean, Unknown, Malicious) or an IoC flag (Suspicious Behavior, Potential Dropper):

• AcroRd32.exe [PE]

• Promotion.pdf.exe [PE]

• a.exe [PE]

• Installer.exe [PE]

• Calc.exe [PE]

• 4 [TXT]

Event, 2017-03-16 00:03:26 GST

Detected W32.Trojan.20ez.1201 as Promotion.pdf.exe

Downloaded from http://1.1.1.1

SHA256 Value (1f5a5..a41f03)

File was Quarantined Successfully.

File Path: C:\Users\Admin\My Documents\Promotion.pdf.exe

Detected by ETHOS

Event, 2017-03-15 11:03:26 GST

Outgoing connection from AcroRd32.exe

Adobe Reader 9.3.3.177 (825b7b2..2e4f82)

TCP Port 1067 to 64.59.140.93 port 80

Unknown Disposition

Post Infection
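Answering the trajectory questions (where did the file come from, what did it go on to do, which ancestors talked to the network) from endpoint events, as an added example that is not the AMP console. The event list is constructed to mirror the nodes on the slide: only the two timestamps, the detection name, the download URL and the connection details come from the page; the other timestamps and the parent/child ordering are assumptions.

```python
"""Walking a device trajectory from endpoint events.  Added illustration, not
AMP; EVENTS is constructed to mirror the nodes on the slide, with timestamps
other than the two shown on the page filled in as assumptions."""
from __future__ import annotations

from collections import deque

# (timestamp, action, actor, target, detail)
EVENTS = [
    ("2017-03-15 11:03:26", "Connection", "AcroRd32.exe", "64.59.140.93:80",
     "TCP from local port 1067; disposition unknown"),
    ("2017-03-15 11:03:40", "Create", "AcroRd32.exe", "Promotion.pdf.exe",
     "downloaded from http://1.1.1.1"),
    ("2017-03-15 11:03:45", "Execute", "Promotion.pdf.exe", "a.exe", ""),
    ("2017-03-15 11:03:50", "Execute", "a.exe", "Installer.exe", ""),
    ("2017-03-15 11:03:55", "Create", "Installer.exe", "4.txt", ""),
    ("2017-03-15 11:04:00", "Execute", "Installer.exe", "Calc.exe", ""),
    ("2017-03-16 00:03:26", "Detection", "ETHOS", "Promotion.pdf.exe",
     "W32.Trojan.20ez.1201; quarantined"),
]

PARENT_ACTIONS = {"Create", "Execute"}   # edges that establish a parent/child link


def _parents(events) -> dict[str, str]:
    return {target: actor for _, action, actor, target, _ in events
            if action in PARENT_ACTIONS}


def lineage(events, name: str) -> list[str]:
    """Chain from the root process down to name ("where did it come from")."""
    parents = _parents(events)
    chain, seen = [name], {name}
    while chain[0] in parents and parents[chain[0]] not in seen:
        chain.insert(0, parents[chain[0]])
        seen.add(chain[0])
    return chain


def descendants(events, name: str) -> set[str]:
    """Everything name created or executed, transitively ("what is it doing")."""
    children: dict[str, list[str]] = {}
    for _, action, actor, target, _ in events:
        if action in PARENT_ACTIONS:
            children.setdefault(actor, []).append(target)
    found, queue = set(), deque([name])
    while queue:
        for child in children.get(queue.popleft(), []):
            if child not in found:
                found.add(child)
                queue.append(child)
    return found


def investigate(events, detected: str) -> dict:
    """Pull the trajectory facts an analyst wants for one detected file."""
    chain = lineage(events, detected)
    involved = set(chain) | descendants(events, detected)
    origin = next((d for _, a, _, t, d in events
                   if a == "Create" and t == detected), None)
    connections = [(ts, actor, target, d) for ts, a, actor, target, d in events
                   if a == "Connection" and actor in involved]
    return {"root": chain[0], "chain": chain, "origin": origin,
            "downstream": sorted(descendants(events, detected)),
            "connections": connections}


if __name__ == "__main__":
    report = investigate(EVENTS, "Promotion.pdf.exe")
    print(" -> ".join(report["chain"]))
    print("origin:", report["origin"])
    print("downstream:", report["downstream"])
    for ts, actor, target, detail in report["connections"]:
        print("connection:", ts, actor, "->", target, detail)
```

The parent map treats both Create and Execute as lineage edges, so a dropped file and the process that later runs it are on one chain; the Connection edge is kept separate because it is the evidence of network activity, not of parentage.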

Page 22:

Advanced Malware Protection for Endpoints Post Infection

Page 23:

Post Infection

Page 24:

Complex Malware Revealed

Diagram of the infection chain: PowerShell privilege escalation; browser extension installation; stealing browser credentials; malware injection path. Would be prevented by ISE quarantine.

Post Infection

Page 25:

Diagram: AMP Cloud shared by Network Appliances (NGIPS, NGFW), Endpoints, and Content Appliances (WSA, ESA/CES, WWW); shared services: Global Trajectory, Whitelists, Simple and Custom Detections, Common Objects.

See once, protect everywhere (web proxy, firewall, email gateway, endpoint). Post Infection

Page 26:

See Everywhere That It Has Been

What happened?

Where did the malware come from?

Where has the malware been?

What is it doing?

How do we stop it?

Track infected areas in the system:

• Where is the attack now

• What other endpoints have seen it

• Where should I focus my response

• Where is still safe

Page 27:

Cognitive Threat Analytics (Post Infection)

Visibility into devices with or without AMP Connector – cover unsupported OS and IoT devices

File-less malware and ~30% more detections

Correlation with AMP for Endpoints events and links to files responsible for C2 communication

Priority rating and human readable threat descriptions with course of action

• Data Exfiltration

• C&C Communication

• HTTP(S) Tunneling

• DGAs

• Exploit Kits

Page 28:

Cognitive Threat Analytics

AMP for Endpoints ~ +30% detection

Stealthwatch NetFlow Telemetry

Post Infection

Page 29:

Cisco Stealthwatch with CTA: Extended Visibility and Behavioral Analytics

Diagram: NetFlow-exporting infrastructure and a web proxy feed the Stealthwatch Flow Collector; above it sit the Stealthwatch Management Console and Cognitive Analytics (Advanced Threat Detection, Encrypted Traffic Analytics). Post Infection; AMP for Endpoints ~ +30% detection.

Page 30:

What Metadata is sent to the cloud?


• Metadata sent from Stealthwatch to Cognitive: Initial Data Packet (IDP) and Sequence of Packet Lengths and Times (SPLT)

• Metadata is sent only for traffic that crosses the perimeter (i.e. internet-bound traffic) and DNS-based traffic

• The connection from the Stealthwatch flow collector to Cognitive is TLS encrypted.

• Most of the data sent to Cognitive is deleted within 2-4 hours of upload, once analysis is complete.

• Cognitive Analytics processes the ETA data (Enhanced NetFlow) in its production DC, with all production restrictions and security and privacy measures applied

• Deployment is aligned on the security and data governance principles applied in production

Page 31:

What Does CTA Typically Detect?

Sample report demonstrating an advanced threat visibility gap: http://cognitive.cisco.com/preview

Post Infection

Page 32:

Cognitive Analytics multi-layer machine learning


TALOS

Page 33:

• Generic – lengths, status codes, mime types

• HTTP – URLs, referrers, character distribution

• HTTPS – anomaly values, timings, context

• Global – domain/AS popularity

• External – whois, TLS certificates

~600 features per single web request

Page 34:

Automatic ISE quarantine (BRKSEC-2444)

Diagram: Device → HTTP(S) logs → CTA incident → STIX/TAXII → ISE → Quarantine

Page 35:

Encrypted Traffic Analytics (ETA), needs NetFlow: visibility and malware detection without decryption

Use case #1: Malware in encrypted traffic. Is the payload within the TLS session malicious?

• End-to-end confidentiality

• Channel integrity during inspection

• Adapts with encryption standards

Use case #2: Cryptographic compliance. How much of my digital business uses strong encryption?

• Audit for TLS policy violations

• Passive detection of ciphersuite vulnerabilities

• Continuous monitoring of network opacity

Page 36:

• HTTPS header contains several information-rich fields.

• Server name provides domain information.

• Crypto information educates us on client and server behavior and application identity.

• Certificate information is similar to whois information for a domain.

• And much more can be understood when we combine the information with global data.

Initial data packet

Diagram: IP Header | TCP Header | TLS Header (TLS version, SNI (Server Name), Ciphersuites, Certificate: Organization, Issuer, Issued, Expires)
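The fields the initial-data-packet slide names (TLS version, SNI, ciphersuites) pulled out of a ClientHello, and then checked against a crypto policy as the cryptographic-compliance use case on page 35 describes, as one added example serving both slides. This is not Cisco ETA code: the ClientHello bytes are built by a helper in the block rather than taken from a capture, the "weak suite" list and the minimum-version floor are the author's policy assumptions, and the cipher-suite numbers are the IANA-registered values.

```python
"""Parsing the TLS ClientHello fields in the initial data packet (version, SNI,
cipher suites) and auditing them against a crypto policy.  Added illustration,
not Cisco ETA code: the record is constructed by build_client_hello, the policy
is an assumption, the suite numbers are the IANA-registered values."""
from __future__ import annotations

WEAK_SUITES = {                       # assumed policy: NULL, RC4 and 3DES are out
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def _be(n: int, width: int) -> bytes:
    return n.to_bytes(width, "big")


def build_client_hello(server_name: str, suites: list[int],
                       supported_versions: list[int] | None = None,
                       legacy_version: int = 0x0303) -> bytes:
    """Constructed TLS record carrying a ClientHello (test input, not a capture)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + _be(len(name), 2) + name                # host_name entry
    exts = b"\x00\x00" + _be(len(entry) + 2, 2) + _be(len(entry), 2) + entry
    if supported_versions:                                     # extension 43
        vl = b"".join(_be(v, 2) for v in supported_versions)
        exts += b"\x00\x2b" + _be(len(vl) + 1, 2) + bytes([len(vl)]) + vl
    cs = b"".join(_be(s, 2) for s in suites)
    body = (_be(legacy_version, 2) + bytes(range(32))          # fixed 'random'
            + b"\x00"                                          # empty session id
            + _be(len(cs), 2) + cs
            + b"\x01\x00"                                      # null compression
            + _be(len(exts), 2) + exts)
    handshake = b"\x01" + _be(len(body), 3) + body
    return b"\x16\x03\x01" + _be(len(handshake), 2) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract version, SNI, offered suites and supported_versions from a record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    o = 0
    version = int.from_bytes(ch[o:o + 2], "big"); o += 2
    o += 32                                    # client random
    o += 1 + ch[o]                             # session id
    cs_len = int.from_bytes(ch[o:o + 2], "big"); o += 2
    suites = [int.from_bytes(ch[i:i + 2], "big") for i in range(o, o + cs_len, 2)]
    o += cs_len
    o += 1 + ch[o]                             # compression methods
    sni, versions = None, []
    if o + 2 <= len(ch):                       # extensions block present
        end = o + 2 + int.from_bytes(ch[o:o + 2], "big"); o += 2
        while o + 4 <= end:
            etype = int.from_bytes(ch[o:o + 2], "big")
            elen = int.from_bytes(ch[o + 2:o + 4], "big")
            data = ch[o + 4:o + 4 + elen]; o += 4 + elen
            if etype == 0 and len(data) >= 5 and data[2] == 0:       # server_name
                sni = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
            elif etype == 0x2b and data:                             # supported_versions
                versions = [int.from_bytes(data[i:i + 2], "big")
                            for i in range(1, 1 + data[0], 2)]
    return {"version": version, "sni": sni, "suites": suites,
            "supported_versions": versions}


def audit(hello: dict, min_version: int = 0x0303) -> list[str]:
    """Policy findings: highest offered version below the floor, or weak suites offered."""
    findings = []
    highest = max(hello["supported_versions"] or [hello["version"]])
    if highest < min_version:
        findings.append(f"{hello['sni']}: highest offered version is "
                        f"{TLS_NAMES.get(highest, hex(highest))}")
    for s in hello["suites"]:
        if s in WEAK_SUITES:
            findings.append(f"{hello['sni']}: weak cipher suite offered "
                            f"{WEAK_SUITES[s]} (0x{s:04x})")
    return findings


if __name__ == "__main__":
    rec = build_client_hello("legacy.example.net", [0x0005, 0x000A, 0x002F],
                             legacy_version=0x0301)
    for finding in audit(parse_client_hello(rec)):
        print(finding)
```

Everything the audit needs sits in the clear in the first packet of the session, which is the whole premise of the slide: the collector never needs the session keys. Note that a TLS 1.3 client still writes 0x0303 into the legacy version field and advertises 1.3 only in the supported_versions extension, so the version check looks at that extension first.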

Page 37:

Initial data packet


Page 38:

Sequence of packet lengths and times

Diagram: packet lengths plotted against time from flow start.

• Size and timing of the first packets allow us to estimate the type of data inside the encrypted channel.

• We can distinguish video, web, API calls, voice, and other data types from one another and characterize the source within the class.
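How a sequence of packet lengths and times turns into a feature a classifier can compare, as an added example that is not Cisco's ETA classifier: the first packets of a flow are reduced to signed lengths and inter-arrival gaps, the lengths are binned into a 10x10 transition matrix, and a new flow is labelled by the nearest reference profile. The two flows are constructed (a bulk download and a periodic low-volume beacon), and the bin count, length cap and L1 distance are the author's choices.

```python
"""Sequence of Packet Lengths and Times (SPLT) features and a nearest-profile
comparison.  Added illustration, not Cisco's ETA classifier; the flows are
constructed and the 10-bin length histogram and L1 distance are design choices
made for this example."""
from __future__ import annotations

BINS = 10
MAX_LEN = 1500   # bytes; lengths at or above the last bin edge land in bin 9


def splt(packets, n: int = 10):
    """First n packets as signed lengths (+out / -in) and inter-arrival gaps (s).

    packets: (t_seconds, length_bytes, direction) with direction 'out' or 'in'.
    """
    first = packets[:n]
    lengths = [ln if d == "out" else -ln for _, ln, d in first]
    gaps = [0.0] + [round(b[0] - a[0], 6) for a, b in zip(first, first[1:])]
    return lengths, gaps


def length_bin(length: int) -> int:
    return min(abs(length) * BINS // MAX_LEN, BINS - 1)


def transition_matrix(lengths):
    """Row-normalised BINS x BINS matrix of length-bin transitions (a Markov profile)."""
    m = [[0.0] * BINS for _ in range(BINS)]
    for a, b in zip(lengths, lengths[1:]):
        m[length_bin(a)][length_bin(b)] += 1
    for row in m:
        total = sum(row)
        if total:
            row[:] = [x / total for x in row]
    return m


def l1_distance(m1, m2) -> float:
    return sum(abs(a - b) for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))


def nearest_profile(matrix, profiles: dict) -> str:
    """Label of the reference profile closest to matrix."""
    return min(profiles, key=lambda label: l1_distance(matrix, profiles[label]))


# Constructed flows: a bulk download (one request, then full-size inbound
# segments) and a low-volume beacon (small request/reply every 5 seconds).
BULK_DOWNLOAD = [(0.000, 517, "out")] + [(0.040 + 0.001 * i, 1460, "in") for i in range(9)]
BEACON = [pkt for k in range(5)
          for pkt in ((5.0 * k, 200, "out"), (5.0 * k + 0.1, 120, "in"))]
PROFILES = {
    "bulk": transition_matrix(splt(BULK_DOWNLOAD)[0]),
    "beacon": transition_matrix(splt(BEACON)[0]),
}


def classify(packets) -> str:
    """Nearest reference profile for an unseen flow, using length transitions only."""
    lengths, _ = splt(packets)
    return nearest_profile(transition_matrix(lengths), PROFILES)


if __name__ == "__main__":
    # An unseen download with one short segment in the middle still matches 'bulk'.
    variant = ([(0.0, 517, "out"), (0.05, 1460, "in"), (0.051, 1200, "in")]
               + [(0.052 + 0.001 * i, 1460, "in") for i in range(7)])
    print(classify(variant), splt(variant)[1])
```

Only the length transitions feed the distance here; the inter-arrival gaps are returned alongside so the same binning can be applied to them, which is what separates a beacon with a fixed period from interactive traffic of the same packet sizes. Real profiles are learned from thousands of flows per class rather than one constructed flow each.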

Page 39:

Sequence of packet lengths and times

Page 40:

Cisco’s threat intelligence map

Image: http://census2012.sourceforge.net/images.html

• Who’s who of the internet’s dark side

• Models use up to 20 features of 150 million malicious, risky, or otherwise security-relevant endpoints on the internet.

• These data features include domain data, whois data, TLS certificate data, usage statistics, and behavioral data for each server.

Page 41:

Encryption Details on all Network Flows

Page 42:

Page 43:

Expanded CTA Dashboard View

Cognitive Analytics


Encrypted Traffic Analytics

BRKSEC-2809

Page 44:

Page 45:

Page 46: