
Uploaded by lynga, posted on 07-Sep-2018

TRANSCRIPT

Tue Frei Nørgaard & Jesper Rathsach

Consulting systems engineers, Cisco Security North Team

22nd of March 2018

Cisco Annual Security Report, Firepower and TTT.

Cisco Techupdate March 2018

Today's Agenda

• Introduction

• Cisco Annual Security Report

• AMP for Endpoint Exploit Prevention

• Firepower update

• Tips and Tricks

• Q & A

Jesper Rathsach

Consulting systems engineer, Cisco Security North team

20th of March 2018

Cisco Annual Security Report 18

2018 Annual Cybersecurity Report

• Unprecedented levels of sophistication and impact

• Becoming more adept at evasion

• Exploiting new technology security gaps

• Defenders: Investing in Protecting their Organizations
  • Reliance on automation, machine learning, AI
  • Majority of organizations are leveraging behavior analytics to ID, mitigate against bad actors

• Attackers: The Maturing Tradecraft
  • Field testing of malware and deployment
  • Obfuscation of command and control
  • Use of cloud
  • Network-based ransomware
  • Vulnerabilities and patch management
  • IOT and DDoS

Cisco 2018 Annual Cybersecurity Report Highlights

Malicious Binaries and Encryption

Attackers embrace encryption to conceal their command-and-control activity (chart, November 2016 to October 2017):

• Global encrypted web traffic: from 38% in November 2016 to 50% in October 2017 (12% increase)
• Malicious sandbox binaries with encryption: from 19% in November 2016 to 70% in October 2017 (268% increase)

Malicious Documents in Email

Compared usage of malicious attachments from the first portion of 2017 (January-May) to the second (June-October):

• Office: 55%
• Archive: 415%
• PDF: 255%

Sandbox Evasion Patterns

Attackers are constantly testing sandbox evasion techniques (chart: volume of malicious samples vs. total samples using the Document Close and Doc Embedded in PDF evasions, October 2016 to October 2017).

Network-based Ransomware

Network-based ransomware worms: WannaCry and Nyetya were rapid-moving, self-propagating network-based attacks. With active, unpatched machines, these automated worms will attack again. Have you secured your network?

The Cloud: Organizations increase reliance on the cloud

53% manage over half of their infrastructure in the cloud.

Appeal:

• Ease of use (46%)
• Scalability (48%)
• Lack of internal workforce (41%)
• Better security (57%)

IoT and DDoS

• Application-layer attacks are rising, network-layer attacks are declining
• Burst attacks are increasing
• Amplification attacks: complexity, frequency, duration

2/5 of businesses experienced a reflection amplification attack in 2017; 2/3 of those organizations mitigated the attacks.

Source: Radware

Malicious Use of Legitimate Resources

Cybercriminals are adopting command-and-control channels that rely on legitimate Internet services, making malware traffic almost impossible to shut down. Properties listed on the slide:

• Adaptability
• Subverts domain and certificate intelligence
• Easy setup
• Whitelisted IP address
• Reduce burning infrastructure
• Leverage encryption for C2

Source: Anomali

Exposed Development Systems

Percentage of DevOps servers left WIDE OPEN is creating a huge ransomware risk:

• Memcache: 80%
• MongoDB: 100%
• CouchDB: 75%
• Docker: 20%
• Elasticsearch: 75%

To reduce risk of exposure to DevOps ransomware attacks:

• Develop solid standards for secure deployment
• Maintain active awareness of the company’s public infrastructure
• Keep DevOps technologies up to date and patched
• Conduct vulnerability scans

Source: Rapid7

Insider Threat: Machine learning algorithms can greatly help detect internal malicious actors

• 62% occur outside of normal work hours
• 5200 docs per user
• PDFs were the most common file type
• “Data” was the most popular keyword in doc titles
• High* accuracy of malicious activity detection since June 2017

IT/OT Attack Sentiment

• 69% of organizations believe OT is a viable attack vector in 2018
• 20% believe it will be eventually
• 10% believe it will remain in IT alone

ICS Vulnerabilities

• Being connected to the Internet
• Known vulnerabilities rarely patched
• Lack of knowledge
• Too specialized
• USB or DVD as entry point

Threat actors are actively engaged in researching pivot points to facilitate future attacks.

Source: TrapX

We need a better way to improve patch management processes

High Severity Vulnerabilities and Patch Management

High severity is driven by headlines (chart: number of MS17-010 detections per month):

• Microsoft warns of vulnerability
• Exploited vulnerability makes headlines
• Patches double as organizations realize potential threat

Source: Qualys

Alerts

• 93% experienced a security alert; 8% experienced NO security alert
• 56% of alerts are investigated; 44% of alerts are NOT investigated
• 34% of investigated alerts are legitimate
• 51% of legitimate alerts are remediated; 49% of legitimate alerts are NOT remediated

Uninvestigated alerts still create huge business risk.

Defenders Still Favor Best of Breed

72% use best-of-breed vs. 28% use a single vendor solution.

Challenges and Obstacles

• 27% Lack of trained personnel (5%)
• 34% Budget
• 27% Compatibility issues
• 27% Certification requirements

Further changes shown on the chart: (5%), (5%), (2%)

• Mobile devices: 57% find very and extremely challenging to defend
• Data in public cloud: 56% find very and extremely challenging to defend
• User behavior (for example, clicking malicious links in email or websites): 56% find very and extremely challenging to defend
• Data center/servers: 56% find very and extremely challenging to defend

Key Constraints vs. Key Functions: Strategic, Operational, and Tactical Issues

• 26% can be addressed by products alone
• 74% might also require people and/or processes to address

People, Products, Policies: an overemphasis on product solutions can leave openings for attackers.

The Need for Outsourcing: In order to keep up, organizations are looking for outside help

Most frequently outsourced services:

• 54% Consulting (up 3%)
• 49% Monitoring (up 5%)
• 47% Incident Response (up 2%)

Market Expectations and Emerging Capabilities

Outcomes, Investment, Technology

Market Expectations: Threat Landscape

The threat landscape will remain complex and challenging

• Few predict radically new threats on the horizon, but they see more capable and more diabolical bad actors
• Believe they’ll need ever more sophisticated security arsenals to keep them at bay

Market Expectations: Modern Workplace

The modern workplace will continue to create conditions that favor the attackers

• The footprint security executives must secure continues to expand
• Employees increasingly carry their work (and the company’s data) with them wherever they go—a well-documented source of exposure
• Clients, partners and suppliers all need secure access to corporate resources
• With the increasing deployment of IoT sensors, etc., companies’ interfaces to the internet will multiply dramatically

Market Expectations: Scrutiny

Additional scrutiny of their ability to secure the organization

• Many expect they’ll be under additional scrutiny—from regulators, executives, stakeholders, partners and clients
• Top scrutiny from Executive Leadership, Clients, and Business Partners (76%, each)
• Several CISOs mention that the need to meet others’ expectations for accessibility puts increasing strains on staff
• Current and potential clients can be particularly demanding of information regarding security processes and protocols

Market Expectations: Breaches Drive Budget

Budgets will remain stable, unless a security breach drives unexpected investment

• 51%: Budgets based on previous year’s budget
• 51%: Organization’s security outcome objective
• 46%: Percent of revenue
• 47%: Breach drove improvements to a great extent

Market Expectations: AI and Machine Learning

More spending on AI/ML capabilities

• AI, ML and automation are all increasingly desired and expected
• 83%: Reliant on automation to reduce the level of effort to secure the organization
• 74%: Reliant on AI to reduce the level of effort to secure the organization
• CISOs expect to take increasing advantage of AI and robotics

Market Expectations: Safeguards

Spending more on safeguards for protecting critical systems

• 22.3% Protection
• 21.9% Identification
• 19.3% Detection
• 18.2% Recovery
• 18.1% Response

Market Expectations: Outsourcing

More reliance on outsourcing services

• 53%: More cost efficient

• 52%: Desire for more unbiased insight

• 51%: More timely response to incidents

Observed Threats and TTD: Cloud-based security technology has been a key factor in helping Cisco maintain a low median despite an increase in threat samples

Cisco annual median TTD (hours): 37.1 in 2015, 14 in 2016, 4.6 in 2017.

Number of observed threat samples: 10x increase from 2016 to 2017.

Adversary tactics are continuously evolving, using encryption and legitimate Internet services to conceal their activity and undermine traditional security technologies.

Lead from the top: executives/board set the security tone, culture

Top 7 Actions:

1. Educate by roles for maximum benefit
2. Adhere to corporate policies, practices for application, system, and appliance patching
3. Assume ownership of IoT device security and add scanning for these devices to security reviews
4. Review, practice security response procedures
5. Back up data often, test restoration procedures
6. Review third-party efficacy testing of security technologies to reduce risk of supply chain attacks
7. Conduct security scanning of micro-service, cloud service, and application administration systems

Conclusion/Recommendations

2018 Annual Cybersecurity Report

• Unprecedented levels of sophistication and impact

• Becoming more adept at evasion

• Exploiting new technology security gaps

Download the Cisco 2018 Annual Cybersecurity Report: cisco.com/go/acr2018

Jesper Rathsach

Consulting systems engineer, Cisco Security North team

20th of March 2018

Exploit detection

Cisco AMP For Endpoint

Memory attacks penetrate via endpoints and malware evades security defenses by exploiting vulnerabilities in applications and operating system processes

Most attacks operate in the memory space of the exploited application and remain untouched by existing solutions once they gain access to the memory

Advanced Attack Execution (diagram labels): Memory, App/OS vulnerabilities, Data center, Endpoint, Network, FW / GW / IPS / IDS, AV, Command & Control Server, Disk, Malware, Perimeter.

Time to detection, shorter to longer (diagram of AMP for Endpoint layers):

• In Memory: Exploit Prevention
• On Disk: AMP Cloud, TETRA, Custom Detections
• Post-Infection: DFC, CTA, Server Side IOC, Client Side IOC

Exploit Prevention

STEP 1 (trusted code, system resources): A user activates the application, which loads to the memory space.

STEP 2 (new system resources, decoy system resources): Making the memory unpredictable to attack by manipulating the memory structure. Done on the fly each time it loads; one-way randomization with no key. Make the process aware that there is a legitimate new memory structure. Keep a dummy of the original structure. The application starts running as usual.

STEP 3 (malicious code injection): Any code that tries to access the original memory structure, not aware of the changes, is malicious by default!

STEP 4 (trap, decoy): The attack is immediately trapped during the initial exploit and saved for further investigation.

Coverage

Zero-day, one-day, exploit based malware, shellcode, PowerShell, attacks on unpatched vulnerabilities are prevented. For example:

• All web-borne attacks
• All malicious files such as Adobe and Office documents
• Malicious sites containing Flash, Silverlight and JavaScript attacks
• Attacks on Java that use shellcode to run payload (all recent attacks)
• Vulnerabilities exploited by file-less and non-persistent malware
• Ransomware, Trojan, Macros using in-memory techniques

© 2017 Cisco and/or its affiliates. All rights reserved.

Today's Agenda

• Firepower new stuff

• Tue’s tips and tricks

• Q & A

• Thanks for today and see you again


System Improvements and Quality in 6.2.3 (expected release date: 29/3-2018)

• Customer Found Issues and Escalations: major reduction of open CFDs
• Improved Upgrade Experience: upgrade times improved; improved upgrade reliability; single shot upgrade from 6.1 to 6.2.3
• High Availability: improved reliability and configuration sync
• Policy Apply: common Snort restarts removed, users alerted if required; reliability and >50% performance improvements
• Context Explorer: query times improved drastically


Firepower 6.2.3, ASA 9.9.2

Firepower 6.2.3 Features (March 2018)

• New FDM capability for commercial/midmarket: IPS tuning, SSL decryption, Security Intelligence, FlexConfig, troubleshooting CLI console, KVM
• FDM APIs, APIs allowing control and orchestration: FMC APIs for NAT, routing, HA; publication of the FTD API
• Customer Health Score: telemetry from FMC and FTD; a framework to eventually enable us to determine customer needs for an improved experience
• IPv6 improvements: SNMP and RADIUS support for IPv6

Firepower 6.2.3.x Features (target 1H CY2018)

• SSL HW Decrypt

ASA 9.9.2 Features (March 2018)

• Man-in-the-middle and known key decryption
• Enabled via command line on 4100/9300 devices
• Will be enabled by default in a future release

Firepower API usage

SSL Hardware Decryption

• Currently SSL decryption is performed in software
• Leverage crypto hardware already present on new platforms
• Delivered as part of 6.2.3.x
• Targeted for these platforms:
  • Firepower Threat Defense on 4100/9300 and 5525/5545/5555
  • 2100 - roadmap

Result: ~2-3X performance improvement over software alone


Policy Apply Improvements

• Prevention of virtually all connection drops with Snort flow preservation
• Snort restart scenarios eliminated or warnings added
• Warnings on policy applies that require a Snort restart

Result: Virtually all traffic impact eliminated

Restarts eliminated: Access Policy, NAP & Intrusion Policy, App Detectors & App-ID, Security Intelligence*, URL & File Policy, Simple SRU Update, FTD HA Setup

Restart warnings: SSL Policy, Captive Portal, File Policy, MTU, SRU Updates (shared objects), VDB*, NAP (Adv), Custom App Detectors, Upgrades

*Added in 6.2.3


Warnings About Inspect Interruption on Policy Apply


Upgrade Improvements in 6.2.3

Single-Step Upgrade (6.1, 6.2, 6.2.3)
• Single-step upgrade from 6.1 (and interim versions) to 6.2.3
• For FMC, FTD, Firepower Services, 7000/8000 Series

Backward Management
• 6.2.3 installed on all new systems by default
• 6.2.3 FMC will manage as far back as 6.1 devices
• FMC Push feature reduces software installation time

Result: Much easier, less time-consuming upgrade process


Firepower Device Manager Releases: simple, easy management

Introduced in 6.1
• Easy initial device setup
• Wizard based guided configurations
• Firewall configurations – interfaces, NAT, static routing
• Unified Access Control Policy
• Captive Portal for user identity
• Pre-defined IPS and malware policies
• Topology view
• Intuitive GUI-based dashboard and monitoring
• Real time logging

6.2.3
• IPS signature tuning for false positives
• Cisco Security Threat Intelligence for early protection
• SSL decryption in software for encrypted traffic
• Built-in CLI console for troubleshooting
• Device APIs for automation/orchestration
• Support for FTDv on KVM

6.2.X
• Support for FTDv on VMware
• Site-to-site VPN for branch deployments
• Remote Access VPN for mobile users using AnyConnect

FDM vs FMC: Firepower Management Center (off-box) vs Firepower Device Manager (on-box)

Features compared on the slide (the per-product support marks did not survive extraction; some FDM entries are marked 6.2.3 or partial): NAT & routing; access control; intrusion & malware; device & events monitoring; VPN - site to site & RA; Security Intelligence; other policies: SSL, identity, rate limiting (QoS) etc.; active/passive authentications; firewall mode (FMC: routed / transparent, FDM: routed); threat intelligence & analytics; correlation & remediation; risk reports; device setup wizard; interface port-channel; high availability.


FDM DEMO


Tue’s Tips and Tricks

(Word cloud on the slide: ISE, FMC, ASA, ESA, ISR, FTD, CSM, API, ACS, ASR, AAA, MAC, MAB, ACL, IOS)

Firepower

• Recommended software versions

• Logging Best Practices

• Intelligent application bypass

• Exclude flows from snort inspection

• Variable sets

• Q & A


Firepower

Recommended software versions

• Software selection is a highly tailored process

• Delicate balance between desired features and code stability

• Dependent on platform, traffic patterns, and other device interoperability

• A comprehensive network overview and a thorough bug scrub is required

• Ongoing certification and re-evaluation process ownership

• AS has tools to provide tailored recommendation. AS must be engaged for tailored recommendations.

• If not AS; GSSO, in consultation with customer’s network stakeholders, should provide tailored recommendation.

• TAC or BU may suggest an upgrade path for known defects only

• The final recommendation must be based on a customer deployment

Tailored or Custom Software Recommendation

Current Best Practices

Release 6.2.0.5
• Deployment: existing installations; new customer deployments
• Why: stable, fifth maintenance release. Flow preservation for existing flows in case of Snort restart or reload (flow preservation is not available in 6.2.2). Customer prefers connectivity over security on Snort restart or reload. 6.2.2 is new in the field.

Release 6.2.2.2
• Deployment: new customer deployments; FPR 2100s; existing installations if the customer needs new features (RA VPN, CTID)
• Why: customer is planning to prominently use scenarios solved by Snort reload. Customer prefers security over connectivity. Has 2100s.

• Balance new features against code stability with ASA

• ASA 9.6(3.latest) or wait for ASA 9.6(4.latest) for conservative customers

• ASA 9.8(2.24 or later) for longevity and feature velocity

• Pick latest compatible FXOS based on Logical Device Support

Additional - ASA Code recommendation

• FXOS 2.3(1.66): ASA 9.6.3, 9.6.4, 9.7.1, 9.8.1, 9.8.2, 9.9.1

Logging Best Practices

• Do not log at the beginning and end of the connection
• Avoid logging for noisy protocols:
  • DNS
  • NTP
  • Routing traffic
  • Monitoring rules
  • Logging of monitoring tools

Intelligent Application Bypass

• Snort is a single-threaded process for traffic processing
• Uses data already available
• Test/On modes
• Configurable thresholds

Intelligent Application Bypass

• Every Performance Sample Interval, monitor the Inspection Performance Thresholds
• Once one of the Inspection Performance Thresholds is reached, determine which flows to bypass based on the Flow Bypass Thresholds

Exclude flows from Snort inspection

• First thing when starting to tune an NGFW/NGIPS:
  • VOIP
  • Scanner
  • Backup
  • Routing traffic
• Current limitation: not possible to create Layer 2 prefilter rules

Exclude flows from Snort inspection

• Prefilter rules:
  • Fastpath traffic from Lina+Snort inspection
  • Prefilter rules cannot be configured on the default Prefilter Policy

Exclude flows from Snort inspection

• Trust rules:
  • Lina checks, bypasses Snort inspection only
  • Can be defined based on L4-L7 parameters

Variable Set configuration

• Most IPS rules are based on variables like HOME_NET:
  • alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
  • alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
• Defining EXTERNAL_NET
  • Cisco recommendation: !$HOME_NET
  • Might not detect peer to peer events
• If using non-standard ports, they should be defined as well
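To make the two caveats above concrete, here is an added example (not Cisco's or Snort's code) that evaluates the slide's rule header against a few constructed flows under different variable sets. The variable names are the ones from the slide; the network ranges, ports and flows are constructed sample values, and the small resolver only understands the subset of Snort's variable syntax used here (any, $VAR, !$VAR and literal lists).

```python
"""Evaluate a Snort rule header against sample flows under different variable sets.

Added example, not Cisco's or Snort's code. Only the subset of Snort's
variable syntax used on the slide is supported: "any", "$VAR", "!$VAR"
and literal lists of CIDRs / ports.
"""
import ipaddress
import re

# Constructed variable sets (assumed enterprise layout, not real values).
VARSET_RECOMMENDED = {
    "HOME_NET": ["10.0.0.0/8", "192.168.0.0/16"],
    "EXTERNAL_NET": "!$HOME_NET",        # the Cisco recommendation from the slide
    "HTTP_SERVERS": ["10.1.1.10", "10.1.1.11"],
    "HTTP_PORTS": [80, 8080],
}
# Same set with EXTERNAL_NET = any: the rule also covers internal-to-internal traffic.
VARSET_ANY_EXTERNAL = dict(VARSET_RECOMMENDED, EXTERNAL_NET="any")
# Same as recommended, with a non-standard web port added to HTTP_PORTS.
VARSET_EXTRA_PORT = dict(VARSET_RECOMMENDED, HTTP_PORTS=[80, 8080, 8443])

# Constructed flows: from the Internet, internal peer to peer, and from the
# Internet to a web server listening on a non-standard port.
FLOWS = {
    "internet_to_web":  {"proto": "tcp", "src": "203.0.113.5", "sport": 51000, "dst": "10.1.1.10", "dport": 80},
    "peer_to_peer":     {"proto": "tcp", "src": "10.2.3.4",    "sport": 49152, "dst": "10.1.1.10", "dport": 8080},
    "nonstandard_port": {"proto": "tcp", "src": "203.0.113.9", "sport": 52000, "dst": "10.1.1.11", "dport": 8443},
}
RULE = "alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS"

HEADER_RE = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*$")


def resolve(value, variables):
    """Resolve a variable reference to (negated, items); items is "any" or a list."""
    if isinstance(value, list):
        return False, value
    value = value.strip()
    if value == "any":
        return False, "any"
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if value.startswith("$"):
        inner_neg, items = resolve(variables[value[1:]], variables)
        return negated != inner_neg, items   # !$VAR flips the variable's own sense
    return negated, [value]                  # a bare literal such as 10.0.0.0/8 or 80


def match_net(value, variables, addr):
    negated, nets = resolve(value, variables)
    if nets == "any":
        hit = True
    else:
        ip = ipaddress.ip_address(addr)
        hit = any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
    return hit != negated


def match_port(value, variables, port):
    negated, ports = resolve(value, variables)
    hit = True if ports == "any" else int(port) in [int(p) for p in ports]
    return hit != negated


def rule_matches(header, flow, variables):
    """True when the rule header (action proto src sport -> dst dport) covers the flow."""
    m = HEADER_RE.match(header)
    if not m:
        raise ValueError(f"unsupported rule header: {header!r}")
    _action, proto, src, sport, dst, dport = m.groups()
    if proto not in ("any", "ip") and proto != flow["proto"]:
        return False
    return (match_net(src, variables, flow["src"]) and match_port(sport, variables, flow["sport"])
            and match_net(dst, variables, flow["dst"]) and match_port(dport, variables, flow["dport"]))


def coverage(variables, rule=RULE, flows=FLOWS):
    """Map each sample flow name to whether the rule would fire under this variable set."""
    return {name: rule_matches(rule, flow, variables) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, varset in (("!$HOME_NET", VARSET_RECOMMENDED), ("any", VARSET_ANY_EXTERNAL),
                          ("!$HOME_NET + port 8443", VARSET_EXTRA_PORT)):
        print(f"EXTERNAL_NET = {label}: {coverage(varset)}")
```

With EXTERNAL_NET = !$HOME_NET the rule fires on the Internet-sourced flow but not on the internal peer-to-peer one, which is the gap the slide warns about; setting it to any closes that gap at the cost of inspecting every internal flow. The 8443 flow is missed by both sets until the port is added to HTTP_PORTS, which is the non-standard-ports point.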


Access Control Policy: Rules ordering to improve performance

ACP rules ordering to improve performance

1. Trust rules should always be at the top of the policy
2. Rules which use IP and port should always be above rules that require application control or a database mapping lookup (i.e. user, URL, Geo, etc.)
3. Block rules should be above allow rules when at all possible to exit detection sooner
4. URL based rules should be above application based rules as we can see the URL sooner in the session
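The four guidelines can be turned into a policy lint. The following is an added example (not Cisco's code, and not how FMC evaluates rules internally): each rule is described by its action and the kinds of match criteria it uses, and the checker reports every pair of rules whose order contradicts a guideline and proposes a compliant order. The sample policy and the criteria names ("ip_port", "app", "user", "url", "geo") are constructed for the example.

```python
"""Lint the order of access control rules against the four ordering guidelines.

Added example, not Cisco's code. Each rule records its action and which kinds
of match criteria it uses: "ip_port" criteria are cheap to decide, while app,
user, URL and geo criteria need application identification or a database lookup.
"""
EXPENSIVE = {"app", "user", "url", "geo"}

# Constructed sample policy, deliberately in a poor order.
SAMPLE_POLICY = [
    {"name": "Allow-Web-Apps", "action": "allow", "criteria": {"app"}},
    {"name": "Block-Malware-URLs", "action": "block", "criteria": {"url"}},
    {"name": "Allow-DNS-Servers", "action": "allow", "criteria": {"ip_port"}},
    {"name": "Trust-Backup-Traffic", "action": "trust", "criteria": {"ip_port"}},
    {"name": "Block-Bogons", "action": "block", "criteria": {"ip_port"}},
]


def stage(rule):
    """How far into a session a rule can be decided: 0 trust, 1 IP/port, 2 URL, 3 app/user/geo."""
    if rule["action"] == "trust":
        return 0
    if not (rule["criteria"] & EXPENSIVE):
        return 1
    if "url" in rule["criteria"] and "app" not in rule["criteria"]:
        return 2
    return 3


def sort_key(rule):
    """Guidelines 1, 2 and 4 via stage; guideline 3 puts block before allow within a stage."""
    return (stage(rule), 0 if rule["action"] == "block" else 1)


def explain(earlier, later):
    """Name the guideline that says `later` should sit above `earlier`."""
    s_e, s_l = stage(earlier), stage(later)
    if s_l == 0:
        return "trust rules belong at the top of the policy (guideline 1)"
    if s_l == 1 and s_e > 1:
        return "IP/port rules belong above app/user/URL/geo rules (guideline 2)"
    if s_l == 2 and s_e == 3:
        return "URL-based rules belong above application-based rules (guideline 4)"
    return "block rules belong above allow rules (guideline 3)"


def check_order(policy):
    """Return (later_rule, earlier_rule, reason) for every pair that violates the guidelines."""
    violations = []
    for i, earlier in enumerate(policy):
        for later in policy[i + 1:]:
            if sort_key(later) < sort_key(earlier):
                violations.append((later["name"], earlier["name"], explain(earlier, later)))
    return violations


def suggest_order(policy):
    """Stable sort: rules that already respect the guidelines keep their relative order."""
    return sorted(policy, key=sort_key)


if __name__ == "__main__":
    for later, earlier, reason in check_order(SAMPLE_POLICY):
        print(f"move '{later}' above '{earlier}': {reason}")
    print("suggested order:", [r["name"] for r in suggest_order(SAMPLE_POLICY)])
```

The sort is stable on purpose: reordering only what the guidelines require keeps the policy recognisable to whoever wrote it, and the violation list gives the reviewer a reason for every proposed move.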


ACP rules ordering to improve performance

• What analysis is done to packets before the ACP rule can be determined? Inspection is determined by the “Intrusion Policy used before Access Control rule is determined”.

A couple of things worth remembering!!

Air-gapped network:

My management network has no internet access – what do I do about licenses then?

ASA: Order PLR* licenses from the start.

FTD: Talk to Cisco DK about the beta of the Smart Licensing Satellite server for PLR* licenses.

*Permanent License Reservation

Fixed software versions for : cisco-sa-20180129-asa1

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1


Seminar calendar for 2018 – first half

Q & A