
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Tim Nan

Security Business Group

May 30, 2019

Power of Cisco Advanced Threat Security


Opening Scenario


Security must work together... but too often it doesn't.

Security Operations asks: Is it bad? Why? Has it affected us? How?

Technologies and Intelligence: SIEM, Email Security, Malware Detection, Next-Gen IPS, Endpoint Security, Third-party Sources, Network Analytics, Threat Intel, Identity Management, Secure Internet Gateway, Web Security, Next-Gen Firewall


Cisco Security Portfolio


Introduction to Cisco Threat Response


Cisco Threat Response in the real world: Join Cisco Security customers who are gaining value from it now

3000+ organizations are using it today

“You cannot hit a target you cannot see. Cisco Threat Response really simplifies security analysis...”

“I like quickly being able to see infections on my network, and this presents them in a really nice fashion…”

BRKSEC-2433


Introducing Cisco Threat Response: Unleashing the power of the Cisco Integrated Security Architecture


Cisco Threat Response in action: Three simple ways to get started

Entry points:

• Casebook via Browser Plug-In
• Investigate (search interface)
• Incident Manager

Questions answered:

• Have we seen these observables? Where?
• Which endpoints connected to the domain/URL?
• Are these observables suspicious or malicious?

High-Fidelity Events from: AMP for Endpoints, Umbrella, Email Security, NGFW/NGIPS

Intelligence Sources: Umbrella Investigate, Threat Grid, Cisco Talos

Observables:

• File hash
• IP address
• Domain
• URL
• Email address
• More...


Core Threat Response Terminology and Concepts

1. Modules

2. Observables

3. Investigate UI

4. Judgements

5. Verdicts

6. Sightings

7. Indicators

8. Targets

9. Snapshots

10. Casebooks


Modules

Cisco Threat Response uses integration modules to integrate with Cisco security products and third-party tools.

Integration modules can provide enrichment and response capabilities.


Observables

Cisco Threat Response supports the quick investigation of cyber Observables, which might be domain names, IP addresses, file hashes, PKI certificate serial numbers, and even specific devices or users.

The first thing that Cisco Threat Response does with an observable is determine its disposition by aggregating what is known about that observable from the various enrichment modules configured.

The disposition tells the Incident Responder whether the observable is:

• Clean (explicitly whitelisted)
• Malicious (explicitly blacklisted)
• Suspicious (potentially harmful)
• Unknown (not currently associated with a known disposition)

Unknown observables are not enriched.


Investigate UI

Enables an incident responder to copy and paste the contents of an email, or a log message, or an incident ticket into its main search form. Cisco Threat Response will then extract all of the Observables from the supplied text.

Once the investigation is begun, either via the form shown above or via a pivot into Cisco Threat Response from another product, the UI will show the results of that investigation.
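As an added illustration (not Cisco's code) of what the Investigate UI does with pasted text, this Python extractor pulls the observable types the deck lists (URL, email address, file hash, IP address, domain) out of a constructed email snippet, refangs the "hxxp" and "[.]" notation common in threat blog IoC lists, and avoids double-reporting the domain inside a URL or address. The sample text, hash and domains are constructed, not indicators from the deck.

```python
import re

# Observable types named in the deck, in the order they are matched. Each match is
# blanked from the working text before the next pattern runs, so the domain inside a
# URL or e-mail address is not reported again as a bare domain.
PATTERNS = [
    ("url",    re.compile(r"\bhttps?://[^\s'\"<>]+", re.I)),
    ("email",  re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1",   re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5",    re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("ip",     re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+(?:[a-z]{2,})\b", re.I)),
]

# File names such as invoice.exe look like domains to the last pattern; skip these suffixes.
NOT_TLDS = {"exe", "dll", "docx", "pdf", "zip", "ps1", "php"}


def refang(text):
    """Undo the defanging used in blog posts so the IoCs match as real observables."""
    return re.sub(r"hxxp", "http", text, flags=re.I).replace("[.]", ".")


def extract_observables(text):
    """Return unique (type, value) pairs found in free text, in pattern order."""
    work = refang(text)
    found, seen = [], set()
    for kind, pat in PATTERNS:
        for m in pat.finditer(work):
            value = m.group(0).rstrip(".,;:)")
            if kind == "domain" and value.rsplit(".", 1)[-1].lower() in NOT_TLDS:
                continue
            key = (kind, value.lower())
            if key not in seen:
                seen.add(key)
                found.append((kind, value))
        work = pat.sub(lambda m: " " * len(m.group(0)), work)  # blank consumed text
    return found


# Constructed sample of the kind of text an analyst would paste into the search form.
SAMPLE = """Subject: new banking trojan IoCs (constructed sample)
C2 at hxxp://update[.]example-bad[.]test/gate.php and 203.0.113.45,
dropper invoice.exe sha256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
sender billing@mail.example-bad.test, also seen on cdn.example.org."""

if __name__ == "__main__":
    for kind, value in extract_observables(SAMPLE):
        print(f"{kind:7} {value}")
```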


Judgement

• Associates a disposition with a cyber observable at a point in time, and is valid for an explicit span of time.
• Can optionally be related to Indicators, providing further insight as to why a specific disposition was associated with that observable.
• Are given by configured data source modules, and are shown associated with those data sources, along with more information including the reason.


Verdict

Indicates the most recent and most relevant disposition for a given cyber observable, as well as the Judgement from which the verdict was derived.

Cisco Threat Response considers a clean verdict to be more reliable than a malicious verdict. The order of precedence for verdicts is as follows:

• Clean
• Malicious
• Suspicious
• Common
• Unknown

When an observable has multiple verdicts, Cisco Threat Response computes a final verdict.
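The Judgement and Verdict slides together describe a small algorithm; as an added example (not Cisco's code), this Python models it: each judgement carries a disposition, a source module and a validity window, judgements outside their window are ignored, and among the rest the highest-precedence disposition wins, with Clean ranked above Malicious exactly as the slide states and ties broken by the most recent judgement. The module names, observables and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Precedence exactly as the deck lists it: an earlier entry beats a later one.
PRECEDENCE = ["Clean", "Malicious", "Suspicious", "Common", "Unknown"]


@dataclass
class Judgement:
    observable: str                 # e.g. "sha256:<hash>" or a domain
    disposition: str                # one of PRECEDENCE
    source: str                     # module that issued it (assumed names below)
    valid_from: datetime
    valid_until: Optional[datetime] = None   # None = open-ended
    reason: str = ""


def active_judgements(judgements, observable, at):
    """Judgements for this observable whose validity span contains `at`."""
    return [j for j in judgements
            if j.observable == observable
            and j.valid_from <= at
            and (j.valid_until is None or at < j.valid_until)]


def final_verdict(judgements, observable, at=None):
    """Return (disposition, winning Judgement); ("Unknown", None) if nothing is valid."""
    at = at or datetime.now(timezone.utc)
    active = active_judgements(judgements, observable, at)
    if not active:
        return "Unknown", None
    # Lowest precedence index wins; for equal dispositions prefer the newest judgement.
    best = min(active, key=lambda j: (PRECEDENCE.index(j.disposition),
                                      -j.valid_from.timestamp()))
    return best.disposition, best


def utc(day):
    """Constructed helper: 'YYYY-MM-DD' -> aware UTC datetime."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


# Constructed sample judgements; module names are assumptions, not from the deck.
SAMPLE = [
    Judgement("sha256:abc123", "Clean", "AMP File Reputation", utc("2019-01-01"), utc("2019-03-01")),
    Judgement("sha256:abc123", "Malicious", "Talos", utc("2019-05-01"), utc("2019-06-01"), "trojan dropper"),
    Judgement("sha256:abc123", "Suspicious", "Threat Grid", utc("2019-05-20"), None, "sandbox score 75"),
    Judgement("evil.test", "Malicious", "Umbrella", utc("2019-05-01")),
    Judgement("evil.test", "Clean", "Custom Whitelist", utc("2019-05-28"), None, "internal test domain"),
]

if __name__ == "__main__":
    print(final_verdict(SAMPLE, "sha256:abc123", utc("2019-05-30")))  # Malicious via Talos
    print(final_verdict(SAMPLE, "evil.test", utc("2019-06-01")))      # Clean outranks Malicious
```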


Sighting

A record of the appearance of a cyber observable at a given date and time.

Can optionally be related to Indicators, providing threat intelligence context about the observable.


Indicator

Describes a pattern of behavior or a set of conditions which indicate malicious behavior.

Some indicators are more indicative than others of malicious behavior, so knowing exactly which bad behaviors an observable is exhibiting can help an incident responder decide what to do next.

Cisco Threat Response uses a large collection of malware indicators from the AMP Global Intelligence threat archive, Threat Grid, and other sources.


Target

The device, identity, or resource that a threat has targeted.

A Target is identified by one or more Observables. When known, a type, operating system, and other metadata is recorded as well.

Targets are always part of a local Sighting.


Snapshot

Saves the current investigation and graph for subsequent retrieval and analysis.

Includes a unique identifier, and can have a custom Name and Description.

Documents the state of an investigation within a specific organization at a point in time.


Casebook

Built with APIs hosted in, and data stored in, Cisco Threat Response.

Available via:

• Cisco Threat Response Investigate UI
• Other integrated Cisco products and tools
• Any web page at all via browser plugin, including:
  • other Cisco products, integrated or not
  • existing external Threat Intel sources
  • existing 3rd party tools

Casebooks allow you to:

• Gather observables in groups (aka cases)
• Assign the case a name and a description
• Take and save notes on the case
• Add other observables at any time
• Immediately see verdicts and take actions
• Seamlessly work a case across multiple tools, even from different vendors
• Share cases between staff


Use Case: Hunt for Infected Hosts


Typical CIO question to InfoSec

A CIO just asked me about a new banking Trojan… I had no answer…

“I need to know now… are we impacted?”


Investigation Steps

1. Search security blogs for latest threat information

2. Find indicators of compromise (IoCs) to search

3. Search security operations systems looking for activity associated with IoCs

4. Verify existing threats are blocked

5. Investigate related activity to trace the threat

6. Investigate and block any new threats related to the activity


Get latest IOCs to search


Search in AMP Console


Search for malicious IP in AMP


AMP Console shows interaction with IP and malicious hash


Let’s Conduct the Same Investigation with Threat Response


1. Paste IOCs directly into Threat Response


2. Track to Internal Targets


Click on any of the results to be taken directly to that system in the Relations Graph below it.


Select items on the graph to pull up further information


Note the Observables pane and what it tells you about sightings in your environment


Drill into the observables by clicking on them


3. Select the endpoint to investigate it


4. Find related file – add to investigation to learn more


5. Assess new related files in the map


Save your work in a snapshot


Share your work in a casebook


Add observables to Casebook


Pivot into investigation from casebook


6. Block threats in file blacklist


7. Block Domains in Umbrella


Cisco Security Services


Security Services: Securing the New Digital Economy

• Security Advisory Services: expert security guidance to drive business outcomes
• Security Optimization Service: maximize operational excellence and performance
• Security Managed Services: experts and advanced analytics to lower OpEx
• Security Technical Services: minimize business disruption
• Security Implementation Services: maximize solution value
• Security Certifications and Learning Programs: build skills and reduce time to value

#1 in cybersecurity; $3.5B security investment; 20B threats blocked per day; 18.5B malware queries daily; 60B DNS queries daily

Service categories: Advisory, Implementation, Optimization, Managed, Technical, Training


Available in Incident Response Retainer Enhanced

• I need help right now: Emergency Incident Response
• Am I currently compromised? (Broad view): Compromise Assessments
• I need to know we will respond correctly: IR Tabletop Exercises
• Am I missing anything needed to respond?: IR Readiness Assessments
• I need a plan for when an incident occurs: IR Plans & Playbooks
• I need to build skills to combat cyberthreats: Cyber Range Workshop
• I need help in evaluation of attack prevention & detection: Purple Team
• Am I currently compromised? (Focus view): Threat Hunting


Our expertise

• Vertical Insight: Cisco has set up the world's largest networks
• Innovation: 536AS patents; direct access to Product Development
• Supported by 10,000 world-class specialists
• Experience: average of 10 years per person; 3480 CCIE® certifications
• Education: software and hardware developers
• IoT Labs: Herndon and Chicago
• Global Innovation Centers: Australia, Barcelona, Berlin, Houston, London, Paris, Rio de Janeiro, Songdo, Tokyo, Toronto