
Detect and Protect Against Security Threats,

Before It's Too Late!

BRKSEC-3061

Jazib Frahim

Principal Engineer, Cisco Security Solutions

[email protected]

Omar Santos

Incident Manager/Technical Leader, Cisco PSIRT | Security Research & Operations

[email protected] | Twitter: santosomar

CURRENT THREAT LANDSCAPE

Introduction

• Attacks are more targeted

• Custom malware created at victim’s site

• More organized attack campaigns

EVERY ORGANIZATION INDIVIDUAL OR SYSTEM IS A TARGET

Even Ninjas Get Pwned

You are a target…

• Intellectual Property

• Personal Information

• Distributed Development (source code)

Recent Evolution of Threats

• Custom malware is being deployed

• Multiple bad actors are present simultaneously

• Attacked infrastructure is a platform for the next attack

• Many are blind to network malfeasance

• Some are conceding loss of control

• Denial of Service can be a precursor to damage

• Undetected communication to embargoed countries

Targeted Attacks

“Tax season spam” increased during U.S. tax season.

Tax software specialized malware.

Targeted Attack Campaigns:

• Attackers correlating with trends showing people looking to make career changes during the beginning and end of the year.

• Interview Harvesting

• Money Mules

Example with Crypto Wall

http://blogs.cisco.com/security/talos/resume-spam-cryptowall

Targeted campaigns after natural disasters and political events.

Who are the “hackers” / bad actors nowadays?

According to Forrester's research, insiders are the top source of breaches in the last 12 months.

The study's numbers indicate that only 42% of the North American and European workforce surveyed had received training on how to remain secure at work.

Only 57% say that they're even aware of their organization's current security policies.

Data Security Incidents

• Negligence: 36%

• Outsider Theft: 22%

• Insider Theft: 16%

• Malware: 14%

• Phishing: 12%

Source: BakerHostetler Data Security Incident Response

67% of critical infrastructure providers were breached in 2014

Who am I? Who hired me?

Omar Santos

Incident Manager and Technical Leader, Cisco’s Product Security Incident Response Team (PSIRT), Security Research & Operations

[email protected] | Twitter @santosomar

0x3AF27EDC

Jazib Frahim

Principal Engineer, Cisco Security Solutions

[email protected]

Anatomy of an APT Attack

1. Find users from public sites like Facebook / LinkedIn

2. Attacker sends targeted email with malicious attachment (“You Got Mail!!!”)

3. Naïve user opens the exploit that installs a backdoor

4. Attacker targets other servers / devices to escalate privileges

5. Data acquired from targeted servers

6. Data transferred externally

Today’s Reality

OVER 75% of attacks start extracting data within minutes

OVER 50% of attacks are left undetected for months, if at all

Detection and Response capabilities must change

The Cost of A Breach

• $217 per stolen record (US)

• ~80,000+ Incidents

• $154 per stolen record

• 24,000 records stolen per breach

• Over 2122 breaches

Welcome to the Global Hacker Economy

• Exploits: $1000-$300K

• Spam: $50/500K

• Malware Development: $2500

• Mobile Malware: $150

• Facebook Account: $1

• Credit Card Data: $0.25-$60

• Medical Record: >$50

• DDoS as a Service: ~$7

• Social Security: $1

• Bank Account Info: >$1000

“There's now a growing sense of fatalism: It's no longer if or when you get hacked, but the assumption that you've already been hacked, with a focus on minimizing the damage.”

CYBER INSURANCE

EXAMPLE.COM

INSURED FOR: $2B

DEDUCTIBLE: $500M

Global IP Traffic Forecast

* Cisco Visual Networking Index (VNI)

BYOD?

• DDoS

• Malware

• Spam

$ echo "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==" | openssl base64 -d

http://bit.ly/R6STV

http://bit.ly/2KoHo

CASE STUDY 1 – LARGE SCALE CREDIT CARD & PII BREACH EXAMPLES

Large Scale Credit Card and PII Breach

• Thousands of credit, gift, and debit cards stolen

• Malware created onsite

• Stolen credentials of critical systems

• Other Personally identifiable information (PII), or Sensitive Personal Information (SPI)

Typical Point of Sale (POS) Attack

1. Gain a foothold on a system and exploit vulnerabilities to gain full control.

2. Compromise key systems that allow the attack to spread to point of sale systems.

3. Malware is installed on point of sale systems by exploiting a vulnerability on the POS system, or potentially by installing the malware via compromised system update functionality.

4. The malware collects financial and personal information.

5. Stolen data is transferred to a system with Internet access and exfiltrated outside of the organization to the attacker.

Kaptoxa/BlackPOS Malware

The data exfiltration operation of BlackPOS uses two threads:

• A scraper (main process) thread that periodically looks for the POS process and scrapes card data from its memory.

• A “transfer” thread which routinely transfers the stolen card data to another machine via SMB.

PoSeidon Malware

http://blogs.cisco.com/security/talos/poseidon

KeyLogger

Upon execution, this file copies itself to either %SystemRoot%\system32\<filename>.exe or %UserProfile%\<filename>.exe and adds a registry entry under HKLM (or HKCU)\Software\Microsoft\Windows\CurrentVersion\Run.

CC Numbers & the Luhn Algorithm

http://en.wikipedia.org/wiki/Luhn_algorithm

The malware only looks for number sequences that start with:

• 6 (Discover)

• 5 (MasterCard)

• 4 (Visa)

• 3 (AMEX)

with a length of 16 digits (Discover, Visa, MasterCard) or 15 digits (AMEX).

It then uses the Luhn algorithm to verify that the numbers are actually credit or debit card numbers.
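As an added example (not code from the presentation or from the malware it describes), the two-stage filter the slide describes, brand prefix and length followed by the Luhn check, written as the card-number scan a DLP tool or an analyst would run over a memory dump or log extract. The test card numbers and the sample text are constructed.

```python
"""Card-number detection of the kind a DLP scanner or IR analyst runs over a
memory dump or log extract.  Added example; not from the presentation."""
from __future__ import annotations
import re

# The slide's first-stage filter: leading digit (brand) and total length.
CARD_PREFIX_LENGTH = {
    "3": 15,  # AMEX
    "4": 16,  # Visa
    "5": 16,  # MasterCard
    "6": 16,  # Discover
}
BRAND_BY_PREFIX = {"3": "AMEX", "4": "Visa", "5": "MasterCard", "6": "Discover"}

# Runs of exactly 15 or 16 digits bounded by non-digits.
_DIGIT_RUN = re.compile(r"(?<!\d)(\d{15,16})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk right to left; double every second digit starting with the one
    # left of the check digit, folding two-digit results (14 -> 5).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(digits: str) -> bool:
    """Second stage from the slide: brand prefix/length, then Luhn."""
    expected_len = CARD_PREFIX_LENGTH.get(digits[:1])
    return expected_len == len(digits) and luhn_valid(digits)


def find_card_numbers(text: str) -> list[tuple[str, str]]:
    """Return (brand, masked number) for every digit run passing both checks.
    Numbers are masked to the last four so findings can be logged without
    reproducing the PAN."""
    hits = []
    for run in _DIGIT_RUN.findall(text):
        if looks_like_card(run):
            hits.append((BRAND_BY_PREFIX[run[0]], "*" * (len(run) - 4) + run[-4:]))
    return hits


# Constructed sample: public test PANs (not real accounts) mixed with a
# 16-digit order id that fails Luhn and a 15-digit Visa-prefixed run whose
# length does not match its brand.
SAMPLE_DUMP = (
    "order=1234567890123456 card=4111111111111111 "
    "amex=378282246310005 bad=411111111111111 disc=6011111111111117"
)

if __name__ == "__main__":
    for brand, masked in find_card_numbers(SAMPLE_DUMP):
        print(brand, masked)
```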

Why am I talking to Embargo Countries?

(e.g., Afghanistan, Iran, Iraq, or Libya)

AT 3:00 AM IN THE MORNING!!!

Examples of DNS Exfil Tools

• DeNiSe – a Python tool for tunneling TCP over DNS

• dns2tcp - supports KEY and TXT request types

• DNScapy – a Python scapy-like tool. Supports SSH tunneling over DNS including a Socks proxy.

• DNScat or DNScat-P – a Java based tool that supports bi-directional communication through DNS.

• DNScat (DNScat-B) - runs on Linux, Mac OS X and Windows.

• Heyoka – supports bi-directional tunnel for data exfiltration.

• Iodine - runs on Linux, Mac OS X, Windows and even ported to Android.

• OzymanDNS – written by Dan Kaminsky and used to setup an SSH tunnel over DNS or for file transfer. The requests are base32 encoded and responses are base64 encoded TXT records.

• psudp - injects data into existing DNS requests by modifying the IP/UDP lengths.

• Malware using DNS such as Feederbot and Moto have been used by attackers to steal sensitive information from many organizations.
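As an added example (not from the presentation or from any of the tools listed), a heuristic detector for the traffic these tools produce: many never-repeated, long, high-entropy leftmost labels under one parent domain, often carried in TXT or KEY queries. The log layout, the thresholds and the domain tunnel.example.net are assumptions; the log lines are constructed.

```python
"""Heuristic DNS tunnelling detector run over sample resolver query logs.
Added example; not from the presentation or from the tools it lists."""
from __future__ import annotations
import math
import re
from collections import defaultdict

# Constructed log lines in an assumed "client <ip> query: <name> IN <type>"
# layout.  The five long labels are base32-looking payload chunks.
SAMPLE_LOG = """\
client 10.1.1.20 query: www.example.com IN A
client 10.1.1.20 query: mail.example.com IN MX
client 10.1.1.37 query: mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tunnel.example.net IN TXT
client 10.1.1.37 query: nbswy3dpeb3w64tmmqqhg33tmvxxizlom5sgk3tfuq.tunnel.example.net IN TXT
client 10.1.1.37 query: onuw4zlfon2gs5tfon2xi5lsmvzsaylommnxgzlomu.tunnel.example.net IN TXT
client 10.1.1.37 query: mnxw45dsn5wgkzlvnfzs4y3pnvqw4zbamfzsaylo.tunnel.example.net IN TXT
client 10.1.1.37 query: pfxgs3tdnfqwyidsmvzxi4tjmn2gkzbamfzsaylomrsw4.tunnel.example.net IN KEY
client 10.1.1.20 query: cdn.example.com IN A
"""

QUERY_RE = re.compile(r"client (\S+) query: (\S+) IN (\S+)")

# Thresholds are assumptions for illustration; tune against your own baseline.
MIN_LABEL_LEN = 30          # encoded payload labels tend to be long
MIN_ENTROPY = 3.5           # bits/char; ordinary hostnames sit well below this
MIN_UNIQUE_SUBDOMAINS = 3   # many never-repeated names under one parent
TUNNEL_TYPES = {"TXT", "KEY", "NULL", "CNAME"}  # record types the tools favour


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Return (leftmost label, parent domain) for a query name."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return "", qname
    return labels[0], ".".join(labels[1:])


def score_queries(log_text: str) -> dict[str, dict]:
    """Aggregate suspicious labels per parent domain and return the parents
    that cross the unique-label threshold, with the query types and clients
    involved."""
    per_parent = defaultdict(lambda: {"labels": set(), "types": set(), "clients": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        label, parent = split_name(qname)
        # Only long, high-entropy labels count toward the parent's score.
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY:
            stats = per_parent[parent]
            stats["labels"].add(label)
            stats["types"].add(qtype)
            stats["clients"].add(client)
    findings = {}
    for parent, stats in per_parent.items():
        if len(stats["labels"]) >= MIN_UNIQUE_SUBDOMAINS:
            findings[parent] = {
                "unique_labels": len(stats["labels"]),
                "tunnel_types": sorted(stats["types"] & TUNNEL_TYPES),
                "clients": sorted(stats["clients"]),
            }
    return findings


if __name__ == "__main__":
    for parent, info in score_queries(SAMPLE_LOG).items():
        print(parent, info)
```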

POS Malware and Snort Sigs

• BlackPOS (POSRAM) (Dump Memory Grabber) - 29420, 29421 MALWARE-CNC Win.Trojan.Reedum outbound FTP connection

• Chewbacca – Malware that reads process memory, logs keystrokes and utilizes the TOR network to ship data back - 29440 MALWARE-CNC Win.Trojan.Chewbacca outbound communication attempt

• Dexter – Locates, dumps and ships credit card track data in memory for potential cloning - 25553 MALWARE-CNC Win.Trojan.Dexter variant outbound connection

• Trackr/Alina – Similar to Dexter, locates, dumps and ships credit card track data in memory - 26686 BLACKLIST User-Agent known malicious user agent - Alina

• VSkimmer – Sold as a successor to Dexter with more functionality - 29415 BLACKLIST DNS request for known malware domain posterminalworld.la & 29416 MALWARE-CNC Win.Trojan.vSkimmer outbound connection

CASE STUDY 2 – GROUP 72

What is Group 72?

• A long-standing threat actor group involved in Operation SMN, named Axiom by Novetta.

• Sophisticated, well funded, and possesses an established, defined software development methodology.

• Targets high profile organizations with high value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors.

• The preferred tactics of the group include watering-hole attacks, spear-phishing, and other web-based tactics.

• Created ZxShell (aka Sensocode) - a Remote Administration Tool (RAT) used to conduct cyber-espionage operations.

http://blogs.cisco.com/security/talos/threat-spotlight-group-72

ZxShell (aka Sensocode)

Once the RAT is installed on the host it will be used to administer the client, exfiltrate data, or leverage the client as a pivot to attack an organization’s internal infrastructure.

• Keylogger (used to capture passwords and other interesting data)

• Command line shell for remote administration

• Remote desktop

• Various network attack tools used to fingerprint and compromise other hosts on the network

• Local user account creation tools

ZxShell Commands

COMMAND        MEANING
SysInfo        Get target system information
SYNFlood       Perform a SYN attack on a host
Ps             Process service (Unix ps command implementation)
CleanEvent     Clear System Event log
FindPass       Find login account password
FileTime       Get time information about a file
FindDialPass   List all the dial-up accounts and passwords
User           Account Management System
TransFile      Transfer file to or from remote host
Execute        Run a program in the remote host
SC             Service control command, implemented like the Windows one
CA             Clone user account
RunAs          Create new process as another user or process context
TermSvc        Terminal service configuration (working on Win XP/2003)
GetCMD         Remote shell
Shutdown       Logout, shutdown or restart the target system

ZxShell Commands (continued)

COMMAND        DESCRIPTION
ZXARPS         Spoofing, redirection, packet capture
ZXNC           Run ZXNC v1.1 – a simple telnet client
ZXHttpProxy    Run an HTTP proxy server on the workstation
ZXSockProxy    Run a SOCKS 4 & 5 proxy server
ZXHttpServer   Run a custom HTTP server
PortScan       Run TCP Port MultiScanner v1.0
KeyLog         Capture or record the remote computer’s keystrokes (userland keylogger)
LoadDll        Load a DLL into the specified process
End            Terminate ZxShell DLL
Uninstall      Uninstall and terminate ZxShell bot DLL
ShareShell     Share a shell with others
CloseFW        Switch off Windows Firewall
FileMG         File Manager
winvnc         Remote Desktop
rPortMap       Port Forwarding
capsrv         Video Device Spying
zxplug         Add and load a ZxShell custom plugin

ShellMainThread Example

Implements the main code, responsible for the entire botnet DLL.

1. Checks if the DLL is executed as a service.

2. If so, it spawns the service watchdog thread.

3. The watchdog thread checks the registry path of the ZxShell service every 2 seconds, to verify that it hasn’t been modified.

4. If a user or an application modifies the ZxShell service registry key, the code restores the original infected service key and values.

Examples of other RATs:

• Gh0st RAT (aka Moudoor)

• Poison Ivy (aka Darkmoon)

• HydraQ (aka 9002 RAT aka McRAT aka Naid)

• Hikit (aka Matrix RAT aka Gaolmay)

• ZxShell (aka Sensocode)

• DeputyDog (aka Fexel) — Using the kumanichi and moon campaign codes

• Derusbi

• PlugX (aka Destroy RAT aka Thoper aka Sogu)

• HydraQ and Hikit

CASE STUDY 3 – SPECIALIZED & CUSTOM MALWARE IN INFRASTRUCTURE DEVICES

New Threat Landscape

• Targeted attacks and custom malware against infrastructure devices (routers, switches, etc.)

• These attacks go undetected for a longer time than traditional attacks

Infrastructure Devices

History

• Theoretical Research in 2005-2006 (FX & Mike Lynn)

• Recent incidents (2013 & 2014)

• Custom malware to change infrastructure device configurations

• Remote code execution

• Persistent attacks

Custom Malware

• Malware is software created to modify a device's behavior for the benefit of a malicious third party (attacker).

• One of the characteristics of effective malware is that it can run on a device stealthily in privileged mode.

• Malware is usually designed to monitor and exfiltrate information from the operating system on which it is running without being detected.

• Potentially sophisticated Cisco IOS malware would attempt to hide its presence by modifying Cisco IOS command output that would reveal information about it.

Infrastructure Device Infection

On Cisco devices running Cisco IOS Software, a limited number of infection methods are available to malware. Malicious software in Cisco IOS Software may be introduced in the following ways:

• By altering the software image stored on the onboard device file system. These types of malware would be persistent and would remain after a reboot.

• By tampering with Cisco IOS memory during run time. In this case, the malware is not persistent and a reload will restore the Cisco IOS device to a clean state booted from the image stored in the flash.

• By modifying the ROM monitor on systems with flash-based ROM monitor storage.

• By a combination of some or all of the preceding mechanisms

Attack Methods

• Some Cisco IOS devices offer a limited set of commands that are intended to be used by Cisco Technical Assistance Center (TAC) engineers during the process of troubleshooting a technical problem. Such advanced troubleshooting and diagnostic commands require privileged EXEC level and require valid credentials to execute. Thus, these commands could be an area that attackers can focus on to identify ways to run malicious software in Cisco IOS.

• It is important to note that not all Cisco IOS platforms offer advanced diagnostic commands. Of the platforms that do, only a very limited set of such commands is usually available. Additionally, to run these commands, a user needs administrative access to the device. Thus, following common authentication and command authorization security best practices will help prevent a malicious user from even attempting to install malicious software in Cisco IOS Software.

Commands

Attack Methods (cont.)

• It is possible that an attacker could insert malicious code into a Cisco IOS Software image and load it onto a Cisco device that supports the image.

• This attack scenario applies to any computing device that loads its operating system from an external, writable device.

• Even though such a scenario is not impossible, there are image verification techniques, discussed in the Cisco IOS Image File Verification section of this document that could prevent the router from loading such an image.

Manipulating Cisco IOS Images

Attack Methods (cont.)

• As with every operating system, there is a possibility that a vulnerability could exist in Cisco IOS Software that, under certain conditions, could allow malicious code execution.

• An attacker who exploited the vulnerability would install or run malicious code in Cisco IOS Software, which could then be used to take malicious action, such as modifying device behaviors or exfiltrating information.

• PSIRT identifies, manages, and releases all vulnerabilities in and fixes for Cisco products.

• Any vulnerability that Cisco is made aware of is investigated and released in accordance with the Cisco vulnerability disclosure policy.

http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html

Vulnerabilities

Identification Techniques

MD5 hash calculation and verification using the MD5 File Validation feature can be accomplished using the following command:

verify /md5 filesystem:filename [md5-hash]

Example:

# verify /md5 sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3

.....<output truncated>.....Done!

verify /md5 (sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3) = e383bf779e137367839593efa8f0f725

Using the Message Digest 5 File Validation Feature

Network administrators can also provide a SHA-512 hash to the verify command. If the hash is provided, the verify command will compare the calculated and provided SHA hashes, as illustrated in the following example:

omar-asa# verify /sha-512 disk0:/asa941-smp-k8.bin

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Done!

verify /SHA-512 (disk0:/asa941-smp-k8.bin) = 1b6d41e893868aab9e06e78a9902b925227c82d8e31978ff2c412c18ac99f49f70354715441385e0b96e4bd3e861d18fb30433d52e12b15b501fa790f36d0ea0

omar-asa#

Identification Techniques

Cisco IOS Software image file verification using this feature can be accomplished using the following commands:

file verify auto

copy [/erase] [/verify | /noverify] source-url destination-url

reload [warm] [/verify | /noverify] [text | in time [text] | at time [text] | cancel]

The following example shows how to configure the file verify auto Cisco IOS feature:

router# configure terminal

router(config)# file verify auto

router(config)# exit

router#

Using the Image Verification Feature

Identification Techniques

Network administrators can also verify the integrity of the run-time memory of Cisco IOS.

The best way to verify the integrity of run-time memory for IOS is to analyze the region of memory called “main:text.”

The main:text section contains the actual executable code for Cisco IOS Software after it is loaded in memory. As such, verifying its integrity is particularly relevant for detecting in-memory tampering. This region of memory should not change during normal Cisco IOS Software operation, and should be the same across reloads.

Because this region of memory holds the actual operating system code, it should not change between devices as long as they are the same model and running the same release number and feature set. However, if the Cisco IOS release in use is ASLR enabled, these assumptions become invalid. A side effect of ASLR is changing some parts of the operating system code. This means the memory contents will be different across devices, even if they are running the same operating system release and feature set.

http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html

Cisco IOS Run-Time Memory Integrity Verification

Additional Indicators of Compromise

The presence of the following commands should trigger further investigation. The asterisk symbol * indicates any text that follows the command itself.

gdb *

test *

tclsh *

service internal

attach *

remote *

ipc-con *

if-con *

execute-on *

show region

show memory *

show platform *

do-exec version of any of the above

Check logs for the presence of “unusual” commands

Additional Indicators of Compromise (cont.)

Cisco IOS devices support exporting the contents of the running memory. After the export, comparisons between the running memory dump, also called core dump, and the associated sections in the Cisco IOS image file can be performed to detect modification of the run-time memory contents.

Most Cisco IOS releases support a memory dump via the write core command.

The following example shows how to search for suspicious commands captured in a core dump file by using the Linux utility strings:

$ strings <CORE> |grep ^CMD:

CMD: 'verify /md5 system:memory/text' 06:59:50 UTC Wed Jan 15 2014

CMD: 'service internal | i exce' 07:02:41 UTC Wed Jan 15 2014

CMD: 'conf t' 07:02:45 UTC Wed Jan 15 2014

CMD: 'exception flash procmem bootflash:' 07:02:54 UTC Wed Jan 15 2014

CMD: 'exception core-file CORE compress ' 07:03:31 UTC Wed Jan 15 2014

Checking Command History in the Cisco IOS Core Dump
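As an added example (not from the presentation), the `strings CORE | grep ^CMD:` check from this slide done in Python, with the extracted command history matched against the indicator list from the previous slide, including the do-exec form. The core-dump bytes are constructed around the records shown on the slide plus two extra records that hit the indicator list.

```python
"""Extract the 'CMD:' command-history records from a Cisco IOS core dump
and flag the indicator commands listed on the slides.  Added example; not
from the presentation.  The dump bytes below are constructed."""
from __future__ import annotations
import re
from typing import Optional

# Indicator commands from the slide; a trailing '*' means any following text.
IOC_COMMANDS = [
    "gdb *", "test *", "tclsh *", "service internal", "attach *", "remote *",
    "ipc-con *", "if-con *", "execute-on *", "show region", "show memory *",
    "show platform *",
]

# Record layout as shown on the slide:
#   CMD: '<command>' <hh:mm:ss> <tz> <day> <mon> <dd> <yyyy>
CMD_RE = re.compile(
    rb"CMD: '([^']*)' (\d{2}:\d{2}:\d{2} \S+ \w{3} \w{3} \d{1,2} \d{4})"
)


def ioc_pattern(ioc: str) -> re.Pattern:
    """Turn a slide-style indicator into a regex.  '<cmd> *' matches the
    command with any arguments; an exact indicator also tolerates a trailing
    pipe filter (as in the slide's 'service internal | i exce').  The optional
    'do ' prefix covers the do-exec form the slide calls out."""
    if ioc.endswith(" *"):
        body = re.escape(ioc[:-2]) + r"(\s.*)?"
    else:
        body = re.escape(ioc) + r"(\s*\|.*)?"
    return re.compile(r"^(do\s+)?" + body + r"$")


IOC_PATTERNS = [(ioc, ioc_pattern(ioc)) for ioc in IOC_COMMANDS]


def extract_commands(core: bytes) -> list[tuple[str, str]]:
    """(command, timestamp) pairs in dump order: the same records that
    `strings CORE | grep ^CMD:` prints, without a shell."""
    return [(m.group(1).decode("ascii", "replace"),
             m.group(2).decode("ascii", "replace"))
            for m in CMD_RE.finditer(core)]


def match_ioc(command: str) -> Optional[str]:
    """Return the indicator a command matches, or None."""
    cmd = command.strip()
    for ioc, pat in IOC_PATTERNS:
        if pat.match(cmd):
            return ioc
    return None


def suspicious_commands(core: bytes) -> list[tuple[str, str, str]]:
    """(command, timestamp, matched indicator) for every flagged record."""
    flagged = []
    for cmd, ts in extract_commands(core):
        ioc = match_ioc(cmd)
        if ioc:
            flagged.append((cmd, ts, ioc))
    return flagged


# Constructed core-dump fragment: binary filler around the records shown on
# the slide, plus a do-exec 'show memory' and a 'gdb' record to flag.
SAMPLE_CORE = (
    b"\x00\x00\x7fELF\x01\x02"
    b"CMD: 'verify /md5 system:memory/text' 06:59:50 UTC Wed Jan 15 2014\x00"
    b"\xff\xfe"
    b"CMD: 'service internal | i exce' 07:02:41 UTC Wed Jan 15 2014\x00"
    b"CMD: 'conf t' 07:02:45 UTC Wed Jan 15 2014\x00"
    b"CMD: 'exception flash procmem bootflash:' 07:02:54 UTC Wed Jan 15 2014\x00"
    b"CMD: 'do show memory summary' 07:05:12 UTC Wed Jan 15 2014\x00"
    b"CMD: 'gdb kernel' 07:06:03 UTC Wed Jan 15 2014\x00"
)

if __name__ == "__main__":
    for cmd, ts, ioc in suspicious_commands(SAMPLE_CORE):
        print(f"{ts}  {cmd!r}  matches indicator {ioc!r}")
```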

Resources

• This document analyzes injection of malicious software in Cisco IOS Software and describes ways to verify that the software on a Cisco router, both in device storage and in running memory, has not been modified.

• Additionally, the document presents common best practices that can aid in protecting against attempts to inject malicious software (also referred to as malware) in a Cisco IOS device.

http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html

CASE STUDY 4 – High Profile Third Party Software Vulnerabilities

https://securityblog.redhat.com/2015/04/08/dont-judge-the-risk-by-the-logo

Network Telemetry: Attacker Destinations

Attacker Success: seen response 12.53%, not seen response 87.47%

Client Side Exploitation is a Reality: client 5.39%, server 94.61%

Services Being Targeted (destination port/ICMP code): 465 (smtps)/tcp, 995 (pop3s)/tcp, 993 (imaps)/tcp, 443 (https)/tcp

EXPLOITATION

BASHLITE, detected as ELF_BASHLITE.A (ELF_FLOODER.W) within hours…

http://blog.trendmicro.com/trendlabs-security-intelligence/bash-vulnerability-shellshock-exploit-emerges-in-the-wild-leads-to-flooder

http://blog.malwaremustdie.org/2014/10/mmd-0029-2015-warning-of-mayhem.html

VULNERABILITY DISCLOSURE TRENDS (over time)

2000-2005: RESEARCHERS

• FAME

• UPDATE RESUME

• DEFCON/BLACKHAT PRESENTATION

2005-2010: RESEARCHERS

• MONEY

• GEAR

2010-2013: BROKERS

• TIMELINES TO VENDOR

• PAY RESEARCHERS

NOW: EXPLOIT ECONOMY

• SELLING IN BLACK MARKET

• TO CRIMINALS

• TO CORPORATIONS

• TO NATIONS

...and of course the New Normal

Large-scale Impact: Critical Open Source Examples

Concerned?

You can never get a 100% secure network. No product of any size, vendor or type can provide 100% security at a given time.

People, Process, Products: Comprehensive Security

• Every company, small or big, is a target for malicious attacks

• Anti-virus and firewalls are NOT enough to stop advanced targeted attacks

• Each company has something that somebody else wants to steal

• Security is EVERYONE’s responsibility

Online Trust Alliance - Analysis of 500 recent data breaches

89 percent of data breaches could have been prevented had the organization implemented rudimentary security controls or followed best practices, such as encryption, checking access controls, and patch management.

“There are only two types of companies - those that have been hacked and those that will be.” Robert Mueller, Ex-Director, FBI

Think like an attacker

Improving Security Posture: Cisco Security Control Framework

Total Visibility (Identity, Trust, Compliance, Event, and Performance Monitoring)

• Identify: identify who or what is using the network

• Monitor: observe and monitor activities occurring on the network

• Correlate: build intelligence from activities occurring on the network

Complete Control (Security Policy Enforcement and Event Mitigation)

• Isolate: separate and create boundaries around users, traffic and devices

• Enforce: ensure the network conforms to a desired state or behavior

• Harden: withstand and recover from security anomalies

Secure, Resilient Networks and Services

Threat Intelligence

Layered Security Model

Converts a network architecture into an abstract “onion” representing security layers. Critical resources are placed at the center; the periphery depicts potentially untrusted entry points. Each layer can apply visibility and control mechanisms.

Layered Security Model - Visibility Techniques

Visibility techniques such as syslog and NetFlow are applied per layer; the security gaps are represented through a color spectrum.

Improving Network Visibility

Bring your own headache?

ISE: Wired, Wireless, VPN

Dynamic Segmentation Options: VLANs, DACLs, or TrustSec

Intelligent cyber security policy and segmentation is impractical without real threat context in today’s security landscape:

- Who are you? Bob

- What Device? BYOD or Corporate Endpoint

- Where are you? Building 200, 1st Floor Lobby

- When? 11:00 AM CST on April 10th

- How? Wired, Wireless, or VPN

Network Visibility with Real Context

Network Traffic Visibility: Signature-based detection

• Analysis of protocol meta-data and packet content

• Dynamic cloud-based binary analysis (AMP)

• Requires tuning to be effective

• Products: Snort, Cisco NGIPS

Network Traffic Visibility: Flow data

• Each flow data record contains IPs, ports, duration, and bytes transferred

• Look for unusually frequent, large, or lengthy network sessions

• Look for connections to suspicious IP geo-locations

• Does not require as much storage space as full packet capture

• Products: Cyber Threat Defense, Cognitive Threat Analytics, ELK

Building a SOC

Threat Visibility

SOC Tools: Threat intelligence feeds

• Updated regularly with emerging threats, poorly reputable sites/IPs

• Used for event research and analysis

• Can be imported into alerting tools to add detection and fidelity

• Products: Senderbase, Zeus tracker, malwaredomainlist, Collective Intelligence Framework (CIF)

DNS Response Policy Zones (RPZ)

Client -> Corporate DNS Server: “Where is example.com?”

Corporate DNS Server -> Upstream DNS Server: DNS query for someotherwebsite.com (normal resolution); response: example.com has address 93.184.216.119

Corporate DNS Server consults its LOCAL RPZ, kept in sync with the external DNS RPZ feed via AXFR/IXFR

DNS query for malicious-domain.com -> DNS response from DNS RPZ: malicious-domain.com is BAD!

SOC Tools: Sandboxing

• Detonates suspicious files (sandboxing)

• Detects and blocks malicious or zero-day exploits

• Analyze file behavior: capture malicious network communication, dropped files, registry/OS changes

• Products: FireAMP, ThreatGrid, Cuckoo, FireEye

SOC Tools: Full Packet Capture (FPC)

• Stores all network traffic, including packet payload

• Used for event research and analysis

• Requires large amounts of storage space

• Confirms true-positive signature alerts

• Products: Moloch, BlueCoat Solera, NetWitness

SOC Tools: Protocol metadata

• Contains only packet meta-data, no payload

• Does not require as much storage space as FPC

• Used for event research and analysis

• Useful for alerting in SIEM reports

• Products: Tshark, Bro, Qosmos

Operational Security

Patch Management – Proactive Security

Vulnerability Announced by Vendor -> Identify Affected Devices -> Identify Workarounds -> Patch/Fix is Obtained -> Patch/Fix is Tested -> Patch is Implemented

Awareness

• You need to keep up with vulnerability announcements from vendors at all times.

Identification/Correlation

• Identify vulnerable devices

• Identify potential workarounds and network mitigations

Fix Tested and Implemented

• Test

• Certify Image/Software

• Implement

Incident Management – Reactive Security

Timeline: To -> Te -> Ti -> Tc

Tevent = Te - To

Tincident = Ti - Te

Tcontainment = Tc - Ti

To = Time when an event occurs on the network

Te = Time when the event is detected on the network

Ti = Time when the event is classified as an incident

Tc = Time when the incident is contained on the network

Metrics for SOC Operations

• Mean time to identify an event

• Mean time to identify an incident

• Mean time to contain an incident

• Mean time to identify devices in real time

• Mean time to identify users in real time

• Mean time to revoke access once someone leaves a company

• Percent of unauthorized data flows found during audits

Metrics for SOC Operations (continued)

• Mean time to identify vulnerable and affected devices

• Mean time to test and implement a fix/patch on affected devices

• Percent of devices in compliance with the certified software image

• Percent of devices logging administrative logins and configuration changes

• Frequency of audits of identity systems for unauthorized users

• Frequency of firewall rule audits

Building Trend lines

[Chart: TT-ID-EV, TT-ID-IN and TT-CO-IN plotted per quarter (Q1-Q4); y-axis 50 to 450]
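As an added example (not from the presentation), the To/Te/Ti/Tc timeline turned into the three mean-time metrics and the per-quarter series the trend-line chart plots, with the ordering To <= Te <= Ti <= Tc enforced on input. The incident records are constructed.

```python
"""SOC timing metrics from the slides: Te-To, Ti-Te and Tc-Ti averaged over
incidents and rolled up per quarter for a trend line.  Added example; not
from the presentation.  The incident records are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    name: str
    t_o: datetime  # To: event occurs on the network
    t_e: datetime  # Te: event detected
    t_i: datetime  # Ti: event classified as an incident
    t_c: datetime  # Tc: incident contained

    def __post_init__(self) -> None:
        # The slide's timeline only makes sense if To <= Te <= Ti <= Tc.
        if not (self.t_o <= self.t_e <= self.t_i <= self.t_c):
            raise ValueError(f"{self.name}: timestamps out of order")

    @staticmethod
    def hours(a: datetime, b: datetime) -> float:
        return (b - a).total_seconds() / 3600

    @property
    def t_event(self) -> float:        # Tevent = Te - To, in hours
        return self.hours(self.t_o, self.t_e)

    @property
    def t_incident(self) -> float:     # Tincident = Ti - Te
        return self.hours(self.t_e, self.t_i)

    @property
    def t_containment(self) -> float:  # Tcontainment = Tc - Ti
        return self.hours(self.t_i, self.t_c)

    @property
    def quarter(self) -> str:
        # Bucket by the quarter in which the event occurred (To).
        return f"{self.t_o.year}Q{(self.t_o.month - 1) // 3 + 1}"


def mean_times(incidents: list[Incident]) -> dict[str, float]:
    """Mean time to identify an event, to identify an incident and to contain
    an incident (hours), keyed by the series names the chart uses."""
    return {
        "TT-ID-EV": mean(i.t_event for i in incidents),
        "TT-ID-IN": mean(i.t_incident for i in incidents),
        "TT-CO-IN": mean(i.t_containment for i in incidents),
    }


def trend_by_quarter(incidents: list[Incident]) -> dict[str, dict[str, float]]:
    """The same three metrics per quarter, in quarter order."""
    buckets: dict[str, list[Incident]] = {}
    for inc in incidents:
        buckets.setdefault(inc.quarter, []).append(inc)
    return {q: mean_times(v) for q, v in sorted(buckets.items())}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample: two incidents in Q1 and two in Q2 of a hypothetical year.
SAMPLE_INCIDENTS = [
    Incident("phish-01", parse_ts("2015-01-12 03:00"), parse_ts("2015-01-12 09:00"),
             parse_ts("2015-01-12 11:00"), parse_ts("2015-01-13 11:00")),
    Incident("pos-02", parse_ts("2015-02-20 22:00"), parse_ts("2015-02-21 08:00"),
             parse_ts("2015-02-21 10:00"), parse_ts("2015-02-22 10:00")),
    Incident("dns-03", parse_ts("2015-04-03 01:00"), parse_ts("2015-04-03 03:00"),
             parse_ts("2015-04-03 04:00"), parse_ts("2015-04-03 10:00")),
    Incident("rat-04", parse_ts("2015-05-15 12:00"), parse_ts("2015-05-15 16:00"),
             parse_ts("2015-05-15 17:00"), parse_ts("2015-05-16 05:00")),
]

if __name__ == "__main__":
    for q, m in trend_by_quarter(SAMPLE_INCIDENTS).items():
        print(q, {k: round(v, 1) for k, v in m.items()})
```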

Pulling it all together

Event Correlation

• Correlate events across multiple information sources

• Consume alerts, syslogs, feeds, and output from other tools

• Create custom reports based on known Indicators of Compromise (IOC)

• Products: Splunk, ArcSight, OSSIM, OpenSOC

Playbook Reports

• Provides custom views into network events

Training

• End-user as well as SOC staff

In-House vs. Managed SOC?

Challenges for In-House SOC

• Lack of Cyber Security talent

• Increasing complexity of threats

• Heightened regulatory environment

• Accelerating pace of innovation

Questions for MSSP

• What types of telemetry data form the basis for your visibility and detection capabilities?

• How are you performing analytics on that data?

• What do you report on?

• How can you help protect my organization against unknown, zero-day attacks?

• Where do you keep that data and how do you protect it?

Source: http://www.securityweek.com/five-questions-ask-when-evaluating-managed-security-services

Active Threat Analytics - Architecture

[Diagram] CUSTOMER PREMISE: customer SOC with 24/7 access, behind a firewall. Secure connection (HTTPS/SSH/IPSec) via VPN over the Internet to the CISCO DATA CENTER, behind a firewall.

Dedicated customer segment: administrative consoles, portal, ticketing.

Common services: threat intelligence, dedicated customer portal, alerting/ticketing system, investigator portal, authentication services.

CMSP: Advanced Malware Protection, Full Packet Capture, Anomaly Detection, Sourcefire IDS, Collective Security Intelligence, Streaming Analytics, ThreatGrid.

Inputs: NetFlow, full packet, machine exhaust; threat intelligence feeds (Cisco and third party); enrichment data.

OpenSOC Overview

Inputs: full packet capture, protocol metadata, NetFlow, machine exhaust (logs), unstructured telemetry, other streaming telemetry

Pipeline: Parse + Format -> Enrich -> Alert

Applications + Analyst Tools: log mining and analytics; big data exploration and predictive modelling; network packet mining and PCAP reconstruction

Incident Response: When everything else fails!

Before an Incident - Build an IR Team

• Appoint an IR Lead

  • Communications (both internal and external)

  • Coordination of activities

  • Internal Politics & Blame game

• Include members from all IT teams

• Define clear Roles and Responsibilities

• Training

• Procedures

  • How to document

  • How to establish chain of custody

  • How to gather all possibly important evidence

  • Escalations

• Testing the team / Procedures

• Communication Coordination

  • Law Enforcement

  • Media

  • Other Incident Response Teams

• Incident Handling

  • Protect evidence (accidental or intentional tampering / destruction)

  • Long haul activities

  • Incident ownership

  • Prioritization of activities

During an Incident

• Boundaries of response

  • Ethical

  • Legal

• Technical Activities

  • Do not disconnect or shutdown compromised machines

  • Maintain and preserve all logs

  • Establish Out-of-Band communication channels

  • Scope the Incident

  • Remediate the Attack

Engage an Incident Response Partner

Case Study: Targeted Infostealer Discovered via Hunting with Cisco Active Threat Analytics Service

Active Threat Analytics (ATA) Incident: Zeus Variant – ALERT

[Diagram] Customer premise: Intelligent Visibility Switch, passive network tap, Sourcefire, full packet capture, advanced analytics, metadata extraction, NetFlow, syslogs, vendor-agnostic telemetry, firewall, customer SOC. Secure connection (HTTPS/SSH/IPSec) via VPN over the Internet to the Cisco data center: dedicated customer segment (administrative console, investigator portal, authentication services), alerting/ticketing system, dedicated customer portal, threat intelligence, ThreatGRID.

ATA analyst noticed email zip attachments originating outside of the customer’s GEO region through AMP.

ATTACK SUMMARY

Email Subject: Your document

Email File: document_234787_pdf.zip (SHA256)

Dropped file: zdpya.exe (SHA256)

ThreatGrid analysis revealed four GET requests associated with the campaign.

Active Threat Analytics (ATA) Incident: Zeus Variant – DETECT

Analyst scrutinized activity and escalated to investigator for further review.

Active Threat Analytics (ATA) Incident: Zeus VariantCONFIRM

Full packet capture and

threat intelligence

allowed investigator to

perform detailed network

traffic analysis


The investigator determined that over 2,000 targeted email attachments had been sent from more than 100 unique email addresses, all with the same subject line and file-name format.


Active Threat Analytics (ATA) Incident: Zeus Variant (REMEDIATE)

The investigator searched the customer's logs for the drop site and identified several hosts that had made contact with it.


Active Threat Analytics (ATA) Incident: Zeus Variant (REMEDIATE)

The investigator highlighted the suspicious traffic and provided the customer with remediation methods to reduce the impact of the event.


Active Threat Analytics (ATA) Incident: Zeus Variant (REMEDIATE)

Per ATA's recommendation, the customer blocked the drop site, the sender IP, the email subject line and the attachment.
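The hunt, scoping and block steps in this case study (zip attachments from outside the customer's region, clustering by subject and file-name pattern to count senders, pivoting from the drop site to internal hosts, then building a block list) can be run end to end over gateway and proxy logs. The following is an added example written for this page; it is not code from the deck or from the ATA service. The log line formats, the small GEO_TABLE standing in for a GeoIP database, the sender and drop-site indicators and every log line are constructed for illustration.

```python
"""
Hunting, scoping and blocking a malspam campaign from gateway and proxy logs.

Added example for this case study; it is not code from the Cisco Live deck or
from the ATA service. The log line formats, GEO_TABLE (a stand-in for a GeoIP
database), the sender/drop-site indicators and every log line below are
constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

CUSTOMER_REGION = "US"

# Constructed: sender networks mapped to a country code (stands in for GeoIP)
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "RO",
    ip_network("192.0.2.0/24"): "NL",
}


def geo_of(ip):
    """Country code for an IP, or '??' when the address is not in the table."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")


# Constructed email-gateway log: sender IP, sender address, subject, attachment
EMAIL_LOG = """\
2015-03-02T08:01:11 src=198.51.100.7 from=a.smith@example-r.net subj="Your document" att=document_234787_pdf.zip
2015-03-02T08:01:40 src=198.51.100.9 from=hr@example-r.net subj="Your document" att=document_881201_pdf.zip
2015-03-02T08:02:03 src=192.0.2.55 from=office@example-n.org subj="Your document" att=document_113940_pdf.zip
2015-03-02T08:03:15 src=203.0.113.10 from=finance@corp.example subj="Q1 invoices" att=invoices_q1.zip
2015-03-02T08:04:50 src=198.51.100.7 from=a.smith@example-r.net subj="Your document" att=document_234787_pdf.zip
"""
EMAIL_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) from=(?P<from>\S+) '
    r'subj="(?P<subj>[^"]*)" att=(?P<att>\S+)$'
)


def hunt_foreign_zip_attachments(log_text, home_region=CUSTOMER_REGION):
    """ALERT: gateway records carrying a .zip attachment sent from outside home_region."""
    hits = []
    for line in log_text.splitlines():
        m = EMAIL_RE.match(line)
        if m and m["att"].lower().endswith(".zip") and geo_of(m["src"]) != home_region:
            hits.append(m.groupdict())
    return hits


def attachment_pattern(name):
    """Normalize the per-victim number out of a name: document_234787_pdf.zip -> document_N_pdf.zip."""
    return re.sub(r"\d+", "N", name)


def scope_campaign(hits):
    """CONFIRM: cluster hits by (subject, attachment pattern) and count unique senders per cluster."""
    senders = defaultdict(set)
    for h in hits:
        senders[(h["subj"], attachment_pattern(h["att"]))].add(h["from"])
    return {key: len(addrs) for key, addrs in senders.items()}


# Constructed: the drop site learned from sandbox detonation of the dropped executable
DROP_SITE = "drop.example-bad.test"

# Constructed web-proxy log: internal client, method, destination host and path
PROXY_LOG = """\
2015-03-02T08:10:02 client=10.1.4.23 method=GET host=drop.example-bad.test path=/gate.php
2015-03-02T08:10:05 client=10.1.4.23 method=GET host=www.example.com path=/
2015-03-02T08:12:44 client=10.1.7.88 method=POST host=drop.example-bad.test path=/gate.php
2015-03-02T08:15:00 client=10.1.9.2 method=GET host=update.example.org path=/x
"""
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) method=(?P<method>\S+) host=(?P<host>\S+) path=(?P<path>\S+)$"
)


def hosts_contacting(log_text, indicator):
    """REMEDIATE (scope): internal clients that reached the drop site, whatever the HTTP method."""
    clients = set()
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and m["host"] == indicator:
            clients.add(m["client"])
    return clients


def build_blocklist(hits, indicator):
    """REMEDIATE (block): drop site, sender IPs, subject line and attachment-name pattern."""
    return {
        "drop_site": {indicator},
        "sender_ips": {h["src"] for h in hits},
        "subjects": {h["subj"] for h in hits},
        "attachment_patterns": {attachment_pattern(h["att"]) for h in hits},
    }


if __name__ == "__main__":
    hits = hunt_foreign_zip_attachments(EMAIL_LOG)
    print("campaign clusters (unique senders):", scope_campaign(hits))
    print("hosts that reached the drop site:", sorted(hosts_contacting(PROXY_LOG, DROP_SITE)))
    print("blocklist:", build_blocklist(hits, DROP_SITE))
```

Two points from the case study are worth carrying into a real hunt. First, the scoping step matters because the campaign was spread across more than 100 sender addresses, so blocking the single sender that tripped the first alert would have left most of the wave untouched; the cluster count is what shows the scale. Second, of the four indicators the customer blocked, the subject line is the most brittle (actors rotate it cheaply), the attachment-name pattern is more durable than any one file name, and the drop site is the one that also surfaces hosts already infected, which is why the proxy pivot runs before the block is applied.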


Active Threat Analytics (ATA) Incident: Zeus Variant (RESOLVED)

Fully remediated: ATA continued to monitor and saw no further signs of compromise.


Incident Classification Breakdown, Active Threat Analytics Service: Shift in Tactics

Security Incidents, Q3 2014

  Nuclear EK     36%
  Fiesta EK      21%
  Phishing       19%
  Zeus           13%
  Necur          11%

Security Incidents, Q1 2015

  Phishing       73%
  Other          11%
  Exploit Vuln    7%
  Downloader      6%
  Scan            1%
  Ransomware      1%
  InfoStealer     1%

Between Q3 2014 and Q1 2015 the share of incidents driven by exploit kits (Nuclear EK and Fiesta EK, 57% combined) fell away, while phishing rose from 19% to 73% of incidents.

Thank you

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

• Your favorite speaker’s Twitter handle @santosomar

• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could Be a Winner

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions