Leverage the Network to Detect and Manage Threats

Matthew Robertson, Technical Marketing Engineer, Cisco. May 19, 2016.

© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Uploaded by cisco-canada on 17-Feb-2017. Category: Technology.

TRANSCRIPT

Page 1: Leverage the Network


Leverage the Network to Detect and Manage Threats

Matthew Robertson, Technical Marketing Engineer

May 19, 2016


Page 4: Leverage the Network


“The world is full of obvious things which nobody by any chance observes.”

Sherlock Holmes, The Hound of the Baskervilles

Page 5: Leverage the Network


About this Session: Finding the Insider Threat. Monitoring the network interior to find the threats within.

Page 6: Leverage the Network


Insider Threat

Page 7: Leverage the Network


Stealthwatch

About this Session: Finding the Insider Threat. Monitoring the network interior to find the threats within.

Page 8: Leverage the Network


NetFlow

Diagram: host 10.2.2.2 (port 1024) on interface eth 0/1; host 10.1.1.1 (port 80) on interface eth 0/2.

Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT | TCP Flags
10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010 | SYN,ACK,PSH
10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100 | SYN,ACK,FIN

Page 9: Leverage the Network


NetFlow = Visibility

Router# show flow monitor CYBER-MONITOR cache

IPV4 SOURCE ADDRESS: 192.168.100.100

IPV4 DESTINATION ADDRESS: 192.168.20.6

TRNS SOURCE PORT: 47321

TRNS DESTINATION PORT: 443

INTERFACE INPUT: Gi0/0/0

FLOW CTS SOURCE GROUP TAG: 100

FLOW CTS DESTINATION GROUP TAG: 1010

IP TOS: 0x00

IP PROTOCOL: 6

ipv4 next hop address: 192.168.20.6

tcp flags: 0x1A

interface output: Gi0/1.20

counter bytes: 1482

counter packets: 23

timestamp first: 12:33:53.358

timestamp last: 12:33:53.370

ip dscp: 0x00

ip ttl min: 127

ip ttl max: 127

application name: nbar secure-http

A single NetFlow Record provides a wealth of information

Page 10: Leverage the Network

NetFlow Deployment

Each network layer offers unique NetFlow capabilities:

• Distribution & Core: Catalyst® 6500, Catalyst® 4500

• Edge: ASA, ISR, ASR

• Access: Catalyst® 3560/3750-X, Catalyst® 4500, Catalyst® 3650/3850

• Endpoint: AnyConnect Network Visibility Module

Page 11: Leverage the Network

Stealthwatch System Components

Cisco Network: exports NetFlow

UDP Director

• UDP packet copier

• Forward to multiple collection systems

Stealthwatch Flow Sensor (VE)

• Generate NetFlow data

• Additional contextual fields (ex. App, URL, SRT, RTT)

Stealthwatch Flow Collector

• Collect and analyze

• Up to 2000 sources

• Up to sustained 240,000 fps

Stealthwatch Management Console

• Management and reporting

• Up to 25 Flow Collectors

• Up to 6 million fps globally

Best Practice: Centralize collection globally

Page 12: Leverage the Network

NetFlow Collection: Flow Stitching

Diagram: host 10.2.2.2 (port 1024) on interface eth 0/1; host 10.1.1.1 (port 80) on interface eth 0/2.

Uni-directional flow records:

Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT
10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010
10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100

Bi-directional:

• Conversation flow record

• Allows easy visualization and analysis

Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Client SGT | Server SGT | Interfaces
10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | 100 | 1010 | eth0/1, eth0/2

Page 13: Leverage the Network

NetFlow Collection: De-duplication

Diagram: 10.2.2.2 (port 1024) reaches 10.1.1.1 (port 80) through Sw1, Sw2, the ASA and Sw3.

Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | App | Client SGT | Server SGT | Exporter, Interface, Direction, Action
10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | HTTP | 100 | 1010 | listed below

Exporter, Interface, Direction, Action for this one conversation:

Sw1, eth0, in
Sw1, eth1, out
Sw2, eth0, in
Sw2, eth1, out
ASA, eth1, in
ASA, eth0, out, Permitted
ASA, eth0, in, Permitted
ASA, eth1, out
Sw3, eth1, in
Sw3, eth0, out
Sw1, eth1, in
Sw1, eth0, out
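The flow stitching and de-duplication the two slides above describe, as an added Python example that is not part of the deck: it folds the uni-directional records for the 10.2.2.2:1024 to 10.1.1.1:80 flow, as reported by several exporters (a constructed sample using the slide's exporter names), into one conversational record and decodes the tcp flags byte (0x1A) the way the tables print it. Taking the first record seen as the client side is an assumption; real collectors also apply port heuristics.

```python
from collections import namedtuple
from typing import Dict, List

# One uni-directional NetFlow record from one exporter. `hop` is "exporter, interface,
# direction" as on the de-duplication slide; `start` is seconds since midnight.
FlowRecord = namedtuple("FlowRecord", "start hop src_ip src_port dst_ip dst_port proto "
                                      "pkts bytes sgt dgt tcp_flags")

# TCP flag bits in the order the slide tables print them (0x1A -> "SYN,ACK,PSH").
TCP_FLAG_BITS = [("SYN", 0x02), ("ACK", 0x10), ("PSH", 0x08), ("FIN", 0x01), ("RST", 0x04)]

def decode_tcp_flags(value: int) -> str:
    return ",".join(name for name, bit in TCP_FLAG_BITS if value & bit)

def stitch(records: List[FlowRecord]) -> Dict[tuple, dict]:
    """Stitch uni-directional records into conversations and de-duplicate exporter copies."""
    convs: Dict[tuple, dict] = {}
    for r in sorted(records, key=lambda x: x.start):
        fwd = (r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto)
        rev = (r.dst_ip, r.dst_port, r.src_ip, r.src_port, r.proto)
        if rev in convs:                 # reply direction: the source is the server
            conv, side = convs[rev], "server"
        else:                            # the first record seen defines the client (assumption)
            conv = convs.setdefault(fwd, {"start": r.start, "client_sgt": r.sgt,
                                          "server_sgt": r.dgt, "flags": 0, "path": [],
                                          "client_bytes": 0, "client_pkts": 0,
                                          "server_bytes": 0, "server_pkts": 0})
            side = "client"
        # De-duplication: every exporter on the path reports the same packets, so keep
        # the largest count per direction instead of summing the copies together.
        conv[side + "_bytes"] = max(conv[side + "_bytes"], r.bytes)
        conv[side + "_pkts"] = max(conv[side + "_pkts"], r.pkts)
        conv["flags"] |= r.tcp_flags
        if r.hop not in conv["path"]:    # path the flow takes through the network
            conv["path"].append(r.hop)
    return convs

def demo() -> dict:
    """Constructed sample: the 10.2.2.2:1024 -> 10.1.1.1:80 flow from the slides, as
    reported by Sw1 and the ASA in both directions."""
    c2s = dict(src_ip="10.2.2.2", src_port=1024, dst_ip="10.1.1.1", dst_port=80,
               proto="TCP", pkts=5, bytes=1025, sgt=100, dgt=1010, tcp_flags=0x1A)
    s2c = dict(src_ip="10.1.1.1", src_port=80, dst_ip="10.2.2.2", dst_port=1024,
               proto="TCP", pkts=17, bytes=28712, sgt=1010, dgt=100, tcp_flags=0x13)
    records = [FlowRecord(37212.221, "Sw1, eth0, in", **c2s),
               FlowRecord(37212.230, "ASA, eth0, out, Permitted", **c2s),
               FlowRecord(37212.871, "ASA, eth0, in, Permitted", **s2c),
               FlowRecord(37212.880, "Sw1, eth1, in", **s2c)]
    return stitch(records)[("10.2.2.2", 1024, "10.1.1.1", 80, "TCP")]
```

Summing the two exporter copies would have reported 2050 client bytes; taking the maximum per direction keeps the true 1025 while the path still records every hop.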

Page 14: Leverage the Network


Host Groups

• Virtual Container of IP Addresses

• User defined

• Similar attributes

• Model any Process/Application

Page 15: Leverage the Network

ISE as a Telemetry Source

Monitor Mode

• Open Mode, Multi-Auth

• Unobstructed Access

• No impact on productivity

• Profiling, posture assessment

• Gain Visibility

Diagram: Cisco ISE forwards its Authenticated Session Table to the Stealthwatch Management Console (syslog).

• Maintain historical session table

• Correlate NetFlow to username

• Build User-centric reports

Page 16: Leverage the Network

Global Intelligence

Stealthwatch Threat Intelligence License

• Known C&C Servers

• Tor Entrance and Exits

Page 17: Leverage the Network

Conversational Flow Record

Who, Who, What, When, How, Where

• Stitched and de-duplicated

• Conversational representation

• Highly scalable data collection and compression

• Months of data retention

More context

Page 18: Leverage the Network

Conversational Flow Record

Applied situational awareness. Context sources: ISE Telemetry, NBAR, Flow Sensor, Geo-IP mapping, Threat Intelligence.

Page 19: Leverage the Network


Conversational Flow Record: Exporters

Path the flow is taking through the network

Page 20: Leverage the Network

NetFlow Analysis with Stealthwatch

Identify additional Indicators of Compromise (IOCs):

• Policy & Segmentation

• Network Behaviour & Anomaly Detection (NBAD)

Better understand / respond to an IOC:

• Audit trail of all host-to-host communication

Discovery

• Identify business critical applications and services across the network

Page 21: Leverage the Network


“There is nothing like first hand evidence”

Sherlock Holmes, A Study in Scarlet

Page 22: Leverage the Network

Flow Query Basics – The Flow Table

Screen labels: Filter (filter conditions); Details (more details).

Page 23: Leverage the Network

Flow Query Basics - Filtering

Select host to investigate: all flows in which this host was a client or server.

Page 24: Leverage the Network


Hunting

Page 25: Leverage the Network

Host groups and reports make it easier to hunt

Page 26: Leverage the Network

Types of Host Groups

• Inside Hosts: all hosts specifically defined as part of the network (by default, the “Catch All” group)

• Outside Hosts: all hosts not specifically defined as part of the network

  • Countries – GEO-IP

  • SLIC Created: Bogon, Command & Control Servers, Tor

Page 27: Leverage the Network


Inside Host Groups

Default Host Groups

• Catch All

• RFC 1918 Space

• By Function

• By Location

Include public IP space

Page 28: Leverage the Network

Host Groups: Parent-Child Relationship

Configuration trickles down; information reports up.

Page 29: Leverage the Network

Host Groups – Targeted Reporting

Geo-IP-based Host Group

Summary chart of traffic inbound and outbound from this Host Group

Page 30: Leverage the Network


Host Groups – Targeted Reporting

Traffic inbound

Traffic outbound

Page 31: Leverage the Network


Host Groups – Application Report

Applications outbound

Applications inbound

Page 32: Leverage the Network

Concept: Indicator of Compromise

An artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion (http://en.wikipedia.org/wiki/Indicator_of_compromise).

Sources of IOCs: IDS/IPS alert, log analysis (SIEM), raw flow analysis, outside notification, behavioural analysis, activity monitoring, anomaly detection, file hashes, IP addresses.

Page 33: Leverage the Network


IoC’s from Traffic Analysis

Behavioural Analysis:

• Leverages knowledge of known bad behaviour

• Policy and segmentation

Anomaly Detection:

• Identify a change from “normal”

Page 34: Leverage the Network

Stealthwatch NBAD Model

Algorithm: track and/or measure behaviour/activity

Security Event: suspicious behaviour observed or anomaly detected

Alarm: notification of security event generated

Page 35: Leverage the Network


Alarm Categories

Each category accrues points.

Page 36: Leverage the Network

Stealthwatch: Alarms

Alarms

• Indicate significant behaviour changes and policy violations

• Known and unknown attacks generate alarms

• Activity that falls outside the baseline, acceptable behaviour or established policies

Page 37: Leverage the Network

Behavioural Analysis: Leverages knowledge of known bad behaviour

Page 38: Leverage the Network


Segmentation Monitoring

Host Groups

Relationship

Forbidden relationship

Page 39: Leverage the Network

Policy Violation: Host Locking

Rule elements: client group, server group, client traffic conditions, server traffic conditions, successful or unsuccessful.

Page 40: Leverage the Network


Policy Violation: Host Locking

Communication in violation of policy

• Active alarm monitoring adherence to policy

Page 41: Leverage the Network

Policy Violation: Custom Security Events

Custom event triggers on traffic condition. Rule elements: rule name and description, Source Tag, Destination Tag, object conditions, peer conditions, connection conditions.

Page 42: Leverage the Network

Policy Violation: Custom Security Events

Alarm dashboard showing all Policy alarms

Details of “Employee to Productions Servers” alarm occurrences

Page 43: Leverage the Network

Anomaly Detection: Identify a change from “normal”

Page 44: Leverage the Network

Example Alarm Category: Concern Index

Concern Index: Track hosts that appear to be compromising network integrity. 66 different algorithms as of v6.7.1.

Page 45: Leverage the Network

High Concern Index: Baseline deviated by 2,432%!

Page 46: Leverage the Network

Identifying Internal Reconnaissance from CI

Scanning on TCP-445 across multiple subnets

Concern Index Events

Page 47: Leverage the Network

Example Event: Suspect Quiet Long Flow

An IP communication between an Inside and Outside host (with traffic in both directions) that exceeds the “Seconds required to qualify a flow as long” duration and is suspiciously small.

Default Policy

Page 48: Leverage the Network


Watching for Data Theft

Data Exfiltration

• Identify suspect movement from Inside Network to Outside

• Single or multiple destinations from a single source

• Policy and behavioral

Page 49: Leverage the Network

Data Hoarding

Suspect Data Hoarding:

• Unusually large amount of data inbound from other hosts

Target Data Hoarding:

• Unusually large amount of data outbound from a host to multiple hosts

Page 50: Leverage the Network


Suspect Data Hoarding

Data Hoarding

• Unusually large amount of data inbound to a host from other hosts

• Policy and behavioral
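The Suspect Quiet Long Flow event (page 47) and the Suspect and Target Data Hoarding checks (pages 49 and 50), as an added Python example that is not part of the deck: it runs both over constructed conversational records with an Inside Hosts group defined as RFC 1918 space, compares each host's byte totals with a per-host baseline and reports the percentage deviation the way the Concern Index slide does, and returns the hosts that would alarm. The thresholds (540 s, 1000 bytes, 5x baseline, two or more peers) and the baseline figures are assumptions, not Stealthwatch defaults.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed "Inside Hosts" group (RFC 1918 space); any other address is Outside.
INSIDE_HOSTS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Conversation = namedtuple("Conversation", "client_ip server_ip duration_s client_bytes server_bytes")

def is_inside(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INSIDE_HOSTS)

def suspect_quiet_long_flows(convs: List[Conversation], long_seconds: float = 540,
                             max_bytes: int = 1000) -> List[Conversation]:
    """Inside<->Outside, traffic both ways, longer than `long_seconds`, yet tiny."""
    hits = []
    for c in convs:
        crosses_edge = is_inside(c.client_ip) != is_inside(c.server_ip)
        both_ways = c.client_bytes > 0 and c.server_bytes > 0
        if (crosses_edge and both_ways and c.duration_s >= long_seconds
                and c.client_bytes + c.server_bytes <= max_bytes):
            hits.append(c)
    return hits

def data_hoarding(convs: List[Conversation], baseline: Dict[str, int],
                  factor: float = 5.0, min_peers: int = 2) -> Dict[str, Tuple[str, int]]:
    """Return {host: (kind, percent deviation)} for inside hosts whose received bytes
    ('suspect') or bytes sent to >= min_peers hosts ('target') exceed factor x baseline."""
    inbound, outbound, peers = defaultdict(int), defaultdict(int), defaultdict(set)
    for c in convs:
        for host, peer, sent, rcvd in ((c.client_ip, c.server_ip, c.client_bytes, c.server_bytes),
                                       (c.server_ip, c.client_ip, c.server_bytes, c.client_bytes)):
            inbound[host] += rcvd
            outbound[host] += sent
            peers[host].add(peer)
    alarms = {}
    for host, base in baseline.items():
        if not is_inside(host) or base <= 0:
            continue
        if inbound[host] > base * factor:
            alarms[host] = ("suspect", round((inbound[host] - base) * 100 / base))
        elif outbound[host] > base * factor and len(peers[host]) >= min_peers:
            alarms[host] = ("target", round((outbound[host] - base) * 100 / base))
    return alarms
# Constructed sample: one long, tiny Inside->Outside session plus bulk copies inside.
SAMPLE = [Conversation("10.201.3.59", "203.0.113.7", 3600.0, 320, 410),
          Conversation("10.201.3.59", "10.1.1.1", 12.0, 1025, 28712),
          Conversation("10.201.3.59", "10.1.1.2", 40.0, 900, 60_000_000),
          Conversation("10.201.3.59", "10.1.1.3", 35.0, 700, 55_000_000),
          Conversation("10.8.8.8", "10.1.1.1", 60.0, 500, 70_000_000)]
BASELINE = {"10.201.3.59": 5_000_000, "10.1.1.1": 10_000_000, "10.8.8.8": 100_000_000}
```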

Page 51: Leverage the Network


“The Science of Deduction.”

Chapter 1: The Sign of the Four

Page 52: Leverage the Network

The Science of Deduction: Gathering Evidence

Data elements gathered around an IOC answer:

• What did they get?

• When did they get it?

• Where did they go?

• Are they still here?

• Who is they?

Page 53: Leverage the Network

Investigating a Host: Host report for 10.201.3.59

Screen areas: behavior alarms; quick view of host group communication; summary information.

Page 54: Leverage the Network

Investigating: Host Drilldown

User information; Applications

Page 55: Leverage the Network

Investigating: Applications

A lot of applications. Some suspicious!

Page 56: Leverage the Network


Investigating: Audit Trails

Network behavior retroactively analyzed

Page 57: Leverage the Network

It Could Start with a User …

Username; Active Directory Details; Devices and Sessions; Alarms; View Flows

Page 58: Leverage the Network

Adaptive Network Control

Quarantine/Unquarantine via pxGrid between the Identity Services Engine and the Stealthwatch Management Console

Page 59: Leverage the Network

Key Takeaways

• Insider threats are operating on the network interior

• Threat detection and response requires visibility and context into network traffic

• NetFlow and the Cisco Stealthwatch System provide actionable security intelligence


Page 61: Leverage the Network

Thank you.
