Advanced Threat Defence using NetFlow and ISE

Transcription

1

2 Advanced Threat Defence using NetFlow and ISE Matthew Robertson TME, Cisco David Salter Technical Director, Lancope

3 Abstract Trends such as BYOD and the rise of the Advanced Persistent Threat (APT) are leading to the erosion of the security perimeter and increasingly attackers are gaining operational footprints on the network interior. Participants of this session will learn how to leverage NetFlow and the Lancope StealthWatch System in concert with the Cisco ISE and ASA to gain contextual awareness of network activity in order to identify insidious threats and accelerate incident response. Using realworld examples from Cisco s Security Incident Response Team (CSIRT) where appropriate, this session will cover how to leverage these technologies to gain visibility throughout the kill chain to accomplish tasks such as identifying command and control channels, detecting network reconnaissance, tracking malware propagation and detecting data loss. The target audience for this session are security administrators and analysts interested in learning how to best leverage NetFlow and other telemetry sources as part of their security toolkit. 3

4 Speakers Matthew Robertson Technical Marketing Engineer, Cisco Systems Matt is a Technical Marketing Engineering in the Security Technology Group at Cisco Systems. David Salter Technical Director, EMEA & International, Lancope Inc. David manages Lancope s technical operations outside of North America. 4

5 Agenda Introduction Meet John: Professional Mercenary How To #1: Breaking the business Learning from History Introduction to the Kill Chain Gaining Visibility with NetFlow How To #2: The security blanket you didn t know you had A lesson from Sun Tzu Adding Context Case Studies Protecting the Virtual Data Center Conclusion 5

6 Session Objectives At the end of the session, the participants should be able to: Understand the key challenges to complex threat visibility Define Cisco s approach to solving this problem Understand how to instrument their network infrastructure to gain visibility and context How to use the increased level of visibility and context to identify cyber threats 6

7 Meet John Professional Mercenary University Graduate Contracted by a Nation State Success Driven 7

8 Objective Assigned by Employer payment on delivery Steal critical secrets 8

9 Step 1: Reconnaissance Learn personal information Identify employees 9

10 Step 2: Infection Installs remote control software using legitimate password 10

11 Step 3: Propagation Performs exploratory activity in internal network. Identifies assets, information, targets Gains access to target systems 11

12 Step 4: Exfiltration Data is obtained from repository and stolen. 12

13 Debrief So what happened here? Skilled, determined, motivated attacker with defined measure of success Perimeter successfully bypassed Propagation throughout the internal network Valid credentials used Data moved from critical asset and exfiltrated 13

14 The Evolution of Cyber Threats Viruses (1990s) Defense: Anti-Virus, Firewalls Worms (2000s) Defense: Intrusion Detection & Prevention Botnets (late 2000s to current) Defense: Reputation, DLP, App.-aware Firewalls Directed Attacks (APTs) (today) Strategy: Visibility and Context ILOVEYOU Melissa Anna Kournikova Nimda SQL Slammer Conficker Tedroo Rustock Conficker Aurora Shady Rat Duqu 14

15 Thinking Beyond the Perimeter Advanced Persistent Threats and other Modern threats are consistently bypassing the security perimeter as they break the rules. X X X X O X X X O O 15

16 Concept: Kill Chain Reconnaissance Weaponization Delivery Exploitation Command and Control Actions on Objectives Harvesting addresses, identifying information, etc. Coupling exploit with backdoor into deliverable payload Delivering weaponized bundle to the victim via , web, USB, etc. Exploiting a vulnerability to execute code in victim system Command channel for remote manipulation of victim Intruders accomplish their original goal 16

17 Kill Chain: Post Breach 1. Command and Control 17

18 Kill Chain: Post Breach 2. Reconnaissance 1. Command and Control 18

19 Kill Chain: Post Breach 2. Reconnaissance 1. Command and Control 3.Propagation 19

20 Kill Chain: Post Breach 2. Reconnaissance 1. Command and Control 3.Propagation 20

21 Kill Chain: Post Breach 2. Reconnaissance 1. Command and Control 3.Propagation 21

22 Kill Chain: Post Breach 2. Reconnaissance 1. Command and Control 3.Propagation 22

23 Kill Chain: Post Breach 2. Reconnaissance 1. Command and Control 3.Propagation 23

24 Kill Chain: Post Breach 2. Reconnaissance 1. Command and Control 3.Propagation 4. Data Theft 24

25 If ignorant of both of your enemy and yourself, you are certain to be in peril. Sun Tzu Visibility of all host-to-host communication, inside and out, are essential to the maintenance of a strong security posture. 25

26 Know the Attacker Who? Nation-state? Competitor? Individual? What? What is the target? When? Is there a time when the attacker is most active? Where? Where is the attacker? Where are they successful? Why? How? Why are they attacking what is their goal? How are they attacking Zero-day? Knownpasswords? Insider? 26

27 Know Yourself Who? What? When? Where? Why? How? Is on the the network? Are your users doing? application? Behaviour? The device was on the network? Is it normal? Where do users normally access the network from? Why are they using that application? Are they accessing the network? 27

28 Telemetry Metadata you leverage every day Itemized telephone bill Flow Records 28

29 NetFlow 29

30 NetFlow NetFlow v fields to choose from including IPv6 and payload sections 30

31 Expert Systems for Analytics 31

32 Flow Based Anomaly Detection 32

33 Behaviour Based Analysis 33

34 Leveraging NetFlow

35 Components for Advanced Threat Detection StealthWatch Management Console Reputation Feed (Optional) Other tools/collectors https StealthWatch Labs Information Center https StealthWatch FlowReplicator StealthWatch FlowCollector Cisco ISE NetFlow NetFlow StealthWatch FlowSensor NBAR NSEL Cisco Network StealthWatch FlowSensor VE Users/Devices 35

36 Cisco NetFlow Support Cisco ASA Cisco 2900 Cisco 2800 Cisco 1700 Cisco 7600 Cisco NGA Cisco 7200 VXR Hardware Supported Cisco ISR G2 Cisco XR Cisco ASR Cisco 3560/3750-X Cisco Nexus 7000 Cisco Catalyst 4500 Cisco Catalyst

37 Versions of NetFlow Version Major Advantage Limits/Weaknesses V5 Defines 18 exported fields Simple and compact format Most commonly used format IPv4 only Fixed fields, fixed length fields only Single flow cache V9 Template-based IPv6 flows transported in IPv4 packets MPLS and BGP nexthop supported Defines 104 fields, including L2 fields Reports flow direction IPv6 flows transported in IPv4 packets Fixed length fields only Uses more memory Slower performance Single flow cache Flexible NetFlow (FNF) Template-based flow format (built on V9 protocol) Supports flow monitors (discrete caches) Supports selectable key fields and IPv6 Supports NBAR data fields Less common Requires more sophisticated platform to produce Requires more sophisticated system to consume IP Flow Information Export (IPFIX) AKA NetFlow V10 Standardized RFC 5101, 5102, 6313 Supports variable length fields, NBAR2 Can export flows via IPv4 and IPv6 packets Even less common Only supported on a few Cisco platforms NSEL (ASA only) Built on NetFlow v9 protocol State-based flow logging (context) Pre and Post NAT reporting Missing many standard fields Limited support by collectors 37

38 NetFlow Deployment Each network layer offers unique NetFlow capabilities Access Distribution & Core Edge Catalyst 3560/3750-X Catalyst 4500 ISR Catalyst 4500 Catalyst 6500 ASA ASR 38

39 NetFlow Deployment Access Catalyst 3560/3750-X Catalyst 4500 Access: New network edge Detect threats as the enter the network Detect threats inside the switch east-west Layer 2 traffic Fewer false positives Higher-granular visibility Identify the endpoint collect MAC Address 39

40 NetFlow Deployment Distribution & Core Catalyst 4500 Distribution & Core: Traditional deployment Minimal recommended deployment Enable at critical points/bottle necks Typically done on a Layer 3 boundary Detect threats internal to the VLAN When deployed on an SVI interface Detect threats as they traverse the internal network Move between subnets Catalyst

41 NetFlow Deployment Edge ISR ASA Edge: Detect threats as they enter and leave the network Monitor communication between branches Gain context from edge devices Application - NBAR Events - NSEL ASR 41

42 eth0/1 eth0/2 NetFlow Challenges: Flow Stitching Uni-directional flow records port port 80 Start Time Interface Src IP Src Port Dest IP Dest Port Proto Pkts Sent Bytes Sent 10:20: eth0/ TCP :20: eth0/ TCP Start Time Client IP Client Port Server IP Server Port Proto Client Bytes Client Pkts Server Bytes Server Pkts Interfaces 10:20: TCP eth0/1 eth0/2 Bi-directional: Conversation flow record Allows easy visualization and analysis 42

43 NetFlow Challenges: De-duplication Router A: :1024 -> :80 Router B: :1024 -> :80 Router C: :80 -> :1024 Duplicates Router C port 1024 Router B Router A Without de-duplication: Traffic volume can be misreported False positive would occur Allows for the efficient storage of flow data Necessary for accurate host-level reporting Does not discard data port 80 43

44 The need for context A key challenge in threat visibility Who is ? Policy Start Active Time Alarm Source Source Host Groups Target Details Desktops & Trusted Wireless Jan 3, 2013 Suspect Data Loss Atlanta, Desktops Multiple Hosts Observed 5.33G bytes. Policy maximum allows up to 500M bytes. 44

45 Obtain Context through the Cisco ISE Attribute flows and behaviours to a user and device Policy Start Active Time Alarm Source Source Host Groups Source User Name Device Type Target Desktops & Trusted Wireless Jan 3, 2013 Suspect Data Loss Atlanta, Desktops John Chambers Apple-iPad Multiple Hosts 45

46 Obtaining Context through NSEL Flow Action field can provide additional context State-based NSEL reporting is taken into consideration in StealthWatch s behavioral analysis Concern Index points accumulated for Flow Denied events NAT stitching 46

47 Providing Scalable Visibility Drilling into a single flow yields a wealth of information 47

48 Attack Detection without Signatures High Concern Index indicates a significant number of suspicious events that deviate from established baselines Host Groups Host CI CI% Alarms Alerts Desktops ,645,669 8,656% High Concern index Ping, Ping_Scan, TCP_Scan Monitor and baseline activity for a host and within host groups. 48

49 Aside: CSIRT NetFlow Collection at Cisco San Jose RTP Amsterdam Tokyo Bangalore 15.6 billion flows / day Sydney 90 day retention 49

50 Working with NetFlow

51 Detecting Command and Control Periodic phone home activity What to analyze: Countries Applications Uploads/Downloads ratio Time of day Repeated connections Beaconing - Repeated dead connections Long lived flows Known C&C servers StealthWatch Method of Detection: Host Lock Violation Suspect Long Flow Beaconing Host SLIC Reputation Feed 51

52 Detecting Command and Control Alarm indicating communication with known BotNet Controllers Source user name IP Address Target that triggered alarm Alarm details Start Active Time Alarms Source User Name Source Source Host Groups Target Target Host Groups Details Dec 11, 2012 Bot Infected Host Attempted C&C Activity John Chambers Sales and Marketing, Atlanta, Desktops node1.bytecluster.com ( ) Optima, United Kingdom Attempted communication was detected between this inside host and C&C server using port 80 and the TCP protocol 52

53 Identifying Reconnaissance Activity Long and slow activity to discover resources and vulnerabilities What to analyze: High number of flows High client byte ratio One-way or unanswered flows Flows within the subnet/host group Flows to non-existent IP s Flow patterns Abnormal behaviour StealthWatch Method of Detection: Concern Index High Traffic High Connections Trapped Hosts 53

54 Identifying Reconnaissance Activity 54

55 Identifying Reconnaissance Activity High Concern Index indicates a significant number of suspicious events that deviate from established baselines Host Groups Host CI CI% Alarms Alerts Desktops ,645,669 8,656% High Concern Index Ping, Ping_Scan, TCP_Scan 55

56 Identifying Reconnaissance Activity 56

57 Identifying Malware Propagation Discovered host answers and vulnerability exploited What to analyze: High number of flows High client byte ratio Connections within the subnet/host group Flow patterns Abnormal behaviour StealthWatch Method of Detection: Concern Index, Target Index Scanning Alarms Touched Host Worm Propagation Alarm Worm Tracker 57

58 Detecting Internally Spreading Malware Prioritized Threats 58

59 Detecting Internally Spreading Malware Targeted resources and behaviour 59

60 Detecting Internally Spreading Malware Source user, asset and connection point 60

61 Detecting Data Loss Intermediary resource used to obfuscate theft Data is exported off resource What to analyze: Historical data transfer behaviour Applications Time of day Countries Amount of data single and in aggregate Time frames Asymmetric traffic patterns Traffic between Host Groups StealthWatch Method of Detection: Suspect Data Loss Alarm 61

62 Detecting Data Loss 62

63 Detecting Data Loss 63

64 Detecting Data Loss Source host, peer and data volume 64

65 Secure the Virtualized Datacenter VM VM SERVICE CONSOLE lightweight packet capture and flow creation performed using a virtual FlowSensor appliance capture Visibility & Context: Flow records include: VM name VM server name VM State vmotion aware Host Profiled in terms of VM name FlowSensor verifies over 900 applications Monitors response time measurements 65

66 Secure the Virtualized Datacenter 66

67 Secure the Virtualized Datacenter Provide VM-to-VM visibility within the same VMware server 67

68 Key Takeaways Advanced threats are consistently bypassing the traditional security perimeter. Threat detection requires visibility and context into network traffic. NetFlow can provide the necessary visibility and when joined with context from products such as the Cisco ISE, ASA, ISR and Lancope StealthWatch, these threats can be detected. 68

69 Call to Action Schedule a Whisper Suite Briefing to experience the following demos/solutions in action: Schedule a demo with your Cisco or Lancope representative Meet the Engineer Matt and David are available the rest of the week. Discuss your project s challenges at the Technical Solutions Clinics 69

70 71

71