Applied Advanced Network Telemetry: ETA and Beyond

Transcription

1

2 BRKSEC-2809 Applied Advanced Network Telemetry: ETA and Beyond TK Keanini, Principal Engineer Blake Anderson, Technical Leader

3 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brksec Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Hello My Name is TK Keanini Keanini (Pronounced Kay-Ah-Nee-Nee) TK: The past years in a nutshell BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Hello My Name is Blake Anderson Born in Memphis, Tennessee Anderson (Pronounced And-er-son) PhD in security/machine learning from the University of New Mexico New Mexico = Joined Cisco ~3 years ago My puppy longingly stares at her food bowl all day Arya = BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 Agenda Encrypted Traffic Analytics Cryptographic Compliance Malware Detection without decryption Robust Network Data Features OS Fingerprinting Adversarial Machine Learning

7 Encrypted Traffic Analytics (ETA)

8 Encrypted Traffic Analytics Only solution that provides visibility and malware detection without decryption Malware in encrypted traffic Cryptographic compliance BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 Encrypted Traffic Analytics (ETA) NFv9 with ETA information elements ETA Collector(s) Cloud Analysis Malware detection and cryptographic compliance Leveraged Network Faster Investigation Higher Precision Enhanced NetFlow from Cisco s newest switches and routers Enhanced analytics and machine learning Global-to-local knowledge correlation 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

10 The early days of network telemetry NetFlow Provides A trace of every conversation in your network An ability to collect records everywhere in your network (switch, router, or firewall) Network usage measurements An ability to find north-south as well as east-west communication Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis Indications of compromise (IOC) Security group information Internet Switches Routers Flow Information Packets SOURCE ADDRESS DESTINATION ADDRESS SOURCE PORT DESTINATION PORT 443 INTERFACE Gi0/0/0 IP TOS 0x00 IP PROTOCOL 6 NEXT HOP TCP FLAGS 0x1A SOURCE SGT 100 : : APPLICATION NAME NBAR SECURE-HTTP BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 End-to-end visibility across all telemetry User Device Server Switch Router WAN Router Firewall Server Cisco Identity Services Engine Router Switch Firewall Data Center ISR CSR ASR WLC Catalyst IE ETA enabled Catalyst ASA FTD Meraki Nexus switch Tetration Web Endpoint Policy and User Info Other Web Security Appliance (WSA) AnyConnect Identity Services Engine (ISE) Stealthwatch Flow Sensor Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 11

12 Encrypted Traffic Analytics Overview Outcomes Analytics Cryptographic Compliance ETA Enhanced Analytics Malware Detection IDP SPLT BD* ETA Data Features Initial Data Packet The first packets of any connection contain valuable data about the content. Sequence of Packet Lengths and Times The SPLT field gives us visibility beyond the first packet of the encrypted flows. srcip, dstip, srcport, dstport, prot, starttime, stoptime, numbytes, numpackets, IDP, SPLT, BD Exporters of Netflow Byte Distribution The BD keeps a count for each byte value encountered in the payloads of the packets of the flow being analyzed Routers/Switches Packet Capture Devices Other Exporters *BD in fast follow release BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

13 IP Header TCP Header Initial Data Packet TLS Header TLS version SNL (Server Name) Ciphersuites Certificate Organization Issuer Issued Expires BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 Sequence of packet lengths and time Flow Start Time BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 14

15 Cryptographic Compliance

16 How much of my digital business is encrypted versus in the clear? 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

17 Encryption Details on all Network Flows 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

18 Filter Flows by TLS/SSL BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Malware Detection without decryption

20 Telemetry Features Incidents Threat context Power of multi-layer machine learning Threat Analytics Threat Grid Encrypted Traffic Analytics Internet scrapers Global risk map Threat correlation 10B requests per day Anomaly detection Trust modeling Event classification Entity modeling Relationship modeling Layer 2 Layer 3 50,000 incidents per day Layer 1 Anomalous Requests Processed NetFlow + Proxy (weblog) Malicious Events (telemetry sequences) Threat Incidents (aggregated events) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Power of multi-layer machine learning Increase fidelity of detection using best-in-class security analytics 10,000,000,000 requests per day Anomaly detection Trust modeling Anomalous Traffic Global Risk Map Threat Grid, TALOS Event classification Entity modeling Malicious Events 50,000 incidents per day Relationship modeling Threat Incidents BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

22 Expanded CTA Dashboard View Encrypted Traffic Analytics Cognitive Analytics BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Stealthwatch Threat Analytics User Flows CTA Widget on SW Dashboard CTA Incident Timeline on SW Host Report CTA Incident Detail on CTA Dashboard Select IP Address Select Incident Detail CTA Dashboard on Separate Tab BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

25 Future Research The Future of Encrypted Traffic Analytics Telemetry

26 How Much of my Traffic is not Encrypted? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 26

27 Ports/Protocols are not Sufficient Custom encryption over port 80 TLS over port 80 Unknown protocol Known protocol over nonstandard port HTTP over port 80 Known protocol over standard port BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 27

28 Plaintext Detection Leverage additional ETA data features, signatures, and machine learning Data Sources Data Features {Encrypted} {Plaintext} TCP UDP TCP UDP IP Known Encrypted Protocols IP Known Plaintext Protocols SPLT/IDP Per-packet byte distribution (ppbd) Information Data Packet (IDP+) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 TLS alert Messages client_ hello client_key _exchange change_ cipher_ spec encrypted _handshake _message app_data app_data server_ hello certificate cont. server_ key_ exchange change_ cipher_ spec encrypted _handshake _message app_data encrypted _alert server_ hello_ done BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 TLS alert Messages close_notify Indicates one party wishes to close the connection bad_record_mac, record_overflow, decode_error, etc. Active attacks (e.g., padding oracle attack) Bug in the client/server software BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 TLS alert Message Inference Leverage ETA data features and supervised machine learning Data Sources Data Features Endpoint Logs Server Logs Network Traffic Sequences of TLS Record Lengths and Times BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Robust Network Data Features

33 Detecting Malware not Sandboxes Sandbox Intranet Malware Benign BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 33

34 Benign Malware Detecting Malware not Sandboxes Sandbox Intranet No HTTP Via header HTTP Via header from proxy BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 34

35 Benign Malware Detecting Malware not Sandboxes Sandbox Intranet Sandbox Label Assignment Intranet Label Assignment Identical Client Runs BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 35

36 MiTM/Proxies Premises Internet MiTM certificate/etc. record altered client_hello/etc. records altered BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

37 Length Generic Receive Offload (GRO) Time BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 37

38 Robust Network Data Features Normalize as much as possible: RTT estimate, individual packets application messages TLS cipher_suites category of TLS library (Schannel, Firefox, etc.) HTTP Via / MiTM TLS cipher_suites remove features and add proxy indicator [200 bytes, 39k bytes ] HTTP headers [Via, X-Forwarded-For] Web Proxy: WSA/10.x BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 38

39 Solution Overview Cisco Products classifier description auxiliary data fingerprint rules flow record Enhanced NetFlow Network Inference OS Inference Application Inference Malware Detection Malware Family flow record Enhanced NetFlow labels Endpoint Context OS, Applications, PMTU, RTT, Infection, BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 OS Fingerprinting

41 OS Fingerprinting Goals Understand devices sending attack traffic Identify evasion through network header rewriting Understand infected internal devices Detect unauthorized devices Detect obsolete, vulnerable OSes BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Data Features BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 Classifier Results acc=97.50% BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 Evasion Model: attacker can control a fraction of the data features Windows Mac OS X Mac,iOS Win SP1 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 Adversarial Machine Learning

46 Adversarial Machine Learning Evasion Attacks Craft samples to evade detection of a specific classifier Training Dataset Testing Evading Sample Typical Samples BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 Evading Classifiers Inferred Application Behavior (v: 52.0) + = (v: 1.0.1r) + = BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

48 Attacking Evasion with More Data Endpoint Monitoring Inferred Application Behavior Server s Identity (v: 52.0) (v: 1.0.1r) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

49 Adversarial Machine Learning Poisoning Attacks Craft samples to corrupt a specific classifier Normal Dataset Poisoned Dataset Poisoning Samples BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Poisoning Real-World Datasets Prerequisites: Approximate knowledge of the classifier (white papers / blogs / ETA license) Influence over the training data (ThreatGrid and/or ETA license) Optimal Poisoning Sample(s) Poisoned Model BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 Attacking Poisoning with More Data ETA Classifier Training AMP Poisoning-Resistant Model Submission Metadata Poisoning Detection BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 Conclusions

53 Conclusions The threat landscape will continue to evolve, and we evolving with it Cisco is continuing to innovate around ETA to address future threats Malware's Exclusive Use of TLS 20.00% 18.00% 16.00% 14.00% 12.00% 10.00% 8.00% 6.00% 4.00% 2.00% 0.00% Sep-16 Nov-16 Dec-16 Feb-17 Mar-17 May-17 Jul-17 Aug-17 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 53

54 References ETA Overview ETA Deployment Guide Martin Rehak, Blake Anderson Securing Encrypted Traffic on a Global Scale; Cisco Blogs Blake Anderson, David McGrew; Machine Learning for Encrypted Malware Traffic Classification: Accounting for Noisy Labels and Non-Stationarity; KDD, 2017 Blake Anderson, David McGrew; Identifying Encrypted Malware Traffic with Contextual Flow Data; CCS AISec, 2016 Blake Anderson, Subharthi Paul, David McGrew; Deciphering Malware s Use of TLS (without Decryption); Journal of Computer Virology and Hacking Techniques, Blake Anderson, David McGrew; OS Fingerprinting: New Techniques and a Study of Information Gain and Obfuscation; CNS, 2017 Open source package for network data capture and analysis: BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 54

55 Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the Cisco Live Mobile App 2. Click Join the Discussion 3. Install Spark or go directly to the space 4. Enter messages/questions in the space cs.co/ciscolivebot#brksec Cisco and/or its affiliates. All rights reserved. Cisco Public

56 Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Complete Your Online Session Evaluation Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at Cisco and/or its affiliates. All rights reserved. Cisco Public

57 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Tech Circle Meet the Engineer 1:1 meetings Related sessions BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 Thank you

59