AMP for Endpoints & Threat Grid

Size: px

Start display at page:

Download "AMP for Endpoints & Threat Grid"

Alexina Joseph
5 years ago
Views:

2 AMP for Endpoints & Threat Grid Response & Prevention Dean De Beer & Eric Hulse BRKSEC-2029

3 AMP Threat Grid Malware Analysis Engines & Techniques

4 A little background Malware Analysis & Threat Intelligence Appliance & Cloud delivery options Current DC: U.S East Coast Data Center U.S. UCS Data Center DC: U.S. UCS Data Center 2 EU UCS Data Center 1 Multiple API Options Integration Driven Scaling/Stability versus Features BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Asymmetric Warfare: a conflict between opposing forces which differ greatly in military power and that typically involves the use of unconventional weapons and tactics

6 The Kernel Monitor Outside & invisible to the Guest OS Uses a map of symbols in select kernel functions Analyzes data coming through kernel functions trap defer=false, no_trap=false, arch=(), osver=(), hw=false For arguments of interest we extract interesting content Write data out to a series of files Analysis.json is produced and sent for further enrichment Define Trap Symbol Paths Monitor Set Handler Parse Arguments Raw Output Win Analyze Analysis.json No Is Trap Hit Yes BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Dynamic Disk Analysis Forensic parsing of the physical disk MBR, Active & Inactive partitions Requires understanding of how we load VMs. Create snapshot of base image (control subject) Uses a clone of this image for analysis Keep log of changes at block/sector level Impossible to evade if persistence is required Invisible to the Guest OS Diff of changes is parsed Next we walk MFT for file name and location Produces a list of disk Modifications. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 MBR Modification (Dark Seoul) "orig": "3\u00c0\u008e\u00d0\u00bc\u0000 \u00fbp\u0007p\u001f\u00fc\u00be\u001b \u00bf\u001b\u0006pw\u00b9\u 00e5\u0001\u00f3\u00a4\u00cb\u00bd\u00be\u0007\u00b1\u00048n\u0000 \tu\u0013\u0083\u00c5\u0010\u00e2 \u00f4\u00cd\u0018\u008b\u00f5\u0083\u00c6\u0010it\u00198,t\u00f6\u00a0\u00b5\u0007\u00b4\u0007\u008b\ u00f0\u00ac<\u0000t\u00fc\u00bb\u0007\u0000\u00b4\u000e\u00cd\u0010\u00eb\u00f2\u0088n\u0010\u00e8f\ u0000s*\u00fef\u0010\u0080~\u0004\u000bt\u000b\u0080~\u0004\ft\u0005\u00a0\u00b6\u0007u\u00d2\u0080f \u0002\u0006\u0083f\b\u0006\u0083v\n\u0000\u00e8!\u0000s\u0005\u00a0\u00b6\u0007\u00eb\u00bc\u0081> \u00fe}u\u00aat\u000b\u0080~\u0010\u0000t\u00c8\u00a0\u00b7\u0007\u00eb\u00a9\u008b\u00fc\u001ew\u00 8b\u00f5\u00cb\u00bf\u0005\u0000\u008aV\u0000\u00b4\b\u00cd\u ", "curr :"PRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPR INCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESP RINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPES PRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPE SPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCP ESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINCPESPRINC PESPRINCPES BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 User Land Instrumentation Set of tools providing user-land visibility (Cloak and Dagger) Dagger handles injection & data exfiltration Support various evasion techniques Cloak handles user-land monitoring Allows for gathering information that does not make it to the kernel Active Capability as well Sleep & Crypto APIs Manipulation. bexhb7i/z2bic0tnezmphxb/xyoaetikgatzx5w5&jqc5uq4amhpowvuty2urh!gs9bcpt7qczspg 6:31:20 AM PC Administrator Introduces a presence into Guest OS BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 9

11 So it turns out that malware authors do not follow RFC s or standards of any type.

12 Artifact Static Analysis Multiple techniques for file-type identification Go based file parsers File is taken apart into component form & analyzed YARA rules on per-filetype basis Isolates crashes in static forensics Applied to all generated artifacts today Will be applied to incoming submissions shortly BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

Evasion Attempt Behaviors BRKSEC-2029 2016 Cisco

19 So all this work and

Indicator Engine Observations Indicator Types Behavioral Static Malware Compromise Evasion

21 Behavioral Indicators 675 Current Indicators Developed Weekly Additional 200 in Current Work Queue 400 in Backlog forensics attribute weakening artifact network enumeration malware file evasion persistence BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

23 Ransomware Excessive Suspicious Activity Generic Ransomware Desktop Background Change Generic Ransom Note Shadow Copy Deletion BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

Behavioral Indicator BRKSEC-2029 2016 Cisco and/or

27 Knowledge is partial and temporary without context there is no meaning.

Analysis Capabilities Advance Correlation Capabilities Produce Metrics &

28 Advanced Threat Research & Efficacy Team Drive Product Efficacy Create Detection Engines Content & Convictions Threat Research Advance Sandbox & Analysis Capabilities Advance Correlation Capabilities Produce Metrics & Reports BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

29 6,907,413 files were marked malicious in June leading to 514,015 Threat Detections and 113,509 Retrospective Detections on 226,873 endpoints across 2,131 businesses. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Cisco AMP Provides Unique Value Cisco Sandbox More than 19% of files convicted by Threat Grid did not exist in Virus Total at time of detection 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 63% 58% 37% 75% 75% 33% 57% 42% 19% 67% % 90% 80% 32% 70% 60% 50% 40% 30% 20% 10% 0% Cisco Threat Intelligence Research More than 45% of files convicted by Talos did not exist in Virus Total at time of detection 36% 83% 17% 33% 35% 57% 43% 45% 55% Known to Virus Total Threat Grid Known to Virus Total Talos BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 AMP For Endpoints

32 Point-in-Time Defenses Automatically stop as many threats as possible, known and unknown One-to-one signature Offer better accuracy and dispositioning Fuzzy finger-printing Machine learning Improve to handle new & emerging threats Advanced analytics Dynamic analysis Protect your business with no lag BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 32

33 Point-in-time detection alone will never be 100% effective.

34 AMP Analysis AMP Retrospective Security Action In Cloud AMP Cloud AMP Cloud Threat Grid Sandbox Check Changes Change Interval Talos Who has seen these Files? Lookup Database DGA Talos Sandbox Parsing Analysis Initiate Retrospective Quarantine BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 34

AMP & CTA CTA Alerts Directly in AMP Console BRKSEC-2029 2016

Virus Total & Research Lab Integrations Virus Total Data Research Labs

Vulnerability Data CVE Associations Ranked by CVSS Score BRKSEC-2029

39 Demo

Demo Summary Determined Delivery Method Remote File Fetch Due to Low Prevalence Sandbox Determined Sample Malicious Retrospectively Quarantined

40 Demo Summary Determined Delivery Method Remote File Fetch Due to Low Prevalence Sandbox Determined Sample Malicious Retrospectively Quarantined Enriched With Threat Grid Automated through API Cisco Brand Exchange BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 40

41 Advanced Threat & AMP Everywhere

The AMP Everywhere Architecture AMP Protection across the Extended Network for an Integrated Threat Defense AMP Threat Intelligence Cloud remote endpoints AMP for Endpoints AMP on

Services AMP for Endpoints AMP on Web & Email Security Appliances CWS/CTA AMP on ISR with Firepower Services AMP on Cloud Web Security & Hosted Email Windows OS Android Mobile

42 The AMP Everywhere Architecture AMP Protection across the Extended Network for an Integrated Threat Defense AMP Threat Intelligence Cloud remote endpoints AMP for Endpoints AMP on Firepower NGIPS Appliance (AMP for Networks) Threat Grid Malware Analysis + Threat Intelligence Engine AMP Private Cloud Virtual Appliance AMP on Cisco ASA Firewall with Firepower Services AMP for Endpoints AMP on Web & Security Appliances CWS/CTA AMP on ISR with Firepower Services AMP on Cloud Web Security & Hosted Windows OS Android Mobile Virtual MAC OS CentOS, Red Hat Linux for datacenters AMP for Endpoints can be launched from AnyConnect BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 42

43 We are buried beneath the weight of information which is being confused with knowledge.

44 AMP Response Incident Response & Orchestration

45 I want to enrich all events and alerts so that I can detect, prioritize, correlate and respond to incidents by taking advantage of the capabilities of my infrastructure, effectively reducing the time to respond and remediate.

46 All Responders want: A Systemic response to attacks Context and cross-product intelligence for all phases of an attack To identify the scope and criticality of a breach To assess containment and remediation while taking risk of remediation actions into account To enable automation to better deal with enrichment and response actions Overall management with better integrations BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

48 Reminders

Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

49 Complete Your Online Session Evaluation Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card. Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us. Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

50 Continue Your Education Advanced Malware Protection [BRKSEC-2139] Eric Howard, Technical Marketing Engineer, Cisco Thursday, Jul 14, 10:30 a.m. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 50

51 Thank you

Cisco Advanced Malware Protection. May 2016

Cisco Advanced Malware Protection May 2016 The Reality Organizations Are Under Attack and Malware Is Getting in 95% of large companies targeted by malicious traffic 100% Cybercrime is lucrative, barrier