Next-generation firewall on the SF platform, access policies, file analysis, FireAMP and attack trajectories. Jiří Tesař, CSE Security, jitesar@cisco.com, CCIE #14558, SFCE #124266
Mapping Technologies to the Attack Continuum
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
- Firewall, VPN
- NGIPS
- Advanced Malware Protection
- NGFW/AVC
- UTM
- Web Security
- Network Behavior Analysis
- NAC + Identity Services
- Email Security
Visibility and Context
Cisco/Sourcefire Security Solutions
- FireSIGHT Management Center (appliances, virtual)
- Next-Generation Intrusion Prevention, Application Control, Contextual Awareness
- Advanced Malware Protection: FireAMP (hosts, virtual, mobile)
- Collective Security Intelligence
- FirePOWER Appliances (appliances, virtual)
Access Policy
FW integration with IPS: only a license is needed
Demo
Policy-Driven Visibility and Control: filter access and apply protection by application, user, and traffic path
Application Control Example: prevent BitTorrent
Web Access Filtering: URL, Category, Reputation
Security Intelligence: automatically updated blacklists
Geolocation: visibility, reports
Geolocation Blocking in Access Rules (NGFW)
- Define how traffic should be handled based on source and/or destination country
- Assign a different intrusion prevention policy based on country of origin
- Completely block all communications to a certain country
- Adds country objects to the access control policy
- A new tab in the network pane of the AC rules editor allows selection of country objects
- Selecting a country in an access control rule selects all IP addresses associated with that country
Updates from Cloud (VRT): IPS SW, vulnerabilities with platforms
Updates from Cloud (VRT): Snort Rules
Chaining FW with IPS and File Analysis
Advanced Malware Protection
Sourcefire Advanced Malware Protection with Retrospective Security
- Comprehensive: Network + Endpoint
- Continuous Analysis
- Integrated Response
- Big Data Analytics
- Control & Remediation
- Collective Security Intelligence
Our Approach for Advanced Malware Protection
Network AMP (Defense Center, Sourcefire Sensor):
- Retrospective Security
- Continuous File Analytics
- Reputation Determination
- AMP Malware license
- No need for a client
Client-based AMP (SaaS Manager):
- Small code (like a printer driver) on host and mobile devices
- Checking of file copying / execution / moving
- Traps fingerprint & attributes
- Queries the cloud for file disposition
Dynamic Analysis: Process Overview
- File detected on the FirePOWER appliance: calculates hashes; saves a copy if policy dictates*
- FireSIGHT Management: hash metadata sent to the AMP Cloud (via optional proxy*)
- AMP Cloud response, e.g.: Disposition = Unknown, Threat Score = Unknown*
- File is sent to the VRT Dynamic Analysis Cloud* (via optional proxy*) if policy dictates
- Dynamic analysis results*: analysis queue status, error status, threat score
Sourcefire Cloud Services: VRT Dynamic Analysis Cloud* (files), FireAMP Cloud (metadata / hashes)
* = New with 5.3
Advanced Malware Detection
Detection lattice considers content from each engine for real-time file disposition:
- One-to-One Signature
- Machine Learning
- Advanced Analytics
- Fuzzy Fingerprinting
- Dynamic Analysis
Cloud-based delivery results in better protection plus lower storage & compute burden
Private Cloud: Local Decision (VM)
Capability (Private Cloud vs. Public Cloud):
- File/Device Trajectory
- Threat Root Cause
- IOC and alerting
- Simple and Custom detection
- Cloud Lookups/Retrospective Alerting
- File Analysis (-)
Retrospective Security: Always Watching, Never Forgets, Turns Back Time
- Continuous Analysis: retrospective detection of malware beyond the event horizon
- Trajectory: determine scope by tracking malware in motion and activity
- File Trajectory: visibility across the organization, centering on a given file
- Device Trajectory: deep visibility into file activity on a single system
File Trajectory
Quickly understand the scope of a malware problem (Network + Endpoints). Looks ACROSS the organization and answers:
- What systems were infected?
- Who was infected first ("patient 0") and when did it happen?
- What was the entry point? When did it happen?
- What else did it bring in?
File Trajectory: Who was Patient 0? Introduction
File Trajectory: How is it distributed? Introduction; sent by mail (Thunderbird)
File Trajectory: What else happened? Click! View the progression and propagation of advanced malware throughout the environment
Network File Trajectory
- View the path a file took through the network to reach its destination
- Works with files of any disposition, not just malware
- Uses SHA256 to uniquely identify a file
- Available for file types where a SHA256 is calculated: PDF, EXE, JAR, SWF, Word, Excel, PowerPoint, etc.
- Requires a File Policy to be enabled, with malware detection or blocking as the file action (to generate the SHA256)
- File Trajectory link
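The slides above describe file trajectory as a set of questions answered by correlating every transfer of one SHA256 across the network: who received the file first, over which protocol, which hosts hold it now, and what those hosts received afterwards. The following Python is an added illustration of that correlation, not code from the presentation or from Cisco/Sourcefire; the `FileEvent` record, the host addresses, the protocols and the file bodies are all constructed for the example. It also shows why a hash rather than a filename is the key: the same body yields the same SHA256 no matter what it was called on each host.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileEvent:
    """One file transfer seen by a sensor (constructed record shape, not the product's)."""
    ts: datetime
    sha256: str
    src: str          # sending host
    dst: str          # receiving host
    proto: str        # application protocol the sensor saw
    disposition: str  # cloud verdict at the time: CLEAN, MALWARE or UNKNOWN


def sha256_of(data: bytes) -> str:
    """Fingerprint a file body with SHA256; the name the file carried is irrelevant."""
    return hashlib.sha256(data).hexdigest()


def trajectory(events, sha256):
    """All transfers of one file, oldest first."""
    return sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.ts)


def patient_zero(events, sha256):
    """First host to receive the file, when, the entry protocol and where it came from."""
    path = trajectory(events, sha256)
    if not path:
        return None
    first = path[0]
    return first.dst, first.ts, first.proto, first.src


def affected_hosts(events, sha256):
    """Receiving hosts in the order they first obtained the file (scope of an infection)."""
    seen = []
    for e in trajectory(events, sha256):
        if e.dst not in seen:
            seen.append(e.dst)
    return seen


def brought_in(events, sha256):
    """Other files that affected hosts received after they obtained this file
    ("what else did it bring in?"). Transfers before infection are not counted."""
    first_seen = {}
    for e in trajectory(events, sha256):
        first_seen.setdefault(e.dst, e.ts)
    return {e.sha256 for e in events
            if e.sha256 != sha256 and e.dst in first_seen and e.ts > first_seen[e.dst]}


def T(hour, minute):
    return datetime(2014, 4, 28, hour, minute)


# Constructed sample data: a dropper arrives by mail, spreads over SMB, and
# the infected hosts then fetch a second stage over HTTP. Addresses are
# documentation ranges, not real systems.
DROPPER_SHA = sha256_of(b"constructed dropper body")
PAYLOAD_SHA = sha256_of(b"constructed second-stage body")
BENIGN_SHA = sha256_of(b"constructed benign document")

EVENTS = [
    FileEvent(T(9, 30), BENIGN_SHA, "10.0.0.20", "10.0.0.11", "HTTP", "CLEAN"),
    FileEvent(T(10, 0), DROPPER_SHA, "203.0.113.5", "10.0.0.11", "SMTP", "UNKNOWN"),
    FileEvent(T(10, 5), DROPPER_SHA, "10.0.0.11", "10.0.0.12", "SMB", "UNKNOWN"),
    FileEvent(T(10, 7), PAYLOAD_SHA, "198.51.100.9", "10.0.0.11", "HTTP", "MALWARE"),
    FileEvent(T(10, 20), DROPPER_SHA, "10.0.0.12", "10.0.0.13", "SMB", "UNKNOWN"),
    FileEvent(T(10, 25), PAYLOAD_SHA, "198.51.100.9", "10.0.0.13", "HTTP", "MALWARE"),
]

if __name__ == "__main__":
    # When the cloud later convicts DROPPER_SHA retrospectively, the same
    # functions give the scope of the problem without re-scanning anything.
    print("patient zero:", patient_zero(EVENTS, DROPPER_SHA))
    print("affected hosts:", affected_hosts(EVENTS, DROPPER_SHA))
    print("brought in:", brought_in(EVENTS, DROPPER_SHA) == {PAYLOAD_SHA})
```

The dropper was UNKNOWN at every transfer; only once the hash is convicted does the stored trajectory become an incident scope, which is the retrospective point the deck makes. The benign document received by 10.0.0.11 before the dropper arrived is correctly excluded from "what else did it bring in".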
AMP configuration in FirePOWER
Device Trajectory
Break the reinfection lifecycle with fast root cause analysis (Endpoint). Looks DEEP into a device and helps answer:
- How did the threat get onto the system?
- How bad is my infection on a given device?
- What communications were made?
- What don't I know?
- What is the chain of events?
Device Trajectory
AMP Device Trajectory
AMP Context Explorer Details
AMP Context: IOCs (Indicators of Compromise)
- Monitor and analyse files' potential malware traits
- Monitors the now & retrospectively convicts files
- Filters and sorts the most important events
- Tells the analyst what is happening, to reduce TCO
- Quick links to trajectory
- Search for SHAs (fingerprints); list all computers that have the file
Sourcefire Advanced Malware Protection: complete solution suite to protect the extended network
- FireAMP for hosts, virtual and mobile devices
- Dedicated Advanced Malware Protection (AMP) appliance
- Advanced Malware Protection for FirePOWER (NGIPS, NGFW)
- Cisco Email and Web Security Appliances
New Advanced Malware Protection Appliances: more memory, storage, and CPU capacity for dedicated AMP processing
AMP7150:
- 500 Mbps of Adv. Malware Protection
- 120G storage
- AC power only
- 4 Fixed Copper (Configurable Bypass)
- 8 Non-bypass SFP ports
AMP8150:
- 2 Gbps of Adv. Malware Protection
- 400G storage
- AC and DC power options
- 3 x Netmod Slots
- No stacking
Using Security Intelligence
Security Intelligence in FireSIGHT (NGIPS & NGFW)
SI Events in a Separate Table:
- Enables improved SI event storage outside of connection events
- Enables improved dashboard views of SI data, e.g. hosts that have connected to CNC servers
What Kind of Events?
- Botnet C&C Traffic / Known Attackers / Open Proxies/Relays
- Malware, Phishing, and Spam Sources
- Allows creation of custom lists; download lists from Sourcefire or third parties
Security Intelligence View: Analysis > Connections > Security Intelligence
Indications of Compromise (IOC) (NGIPS)
Different Event Sources:
- IPS events (Snort)
- FireAMP events (endpoint)
- Malware events (network)
- Security Intelligence (network + endpoint)
What Do They Mean?
- Has it been targeted by a type of network attack? (Snort)
- Has it downloaded malware? (Snort, FireAMP, Malware)
- Has it executed malware? (FireAMP)
- Has it connected to a CNC server? (Snort, FireAMP, SI)
Welcome to Host and Event Correlation, IOC Style!
- Correlates different events with the hosts involved
- Another detection method and way of prioritizing the analyst's focus
- Similar to FireAMP capabilities but for the network
IOC Dashboard Widget: "What are the threats to my environment?" -> "What is owned in my environment?"
- Host
- Number of IOCs set against the host
- Click to expand
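The Security Intelligence and IOC slides above describe two steps: connection events are matched against a blacklist to produce SI events, and then events from Snort, FireAMP, network malware detection and SI are correlated per host into the four IOC questions, so that the dashboard widget can rank hosts by how many IOCs are set against them. The Python below is an added example of that correlation logic, not code from the presentation or from the FireSIGHT product; the event sources, event kind names, blacklist entries, host addresses and the rule table are constructed for the illustration.

```python
from collections import defaultdict

# Constructed Security Intelligence list: responders treated as known CNC servers.
CNC_BLACKLIST = {"198.51.100.9", "203.0.113.77"}

# Which IOC category a (source, event kind) pair sets on a host. The four
# categories are the questions from the slide; the kind names are constructed.
IOC_RULES = {
    ("snort", "exploit_attempt"):   "targeted by network attack",
    ("snort", "malware_download"):  "downloaded malware",
    ("snort", "cnc_traffic"):       "connected to CNC server",
    ("malware", "threat_detected"): "downloaded malware",
    ("fireamp", "threat_detected"): "downloaded malware",
    ("fireamp", "threat_executed"): "executed malware",
    ("fireamp", "cnc_connection"):  "connected to CNC server",
    ("si", "cnc_connection"):       "connected to CNC server",
}


def si_events(connections, blacklist=CNC_BLACKLIST):
    """Derive SI events from connection events. Each connection is
    (initiator, responder); a hit is recorded against the initiating host."""
    return [("si", src, "cnc_connection") for src, dst in connections if dst in blacklist]


def correlate(events):
    """Map each host to the set of IOC categories its events set. Several
    sources reporting the same category (e.g. Snort and the network malware
    engine both seeing a download) set that IOC once, not twice."""
    iocs = defaultdict(set)
    for source, host, kind in events:
        category = IOC_RULES.get((source, kind))
        if category:
            iocs[host].add(category)
    return dict(iocs)


def rank_hosts(iocs):
    """Widget order: hosts with the most IOC categories first, ties by address."""
    return sorted(((host, len(cats)) for host, cats in iocs.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample data. 10.0.0.11 is attacked, downloads and runs malware,
# then calls a blacklisted server; 10.0.0.12 only sees an exploit attempt;
# 10.0.0.13 receives malware and contacts a CNC server; 10.0.0.14 is only
# port-scanned, which has no IOC rule and therefore sets nothing.
CONNECTIONS = [
    ("10.0.0.11", "198.51.100.9"),
    ("10.0.0.12", "93.184.216.34"),
    ("10.0.0.13", "203.0.113.77"),
]
EVENTS = [
    ("snort", "10.0.0.11", "exploit_attempt"),
    ("snort", "10.0.0.11", "malware_download"),
    ("malware", "10.0.0.11", "threat_detected"),
    ("fireamp", "10.0.0.11", "threat_executed"),
    ("snort", "10.0.0.12", "exploit_attempt"),
    ("fireamp", "10.0.0.13", "threat_detected"),
    ("snort", "10.0.0.14", "port_scan"),
] + si_events(CONNECTIONS)


def widget():
    """What the dashboard widget would list: (host, number of IOCs)."""
    return rank_hosts(correlate(EVENTS))


if __name__ == "__main__":
    for host, count in widget():
        print(host, count, sorted(correlate(EVENTS)[host]))
```

Keeping SI hits in their own event stream, as the slide says FireSIGHT does, is what makes the "hosts that connected to CNC servers" view cheap: the widget reads the derived events rather than scanning every connection record again.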
A host profile view
IOC Data In Context Explorer
Demonstration @ Defense Center
- Traffic Anomaly -> Context Explorer
- C&C communication -> Security Intelligence
- Really dangerous attacks -> Impact Flag
- Suspicious activity -> Indicators of Compromise
- Malware trajectory -> Network AMP
- Suspicious file threat score -> AMP, file capture
- Policy violation -> Correlation dashboard
- Reporting -> Templates, Scheduling
2013-2014
Q&A
Please rate this talk. Thank you.
Backup Slides
Reports
Reports: can be launched directly from the dashboard
Reports: template created from the dashboard
Custom Report Designer: templates can be customized or created
Report: Malware Threats
Sections (Time Window: 2014-04-28 14:50:16 to 2014-04-28 20:50:16): Malware Threats; Application Protocols Transferring Malware; Threat Detections over Time
Constraints: Event Type = Threat Detected
Threat Name / Count:
- W32.Trojan.Breach.VRT: 178
- CryptRedol:FakeAlert-tpd: 141
- FakeAlert:XPACK-tpd: 141
- Packed_NSPack:Bifrose-tpd: 82
- Lamechi:Downloader-tpd: 78
- Trojano:VBTroj-tpd: 75
- Troxa:Kunkka-tpd: 75
- Bifrose:Trojan-tpd: 74
- MalwareF:Trojan-tpd: 64
- Packed_NSPack:Backdoor-tpd: 52
- Troj_Generic:Small-tpd: 48
- Suspicious_F:Downloader-tpd: 44
- Troxa:Rootkit-tpd: 40
- Goldun-tpd: 39
- Kunkka:Troxa-tpd: 38
- Application:BHO-tpd: 37
- Lamechi:MalOb-tpd: 37
- Downloader:Trojano-tpd: 36
- Bifrose:Pakes-tpd: 36
- Goldun:Sality-tpd: 34
Application Protocol / Count:
- HTTP: 6,619
Hosts Receiving Malware (Time Window: 2014-04-28 14:50:16 to 2014-04-28 20:50:16; Constraints: Event Type = Threat Detected)
Receiving IP / Count:
- 255.255.255.255: 153
- 172.16.0.96: 35
- 10.110.10.70: 35
- 64.4.121.227: 33
- 10.110.10.207: 32
- 192.168.0.221: 27
- 10.110.10.69: 27
- 10.131.12.161: 26
- 64.4.23.145: 26
- 128.0.87.8: 25
- 131.75.18.56: 25
- 10.120.10.51: 23
- 10.0.108.9: 9
- 10.0.192.148: 7
- 10.0.57.21: 7
- 10.0.37.104: 7
- 10.0.37.117: 6
- 10.0.168.109: 6
- 10.0.231.20: 6
Report: Malware Threats (continued)
Hosts Sending Malware (Time Window: 2014-04-28 14:50:16 to 2014-04-28 20:50:16; Constraints: Event Type = Threat Detected)
Sending IP / Count:
- 255.255.255.255: 118
- 192.168.0.6: 34
- 32.5.65.242: 33
- 204.16.109.235: 33
- 69.27.40.174: 31
- 10.112.10.180: 29
- 10.131.13.211: 27
- 192.168.0.123: 26
- 172.16.0.167: 25
- 128.0.18.102: 25
- 172.16.141.39: 25
- 204.16.62.200: 24
- 10.0.69.136: 11
- 10.0.164.120: 10
- 172.16.0.94: 9
- 10.0.231.105: 9
- 10.0.57.66: 9
- 10.0.95.22: 9
- 10.0.231.28: 9
- 10.0.112.147: 9
Malware Intrusions (Time Window: 2014-04-28 14:50:16 to 2014-04-28 20:50:16; Constraints: Message = BLACKLIST,MALWARE)
Message / Count:
- OS-WINDOWS Microsoft Malware Protection Engine file processing denial of service attempt (1:17306): 11
File Types Infected with Malware (Time Window: 2014-04-28 14:50:16 to 2014-04-28 20:50:16; Constraints: Event Type = Threat Detected)
File Type / Count:
- MSEXE: 5,981
- PDF: 515
- RAR: 73
- ZIP: 50
Users Affected by Malware (Time Window: 2014-04-28 14:50:16 to 2014-04-28 20:50:16)
User / Count: (no rows)
Reports
Custom Reports Designer
Q&A