Cisco Advanced Malware Protection (AMP) against WannaCry

"A false sense of security is worse than a true sense of insecurity"

Senad Aruc, Consulting Systems Engineer, Advanced Threats Group
Nils Roald, Advanced Threats Group North Sales Leader

Hello world, this is WannaCry
- New ransomware variant; began compromising systems on May 12
- Exploits MS17-010 using tools leaked by the Shadow Brokers

Why was defense in depth useless against WannaCry?
- The current defense-in-depth approach is built on binary detection: known threats are blocked, good files make it through, and unknown threats are simply passed on to the next system in the chain (NGFW, NGIPS, ESA, WSA, Endpoint, ISR).
- Single points of inspection have their limitations.

Propagation / Infection Vectors
- Scans the local IP subnet on TCP port 445
- ETERNALBLUE (exploit) and DOUBLEPULSAR (backdoor)
- Scans external IPs
- So far there are more than 400 unique samples in the wild!

Race against time (campaign start timer: 00:01)
- Attacker uses ETERNALBLUE (RCE / exploit) and DOUBLEPULSAR against a Cisco 4EP customer with more than 10K connectors
- The compromised server serves GET /WannaCry: a file with an unknown sha256 and low prevalence (Low Prevalence feature ACTIVE)
- The file is analyzed in the ThreatGrid malware sandbox (cloud): 7 min

Velocity of propagation (charts): honeypot TCP 445 connections over time; kill-switch domain DNS queries over time

Infection process (DEMO)
- mssecsvc.exe is dropped and checks the kill switch (HTTP GET)
- Creates the service mssecsvc2.0 and executes it
- Scans TCP 445 and spreads using ETERNALBLUE / DOUBLEPULSAR
- Drops and executes tasksche.exe, which drops taskdl.exe, taskse.exe and Tor.exe and executes @wannadecryptor@.exe
- Encrypts files (RSA 2048)
- Deletes temp files

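The chain above is what endpoint telemetry can be correlated against. The following is an added example (not Cisco's or AMP's code) that parses a constructed event log and flags a host only when several stages of the chain line up on it: the mssecsvc2.0 service creation, execution of the dropper binaries named on the slide, @wannadecryptor@.exe (using the slide's spelling), and outbound fan-out on TCP 445. The event format, field names, host names and sample lines are all assumptions made for the example; a couple of SMB connections from one workstation is normal and is deliberately not enough to alert.

```python
"""Correlate endpoint telemetry against the WannaCry infection chain.

Added example; not Cisco's or AMP's code. The event format, field names
and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed telemetry, one event per line: "<ts> <host> <EVENT> key=value ..."
SAMPLE_LOG = """\
2017-05-12T10:00:01 ws-017 SERVICE_CREATED name=mssecsvc2.0 image=mssecsvc.exe
2017-05-12T10:00:02 ws-017 PROCESS_START parent=mssecsvc.exe image=tasksche.exe
2017-05-12T10:00:03 ws-017 NET_CONNECT proto=tcp dst=10.1.4.7 dport=445
2017-05-12T10:00:03 ws-017 NET_CONNECT proto=tcp dst=10.1.4.8 dport=445
2017-05-12T10:00:03 ws-017 NET_CONNECT proto=tcp dst=10.1.4.9 dport=445
2017-05-12T10:00:04 ws-017 NET_CONNECT proto=tcp dst=10.1.4.10 dport=445
2017-05-12T10:00:04 ws-017 NET_CONNECT proto=tcp dst=10.1.4.11 dport=445
2017-05-12T10:00:09 ws-017 PROCESS_START parent=tasksche.exe image=@wannadecryptor@.exe
2017-05-12T10:05:00 ws-042 PROCESS_START parent=explorer.exe image=notepad.exe
2017-05-12T10:05:01 ws-042 NET_CONNECT proto=tcp dst=10.1.0.20 dport=445
2017-05-12T10:05:02 ws-042 NET_CONNECT proto=tcp dst=10.1.0.21 dport=445
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<rest>.*)$")
# Dropper / helper binaries named on the slide (matched case-insensitively)
DROPPERS = {"tasksche.exe", "taskdl.exe", "taskse.exe", "tor.exe"}


def _kv(rest):
    """Split 'k=v k=v' into a dict; tokens without '=' are ignored."""
    out = {}
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
    return out


def correlate(log_text, scan_threshold=5):
    """Return {host: sorted list of chain stages observed on that host}.

    A single stage on its own (e.g. a few SMB connections to file servers)
    is normal; hosts with no stage at all are not included in the result.
    """
    stages = defaultdict(set)
    smb_targets = defaultdict(set)   # host -> distinct TCP/445 destinations
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        host, event, kv = m["host"], m["event"], _kv(m["rest"])
        image = kv.get("image", "").lower()
        if event == "SERVICE_CREATED" and kv.get("name", "").lower() == "mssecsvc2.0":
            stages[host].add("service_mssecsvc2.0")
        elif event == "PROCESS_START" and image in DROPPERS:
            stages[host].add("dropper_executed")
        elif event == "PROCESS_START" and image == "@wannadecryptor@.exe":
            stages[host].add("decryptor_executed")
        elif event == "NET_CONNECT" and kv.get("dport") == "445":
            smb_targets[host].add(kv.get("dst"))
            # Worm-like behaviour: many distinct SMB targets from one host
            if len(smb_targets[host]) >= scan_threshold:
                stages[host].add("smb_445_fanout")
    return {host: sorted(s) for host, s in stages.items()}


def alerts(log_text, min_stages=2, scan_threshold=5):
    """Hosts on which at least `min_stages` stages of the chain were observed."""
    seen = correlate(log_text, scan_threshold)
    return sorted(h for h, s in seen.items() if len(s) >= min_stages)


if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_LOG).items():
        print(host, seen)
    print("alert:", alerts(SAMPLE_LOG))
```

Requiring two or more stages per host is the design choice worth copying: each observable alone (a new service, a process named like a dropper, a handful of SMB connections) produces false positives, while the combination on one host within the same window is the infection chain the slide describes.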
Mitigation
- Apply the MS17-010 patch to your systems; Microsoft has also released this update for XP / Server 2003 systems
- Block ALL inbound/outbound SMB traffic on ports 139 and 445
- Snort rules: 42329-42332 DoublePulsar (April 25); 42340 Anonymous SMB (April 25); 41978 Samba buffer overflow (March 14)

Prevention
- Use an actively supported operating system that receives security updates
- Implement an effective patch management process
- Implement a disaster recovery plan to back up and restore systems

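Two of the items above can be checked from network data: whether SMB (139/445) is actually crossing the perimeter in either direction, which is what the "block all inbound/outbound SMB" rule removes, and how many internal hosts are resolving the kill-switch domain, which the propagation charts above use as a measure of infection attempts (the dropper queries the domain whether or not it resolves). The following is an added example, not Cisco's or AMP's code; the flow and DNS log formats and all sample lines are constructed, internal address space is assumed to be RFC 1918, and the kill-switch domain is a placeholder because the slides do not name it.

```python
"""Audit perimeter flows for SMB exposure and count kill-switch lookups.

Added example; not Cisco's or AMP's code. Log formats, sample lines and the
kill-switch domain below are constructed placeholders.
"""
import ipaddress
from collections import Counter

KILL_SWITCH_DOMAIN = "killswitch-domain.example"   # placeholder, not the real domain
SMB_PORTS = {139, 445}
# Assumption: internal address space is RFC 1918
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "<ts> <src> <dst> <proto> <dport>"
SAMPLE_FLOWS = """\
# ts src dst proto dport
2017-05-12T10:00:03 10.1.4.9 10.1.4.20 tcp 445
2017-05-12T10:00:04 10.1.4.9 203.0.113.7 tcp 445
2017-05-12T10:00:05 10.1.4.9 198.51.100.3 tcp 445
2017-05-12T10:00:06 198.51.100.9 10.1.4.30 tcp 139
2017-05-12T10:00:07 10.1.4.9 10.1.0.53 udp 53
"""

# Constructed DNS query log: "<ts> <client> <qname>"
SAMPLE_DNS = """\
2017-05-12T10:00:02 10.1.4.9 killswitch-domain.example
2017-05-12T10:00:02 10.1.4.31 killswitch-domain.example.
2017-05-12T10:00:09 10.1.4.9 www.example.com
"""


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def smb_crossing_perimeter(flow_text):
    """Return (direction, src, dst, dport) for SMB flows that cross the boundary.

    Internal-to-internal SMB is left alone (file servers are normal); only
    traffic that the 139/445 perimeter block would have stopped is reported.
    """
    findings = []
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, proto, dport = line.split()
        dport = int(dport)
        if proto != "tcp" or dport not in SMB_PORTS:
            continue
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and not dst_in:
            findings.append(("outbound", src, dst, dport))   # internal host scanning outward
        elif dst_in and not src_in:
            findings.append(("inbound", src, dst, dport))    # exposed SMB reachable from outside
    return findings


def kill_switch_lookups(dns_text, domain=KILL_SWITCH_DOMAIN):
    """Count kill-switch domain queries per client; each client is a host to triage."""
    counts = Counter()
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if qname.rstrip(".").lower() == domain.lower():
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in smb_crossing_perimeter(SAMPLE_FLOWS):
        print("SMB across perimeter:", finding)
    print("kill-switch lookups:", kill_switch_lookups(SAMPLE_DNS))
```

Hosts reported by kill_switch_lookups are worth checking even when the domain resolves and the sample therefore exits: the lookup only happens because the dropper is already running there.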
AMP architecture: public cloud & Threat Grid SaaS, or on-premise private cloud
- Cisco Talos and Threat Grid (cloud): disposition lookup, static/dynamic analysis
- On-premise private cloud (VMware ESXi) with the Threat Grid appliance
- Customer site: AMP for Endpoints (Windows, Mac OS X, Linux RedHat/CentOS, Android), content security (ESA, WSA), Firepower (NGFW, NGIPS), ISE
- Retrospective security: continuous monitoring (move, copy, execute), outbreak controls, vulnerable applications, file low prevalence, automatic and manual dynamic analysis, Elasticsearch, OpenIOCs

AMP: helping you detect and mitigate threats that have evaded your defenses
- Make the unknown, known
- See once, block everywhere
- Accelerate security response

Detect and mitigate threats in your environment faster (Make the unknown, known / See once, block everywhere / Accelerate security response)
- Typical incident: initial device compromised; malicious file downloads launched; no threat symptoms displayed; information sent from an internal server? IoC identified? Customer data compromised.
- In most networks there's no way to see threat progression or origin.
- AMP continuously records all activity, so with AMP you can trace back threat activity to its origin, contain the threat, and remediate incidents quickly.

Supercharge your existing security infrastructure (Make the unknown, known / See once, block everywhere / Accelerate security response)
- Protect, detect, and respond across your environment: sandboxing, cloud, NGFW, NGIPS, Endpoint, WSA, ESA, ISR, Talos
- Automatically block threats seen outside your network
- APIs augment the functionality of Cisco and 3rd-party products; API integration with 3rd-party products makes everything in your network better

Empower your team to act faster and decrease the impact of an incident (Make the unknown, known / See once, block everywhere / Accelerate security response)
- Understand, with precision, which alerts need further investigation
- Accelerate investigations and reduce management complexity
- Eliminate time-consuming and error-prone tasks
- Automate intelligence-driven security responses

What about the integration and automation efforts?
Threat intel, SIEM, malware analysis, network edge, datacenter, branch routers, email gateways, endpoint

With AMP, you get both across your entire environment: Talos cloud, Threat Grid, NGFW, NGIPS, ISR, CES / ESA, WSA / SIG, Endpoint

AMP's secrets: external (Talos) vs internal (AMP) threat intelligence? (illustration: a thief outside a house)

Solution Integration: Cisco Portfolio
Stealthwatch (network), ISR/ASR, ISE, Cloudlock, Umbrella, Meraki, Advanced Malware Protection, Threat Grid, Email, Web (WWW), NGFW/NGIPS, sharing events, threat intel, policy and context

Solution Integration: Rapid Threat Containment. Automatically defend against threats with Firepower and ISE
1. A corporate user downloads a file, not knowing it's actually malicious
2. FMC aggregates and correlates sensor data
3. FMC alerts ISE; ISE then changes the user's/device's access policy to "suspicious"
4. Based on the new policy, network enforcers automatically restrict access
5. The device is quarantined for remediation or mitigation

AMP by the numbers
- 22,000+ customers (~29K with Meraki); 1,500+ new customers added each quarter
- 2,200+ total AMP for Endpoints customers; 7M+ active AMP for Endpoints connectors
- 40+ AMP for Endpoints customers with 10K+ connectors; the largest AMP for Endpoints customer has 100K+ deployed
- ~14% EDR market share (Gartner EDR Market Guide)
- Platforms: PC, Mac, Linux, Mobile; Cloud (N.A.)
- Peak queries per second: 134 thousand; peak queries per day: 5 billion
- Research & efficacy data: 43% of Threat Grid detections did not exist in VirusTotal at time of detection; 35% of Talos detections did not exist in VirusTotal at time of detection; 21% of all detections in December were retrospective

Q/A

IDC names Cisco AMP for Endpoints a Leader: IDC research states that Cisco provides comprehensive protection against targeted attacks, amongst other benefits, in their latest report.
AMP is rated number one: it achieved a 99.2% security effectiveness rating in recent tests by NSS Labs.
News (Security): Cisco AMP for Endpoints meets PCI and HIPAA requirements for compliance

Cisco Threat Grid: Unified Malware Analysis and Threat Intelligence Platform
- An analyst or a system (via the API) submits a suspicious, low-prevalence or unknown sample to Threat Grid
- An automated engine observes, deconstructs, and analyzes it using multiple techniques: proprietary static and dynamic analysis, 400+ behavioral indicators, Glovebox remote interaction, an "outside looking in" approach
- The Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (sample and artifact intelligence database, big data correlation)
- Actionable threat content and intelligence is generated (threat score / behavioral indicators, threat feeds) that can be utilized by AMP, packaged and integrated into a variety of existing systems, or used independently
- Cloud power and scale; context-based malware analytics; premium & custom threat feeds; two-way REST API for integration

Proactive Protection Tools: Prevent
Close attack pathways, uncover stealthy malware, and reverse-analyze suspicious threats.
- Vulnerabilities: the vulnerabilities feature shows you, across all of your endpoints, all the software on your systems that's vulnerable to malicious attacks, so you can patch it and close any potential attack pathway.
- Low Prevalence: the low prevalence feature shows you applications on endpoints that are flying under the radar, and lets you take a closer look to see whether any malicious behavior is happening.
- Built-In Sandboxing: built-in sandboxing powered by Threat Grid lets you submit a file for analysis against over 700 behavioral indicators, so you can see what that file is trying to do and whether it's bad. AMP will then automatically block and quarantine the file.

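The low prevalence idea used above, and in the "race against time" timeline earlier (an unknown sha256 with low prevalence), comes down to counting on how many hosts each executable hash has been seen and surfacing the rare ones for a closer look. The following is an added example, not Cisco's or AMP's code: it computes that over a constructed per-host inventory, where the hash values are placeholders rather than real SHA-256 digests, the fraction threshold is a parameter chosen for the example, and an allowlist lets known-good rare binaries (a custom line-of-business tool) be suppressed.

```python
"""File prevalence across an endpoint fleet.

Added example; not Cisco's or AMP's code. The inventory format, host names
and hash values are constructed placeholders (not real SHA-256 digests).
"""
from collections import defaultdict

# Constructed inventory of executables observed per host: "<host> <hash> <image>"
SAMPLE_INVENTORY = """\
ws-001 aaaa0001 svchost.exe
ws-002 aaaa0001 svchost.exe
ws-003 aaaa0001 svchost.exe
ws-004 aaaa0001 svchost.exe
ws-001 bbbb0002 chrome.exe
ws-002 bbbb0002 chrome.exe
ws-003 bbbb0002 chrome.exe
ws-004 cccc0003 tasksche.exe
ws-002 dddd0004 lob-reporting-tool.exe
"""


def load_inventory(text):
    """Return ({hash: set of hosts}, {hash: image name}, set of all hosts)."""
    hosts_by_hash, image_by_hash, fleet = defaultdict(set), {}, set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, digest, image = line.split(maxsplit=2)
        hosts_by_hash[digest].add(host)
        image_by_hash[digest] = image
        fleet.add(host)
    return hosts_by_hash, image_by_hash, fleet


def low_prevalence(text, max_fraction=0.25, allowlist=frozenset()):
    """Files seen on at most `max_fraction` of the fleet, excluding allowlisted hashes.

    Returns a list of (hash, image, sorted hosts), rarest first. Low prevalence
    is a triage signal, not a verdict: an in-house tool is rare too, which is
    why this produces a list to investigate rather than a list to block.
    """
    hosts_by_hash, image_by_hash, fleet = load_inventory(text)
    limit = max_fraction * len(fleet)          # fleet size comes from the inventory itself
    rare = [(digest, image_by_hash[digest], sorted(hosts))
            for digest, hosts in hosts_by_hash.items()
            if digest not in allowlist and len(hosts) <= limit]
    return sorted(rare, key=lambda r: (len(r[2]), r[0]))


if __name__ == "__main__":
    for digest, image, hosts in low_prevalence(SAMPLE_INVENTORY):
        print(f"{digest} {image} seen on {len(hosts)} host(s): {', '.join(hosts)}")
```

The output lists which hosts carry each rare file, which is the starting point for the "closer look" the slide describes: submitting the file to sandboxing and checking the process activity on those hosts.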