Cisco Research & Teaching Forum for Mecklenburg-Vorpommern
Cisco Security Exposed Through the Cyber Kill Chain
Rene Straube, CSE, Cisco Advanced Threat Solutions
January 2017
The Cisco Security Model
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Coverage: Network, Endpoint, Mobile, Virtual, Cloud
Threat Intelligence
Point in Time (X) vs. Continuous
Based on Lockheed Martin's Cyber Kill Chain
Phases: Preparation, Intrusion, Active Breach
1. Reconnaissance: Harvest information to create attack strategy and toolset
2. Weaponization: Coupling exploit with backdoor into deliverable payload
3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: Exploiting a vulnerability to execute code on victim's system
5. Installation: Installing malware on the asset
6. Command & Control: Command channel for remote manipulation of victim's system
7. Actions on Objectives: With hands-on-keyboard access, intruders accomplish
1. Reconnaissance: Harvest information to create attack strategy and toolset
Information gathered: OS, AV, applications, ports, personal information
Reduce your threat exposure
- Network Firewalling: Block unauthorized access and activity by controlling traffic flow
- Application Visibility and Control (AVC): Tailor application behavior to reduce attack surface and risk of data loss
- URL Filtering: Restrict access to specific sites and sub-sites, as well as categories of sites
- VPN Capabilities: Protect both site-to-site connections and remote users with granular control
- Next Generation Intrusion Prevention System (NGIPS): Detect and prevent threats from entering your network
Get more with advanced intelligence and integrated defense
Shared intelligence (Talos) and shared contextual awareness across: Radware DDoS, URL, Network analysis, Email, Threats, Identity & NAC, DNS, Firewall
Visibility and consistent policy enforcement through Firepower Management Center on the Firepower 4100 Series and the Firepower 9300 Platform
Security Solution Starts with Cisco ASA
Virtual ASA (ASAv): Full ASA feature set; hypervisor independent; virtual switch agnostic; dynamic scalability. ASAv is available on VMware, KVM, Hyper-V and AWS today.
Physical ASA 5585-X: 16-way clustering with state synchronization; scalable to 640 Gbps.
Cisco NGFW Platforms
- New appliances: Firepower 4100 Series and Firepower 9300
- Firepower Services on ASA 5500-X
- Firepower Services on ASA 5585-X
All* managed by Firepower Management Center
*5585-X management available 2H 16 (pre-commit date)
Introducing Cisco Identity Services Engine (ISE)
A centralized security solution that automates context-aware access to network resources and shares contextual data (physical or VM)
Identity, profiling and posture feed role-based policy for access to network resources: Who, What, When, Where, How
Use cases: Guest access, BYOD access, role-based access, context-based and compliant secure access
Traditional network access vs. Cisco TrustSec; ISE acts as the pxGrid controller
Control It All from a Single Location: Network, Data, and Application
- Secure access from any location, regardless of connection type (wired, wireless, VPN)
- Apply access and usage policies across the entire network (headquarters, branch, remote user)
- Monitor access, activity, and compliance of noncorporate assets (guest, enterprise mobility, contractor, partner); take containment actions when needed
Enhance Control with Location-Based Authorization, with the Integration of Cisco Mobility Services Engine (MSE)
What's new for Cisco ISE 2.0? The integration of Cisco Mobility Services Engine (MSE) adds the physical location of a user and/or endpoint to the context by which access is authorized.
Benefits:
- Granular control of network access with location-based authorization for individual users
- Enhanced policy enforcement with automated location check and reauthorization
- Simplified management by configuring authorization with Cisco ISE management tools
Location-Based Authorization: the admin defines a location hierarchy and grants users specific access rights based on their location.
Example: patient data access for the Doctor role by location. Lobby: no access to patient data; Patient Room: access to patient data; Lab: no access to patient data; ER: access to patient data.
Capabilities:
- Enables configuration of location hierarchy across all location entities
- Applies Cisco MSE location attributes to the access request, to be used in the authorization policy
- Checks Cisco MSE periodically for location changes
- Reauthorizes access based on the new location
2. Weaponization: Coupling exploit with backdoor into deliverable payload
Attacker tooling: exploit kits, AV evasion, obfuscation, rootkit
Reputation Filtering and Behavioral Detection
Reputation Filtering: One-to-One Signature; Fuzzy Fingerprinting; Machine Learning
Behavioral Detection: Indications of Compromise; Dynamic Analysis; Advanced Analytics; Device Flow Correlation
Continuous Protection
AMP ThreatGrid
3. Delivery: Delivering weaponized bundle to the victim via email, web, USB, etc.
Delivery vectors: phishing, watering hole, malvertising
Most dangerous threats
Watering hole. Approach: infect or inject a trusted site. Tactic: conduct reconnaissance on a target. Impact: deliver an exploit that will attack.
Spear phishing. Approach: target users through compromised links. Tactic: leverage social engineering. Impact: deliver an exploit that will attack.
Dropper. Approach: deliver malware with stealth and self-deleting programs. Tactic: gain access through DLL injection and control firewalls, antivirus, etc. Impact: compromises system control, personal data and authorizations.
2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Cisco Email Security (Overview)
Deployment: Appliance, Virtual, Cisco Cloud; threat intelligence from Talos
Inbound email controls (before, during and after the threat): Email Reputation, Mail Flow Policies, Acceptance Controls, Anti-Spam, Anti-Virus, File Reputation (ThreatGrid), Graymail Management, Safe Unsubscribe, Content Controls, URL Reputation & Categorization, Outbreak Filters, Anti-Phish, File Sandboxing & Retrospection, Tracking User Click Activity (Anti-Phish)
Outbound email controls (outbound liability, HIPAA): Before: Mail Flow Policies; During: Anti-Spam and Anti-Virus, Data Loss Protection, Encryption
Verdicts: Allow, Warn, Block, Partial Block
Management (HQ admin): Reporting, Message Tracking
Cisco Email Security Integration with Threat Intelligence: Built on Unmatched Collective Security Analytics
Threat intelligence sources feeding Cisco Talos research and response: Email (ESA), Endpoints, Web, Networks, IPS, Devices
- 1.6 million global sensors
- 100 TB of data received per day
- 150 million+ deployed endpoints
- 600+ engineers, technicians, and researchers
- 35% of worldwide email traffic
- 13 billion web requests
- 24x7x365 operations
- 40+ languages
- 180,000+ file samples per day
- FireAMP community
- Advanced Microsoft and industry disclosures
- Snort and ClamAV open source communities
- Honeypots
- Sourcefire AEGIS program
- Private and public threat feeds
- Dynamic analysis
Cisco Web Security Appliance (WSA)
Deployment: Appliance, Virtual; threat intelligence from Talos; integration with Cisco ISE
Controls (before, during and after the threat): Client Authentication Technique, Web Reputation, Web Filtering, Application Visibility and Control, Cloud Access Security, Parallel AV Scanning, File Reputation, Data-Loss Prevention, File Sandboxing, Cognitive Threat Analytics*, File Retrospection
Traffic redirection options: WCCP, Load Balancer, Explicit/PAC, PBR, AnyConnect Client
Locations: HQ, Campus Office, Branch Office, Roaming User
Management (HQ admin): Reporting, Log Extraction
Verdicts: Allow, Warn, Block, Partial Block
Who Resolves Your DNS Requests? Leveraging a Single Global Recursive DNS Service
CHALLENGES:
- Multiple Internet Service Providers
- Direct-to-Internet Branch Offices
- Users Forget to Always Turn VPN On
- Different DNS Log Formats
BENEFITS:
- Global Internet Activity Visibility
- Network Security w/o Adding Latency
- Consistent Policy Enforcement
- Internet-Wide Cloud App Visibility
Off-network clients (Home Users, Mobile Devices, Roaming Laptops, Remote Sites) resolve through whichever ISP or mobile carrier they are connected to.
Enterprise Location A: Internal InfoBlox Appliance; Enterprise Location B: Internal Windows DNS Server; Enterprise Location C: Internal BIND Server; each forwarding via ISP 1, ISP 2 or ISP 3.
Internal servers remain authoritative DNS for intranet domains; the global service provides recursive DNS for Internet domains.
4. Exploitation: Exploiting a vulnerability to execute code on victim's system
Enablers: day-0 (zero-day) vulnerabilities, unpatched systems, social engineering
Rest Assured That Cisco ISE Is Keeping Track
ISE identifies the device, checks posture, helps ensure policy compliance, and quarantines non-compliant devices; Enterprise Mobility Management (EMM) integrations
Posture checks: AV installed? Registered? Custom criteria? Vulnerable? OS patches?
Vulnerable Endpoints
5. Installation: Installing malware on the asset
Techniques: rootkit, AV evasion
Protection Across Networks (Network, Endpoint, WWW, Content)
The Network platform uses indications of compromise, file analysis, and, in this example, file trajectory to show you exactly how malicious files have moved across the environment.
Protection Across Endpoints (Network, Endpoint, WWW, Content)
The Endpoint platform has device trajectory, elastic search, and outbreak control, which in this example is shown quarantining recently detected malware on a device that has the AMP for Endpoints connector installed.
Protection Across Web and Email (Network, Endpoint, WWW, Content)
Cisco AMP for Web and Email protects against malware threats in web and email traffic by blocking known malware and issuing retrospective alerts when unknown files are convicted.
6. Command & Control: Command channel for remote manipulation of victim's system
Techniques: encryption; use of known legitimate apps (Twitter, SSH)
Turn-Key and API-Based Integrations: Works with what you already have
Threat detection tools, threat analysis & intel feeds, threat intel platforms, other partner systems and custom sources supply Indicators of Compromise to Umbrella.
Umbrella (enforcement & visibility) logs or blocks domains sent from partner or custom systems.
7. Actions on Objectives: With hands-on-keyboard access, intruders accomplish
Techniques: multiple hops to cover tracks; compromised 3rd-party machines; ecosystem
Cyber Threat Defense Dashboard: Active Alarms, Alarms, Top Applications, Flow collection trend
Dynamic Flow Analysis: Results and Actions; conversational or tabular view; faceted filtering of results; enhanced Quick View