Behind the Curtain: Exposing Advanced Threats


Upload: cisco-canada

Post on 21-Feb-2017


TRANSCRIPT

Page 1: Behind the Curtain: Exposing Advanced Threats

Sean Earhard
Advanced Threat Solutions
[email protected] / 647-988-4945

Jean-Paul Kerouanton
Advanced Threat Solutions CSE
[email protected] / 647-929-5938

AMP: EXPOSING ADVANCED THREATS

Page 2: Behind the Curtain: Exposing Advanced Threats

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

HOW QUICKLY CAN YOUR TEAM—AND YOUR SECURITY VENDORS—DELIVER THE ANSWERS TO THESE QUESTIONS:

WHERE DID IT ORIGINATE?

HOW DID IT SUCCEED?

HOW MANY MACHINES/USERS?

WHAT IS IT DOING NOW?

HOW CAN IT BE STOPPED?

WITH 100% CONFIDENCE?

Page 3: Behind the Curtain: Exposing Advanced Threats


24 HOURS IN ENTERPRISE SECURITY: 2016 vs. 2015

                                                                    2016    2015
Systems will successfully stop a threat                               72      32
Systems will be found to be breached                                   6      24
Breached systems will have been breached for over a week               1       3
Deployed systems having vulnerable software                          48%     28%
More likely to be breached if a vulnerable application exists        62%     39%
More likely to be breached if they have been breached in the past    35%     38%

Page 4: Behind the Curtain: Exposing Advanced Threats

TYPICAL CYBERSECURITY WORKFLOW vs. TIME REQUIRED

BLOCK

Protection fails. Today, 1.5M unique threats will be discovered – even 99.9% protection will fail 1,500 times.

“How are we finding these failures in our environment?”

RESPOND TO ALERTS

Security tools generate 100’s, even 1,000’s of alerts each day. Any one of those could be a breach in progress.

“How do we know we’re responding to the right alerts?”

INVESTIGATE INCIDENTS

When a cybersecurity incident impacts the business, the business needs answers:

• Where did it start?
• How did it succeed?
• How long have we been compromised?
• How many machines are impacted?
• How can it be stopped?

“How long does it take us to answer these questions?”

REIMAGE + RECOVER

Reimaging is not recovering. The average compromised machine remains undiscovered for 200+ days.

“How long does it take us to find the rest of the machines compromised by the same attack?”

IMPROVE DEFENSE

Reducing the attack surface means upgrading security policy – but the average organization manages 34-55 security tools.

“How long does it take us to redefine security in all our tools?”

Page 5: Behind the Curtain: Exposing Advanced Threats


1. BLOCK

Page 6: Behind the Curtain: Exposing Advanced Threats


Stay out!

Page 7: Behind the Curtain: Exposing Advanced Threats


THE ATTACK CONTINUUM

BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate

(Chart axes for each phase: BUDGET, TIME)

Tools across the continuum: Firewall, App Control, VPN, Patch Mgmt, Vuln Mgmt, IAM/NAC, IPS, Antivirus, Email/Web, IDS, FPC, Forensics, AMD, Log Mgmt, SIEM

Page 8: Behind the Curtain: Exposing Advanced Threats

BEFORE, DURING AND AFTER IN ACTION

Point-in-time threat inspection: antivirus, network, web, email.

This population of threats is 100% effective, 100% of the time.

Page 9: Behind the Curtain: Exposing Advanced Threats


LEGACY SECURITY PRODUCTION MODEL (TODAY)

1. Mass sample collection: MALWARE SAMPLE #A4409K
2. Prioritized sample processing: MALWARE ANALYSIS #A4409K
3. Prioritized detection creation: SIGNATURE UPDATE #A4409K
4. Signature payload distribution

Page 10: Behind the Curtain: Exposing Advanced Threats


ATTACK FLOW EXAMPLE

• Firefox user connects to http://www.downloaders.com and downloads an unknown .zip.
• Two files are accessed when the .zip is opened: b260653178.exe and a PDF.
• PDF Reader application is opened to read the PDF. Acrobat launches svchost.exe.
• svchost.exe connects to http://192.168.1.12.
• 3 files are downloaded, but 2 are blocked by AMP. File #3 connects to 4 IP addresses; File #3 opens a dialog window and awaits response.
• File #4 is downloaded. The last unknown file launches calc.exe, hollows the process and begins listening for remote connections.
• Geolocates and then connects to a C&C server.
• AMP Cloud issues a retrospective block.

37% FALSE NEGATIVES ARE COUNTED AS SECURITY ‘WINS’
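The flow above is a chain of process and network events on a single host, and the defender's job is to reconstruct that chain and spot the links that should never occur. The Python below is an added example, not code from the slides or from Cisco AMP: it rebuilds the process lineage from constructed endpoint telemetry and flags three things visible in the slide's flow, a document reader spawning a child process, svchost.exe with a parent other than services.exe, and a binary such as calc.exe that has no business on the network opening a socket. The image names, pids, event format and heuristic lists are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed endpoint telemetry mirroring the slide's flow (all values made up).
@dataclass(frozen=True)
class Event:
    ts: int        # seconds since boot
    kind: str      # "process" (start), "net" (socket activity) or "file" (write)
    pid: int
    ppid: int      # parent pid for "process" events, 0 otherwise
    image: str     # executable name of the acting process
    detail: str    # URL / address / path / command line, depending on kind

EVENTS = [
    Event(10, "process", 100, 1,   "firefox.exe",  ""),
    Event(12, "net",     100, 0,   "firefox.exe",  "connect http://www.downloaders.com"),
    Event(13, "file",    100, 0,   "firefox.exe",  r"C:\Users\user\Downloads\unknown.zip"),
    Event(20, "process", 200, 100, "AcroRd32.exe", "open sample.pdf"),
    Event(25, "process", 300, 200, "svchost.exe",  ""),
    Event(26, "net",     300, 0,   "svchost.exe",  "connect http://192.168.1.12"),
    Event(40, "process", 400, 300, "calc.exe",     ""),
    Event(41, "net",     400, 0,   "calc.exe",     "listen"),
]

# Heuristic lists: assumptions for this example, not AMP's detection content.
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe"}
NO_NETWORK_EXPECTED = {"calc.exe", "notepad.exe", "mspaint.exe"}
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def build_tree(events):
    """Map pid -> (image, ppid) from the process-start events."""
    return {e.pid: (e.image, e.ppid) for e in events if e.kind == "process"}


def ancestry(tree, pid):
    """Walk parent links back to the root; returns image names root-first."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        image, pid = tree[pid]
        chain.append(image)
    return list(reversed(chain))


def analyze(events):
    """Return one finding per heuristic hit, each with the full process lineage."""
    tree = build_tree(events)
    findings = []
    for e in events:
        image = e.image.lower()
        if e.kind == "process":
            parent_image = tree.get(e.ppid, ("<unknown>", 0))[0].lower()
            if parent_image in DOCUMENT_READERS:
                findings.append({"rule": "document-reader-spawned-process",
                                 "pid": e.pid, "lineage": ancestry(tree, e.pid)})
            expected = EXPECTED_PARENT.get(image)
            if expected and parent_image != expected:
                findings.append({"rule": "unexpected-parent", "pid": e.pid,
                                 "lineage": ancestry(tree, e.pid)})
        elif e.kind == "net" and image in NO_NETWORK_EXPECTED:
            findings.append({"rule": "network-from-no-network-image", "pid": e.pid,
                             "detail": e.detail, "lineage": ancestry(tree, e.pid)})
    return findings


def root_process(events):
    """The first image in the lineage of the earliest finding: where the chain began."""
    findings = analyze(events)
    return findings[0]["lineage"][0] if findings else None


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["rule"], "->", " > ".join(f["lineage"]))
```

The lineage attached to every finding is what turns an alert into a trajectory: the calc.exe socket on its own looks like one odd process, while its chain firefox.exe > AcroRd32.exe > svchost.exe > calc.exe points straight back to the download that started the incident.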

Page 11: Behind the Curtain: Exposing Advanced Threats


WHAT IS GARTNER ADVISING ABOUT THIS?

Page 12: Behind the Curtain: Exposing Advanced Threats

65% of CEOs say their risk management approach is falling behind.

“In a new reality where security breaches come at a daily rate, we must move away from trying to achieve the impossible perfect protection and instead invest in detection and response. Organizations should move their investments from 90 percent prevention and 10 percent detection and response to a 60/40 split.”

Peter Sondergaard, Senior VP and Global Head of Research, Gartner

Page 13: Behind the Curtain: Exposing Advanced Threats


WHO IS THE TOP ‘DETECTION AND RESPONSE’ VENDOR?

Page 14: Behind the Curtain: Exposing Advanced Threats


NSS LABS: BREACH DETECTION SYSTEMS

• Over 5 billion discrete data elements
• Hundreds of victim machines
• Collection and analysis of terabytes of logs
• Hundreds of discrete samples used in current campaigns
• Exploits, malware, and evasion testing was performed using regularly abused compromise mediums such as web and email—leveraging multiple common document types
• Over 100 unique evasion mechanics were tested

ONLY VENDOR TO BLOCK 100% OF EVASION TECHNIQUES

TOP VENDOR 2 YEARS IN A ROW

CISCO AMP RATED 99.2% EFFECTIVE

Page 15: Behind the Curtain: Exposing Advanced Threats

2015 Gartner MQ for Intrusion Prevention Systems

“The Advanced Malware Protection (AMP) products provide a quicker path to adding advanced threat capabilities… competing well against stand-alone and established advanced persistent threat (APT) solution vendors.”

Page 16: Behind the Curtain: Exposing Advanced Threats


THE CISCO RESPONSE

Page 17: Behind the Curtain: Exposing Advanced Threats


AMP OVERVIEW

Page 18: Behind the Curtain: Exposing Advanced Threats

Cisco Advanced Malware Protection: Built on Unmatched Collective Security Intelligence

Cisco Collective Security Intelligence Cloud (Talos: the Cisco Security and Intelligence Research Group)

• 1.6 million global sensors
• 100 TB of data received per day
• 150 million+ deployed endpoints
• 600 engineers, technicians, and researchers
• 35% worldwide email traffic
• 13 billion web requests
• 24x7x365 operations
• 4.3 billion web blocks per day
• 40+ languages
• 1.1 million incoming malware samples per day

Intelligence sources: AMP Community; Private/Public Threat Feeds; Talos Security Intelligence; AMP Threat Grid Intelligence; AMP Threat Grid Dynamic Analysis (10 million files/month); Advanced Microsoft and Industry Disclosures; Snort and ClamAV Open Source Communities; AEGIS Program

Protected vectors: Email, Endpoints, Web, Networks, IPS Devices. Automatic updates in real time.

AMP (Advanced Malware Protection) cloud counters: 3.5 BILLION SEARCHES TODAY; 18.5B; 20.1 BILLION THREATS BLOCKED TODAY

Page 19: Behind the Curtain: Exposing Advanced Threats

AMP: CONTINUOUSLY RECORD ACTIVITY REGARDLESS OF DISPOSITION

Page 20: Behind the Curtain: Exposing Advanced Threats

AMP CLOUD

PRIVATE CLOUD

AMP ThreatGrid

Page 21: Behind the Curtain: Exposing Advanced Threats

CONTINUOUS BACKGROUND ANALYSIS vs. AMP CLOUD

SYSTEMIC RESPONSE

RETROSPECTIVE DETECTION

Page 22: Behind the Curtain: Exposing Advanced Threats

Deployment example: HQ, STORE: POS, DATA CENTER, ENDPOINT. Malware events are shared across all AMP deployments.

Components: ThreatGrid; Talos Security and Intelligence Research; FireSIGHT; AMP Appliance (NGIPS); AMP Cloud; AMP for Endpoints; ThreatGrid Dynamic Analysis; Cisco Web; Cisco Email; ASA + FPS (each carrying AMP).

Page 23: Behind the Curtain: Exposing Advanced Threats


AMP WORKFLOW IN ACTION

Page 24: Behind the Curtain: Exposing Advanced Threats


AMP INFRASTRUCTURE

AMP ARCHITECTURE: Talos; AMP for Endpoint; FireSIGHT Management Center; AMP Appliance (NGIPS); AMP ThreatGrid Dynamic Analysis

EQUIVALENT COMPETITIVE ARCHITECTURE

Page 25: Behind the Curtain: Exposing Advanced Threats


Page 26: Behind the Curtain: Exposing Advanced Threats

CONTINUOUS ANALYSIS AND RETROSPECTIVE SECURITY

AMP blocks threats, but it doesn’t stop there. AMP uses big data analytics to continuously analyze the history of endpoint and network behavior in your environment – uncovering advanced threats and rewinding history to block them.

Page 27: Behind the Curtain: Exposing Advanced Threats

NETWORK:

• Start with Blocking: IP, IPS, Files
• Tracking Files: Good, Unknown, Bad
• Unknown Files = Dynamic Analysis
• Retrospective Events

ENDPOINT:

• Tracking Files
• Tracking Behavior
• Blocking examples: IP, IoC, Files
• Dynamic Analysis
• Retrospective Events

Page 28: Behind the Curtain: Exposing Advanced Threats


ATTACK FLOW vs. AMP

Attack flow (as on Page 10):

• Firefox user connects to http://www.downloaders.com and downloads an unknown .zip.
• Two files are accessed when the .zip is opened: b260653178.exe and a PDF.
• PDF Reader application is opened to read the PDF. Acrobat launches svchost.exe.
• svchost.exe connects to http://192.168.1.12.
• 3 files are downloaded, but 2 are blocked by AMP. File #3 connects to 4 IP addresses; File #3 opens a dialog window and awaits response.
• File #4 is downloaded. The last unknown file launches calc.exe, hollows the process and begins listening for remote connections.
• Tries to geolocate and then connect to a C&C server.
• Low prevalence analysis delivers a retrospective block; AMP Cloud issues a retrospective block.

AMP FOR NETWORK / AMP FOR ENDPOINT DETECTION triggered along the flow:

• Device Trajectory triggered
• File Trajectory triggered
• ThreatGrid Dynamic Analysis triggered
• Snort rule analysis triggered
• Retrospective block
• Systemic block
• Low prevalence: ThreatGrid Dynamic Analysis triggered

Page 29: Behind the Curtain: Exposing Advanced Threats


2. RESPOND TO ALERTS

Page 30: Behind the Curtain: Exposing Advanced Threats


Page 31: Behind the Curtain: Exposing Advanced Threats

THE POWER OF CONTEXT

In real-time, AMP Appliances passively discover the environment they are protecting – mapping the vulnerabilities of each host. An attack leveraging actual vulnerabilities of the target host is a true top alert.

Page 32: Behind the Curtain: Exposing Advanced Threats

• Alert overload example

• Unfiltered: List of Intrusion Events

• By Impact: List of Intrusion Events

• How? Passive Discovery Overview

• Endpoint: Vulnerable Software
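The "unfiltered" versus "by impact" lists above come down to one join: each intrusion event is matched against what passive discovery knows about the target host. The Python below is an added example, not code from the slides or from Cisco, showing that join on constructed data. The four-level impact scale is a simplification made for the example and is not a statement of FireSIGHT's exact semantics; the host inventory, the event fields and the vulnerability identifiers (VULN-A, VULN-B) are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    ip: str
    os: str
    services: dict        # listening port -> service name, learned passively
    vulns: frozenset      # vulnerability ids the passive mapping associates with the host


@dataclass(frozen=True)
class IntrusionEvent:
    rule: str
    dst_ip: str
    dst_port: int
    service: str          # protocol/service the rule targets
    vuln_ids: frozenset   # vulnerability ids the rule is written against


# Simplified impact scale (an assumption for this example).
IMPACT = {
    1: "vulnerable: target host has a matching known vulnerability",
    2: "potentially vulnerable: target host runs the targeted service",
    3: "currently not vulnerable: target known, targeted service not present",
    4: "unknown target: host not in the discovered network map",
}

# Constructed passive-discovery inventory and intrusion events (placeholder values).
HOST_INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "Windows Server", {445: "smb", 3389: "rdp"}, frozenset({"VULN-A"})),
    "10.0.0.9": Host("10.0.0.9", "Linux", {80: "http", 22: "ssh"}, frozenset()),
}

INTRUSION_EVENTS = [
    IntrusionEvent("SMB remote code execution attempt", "10.0.0.5", 445, "smb", frozenset({"VULN-A"})),
    IntrusionEvent("HTTP server exploit attempt", "10.0.0.9", 80, "http", frozenset({"VULN-B"})),
    IntrusionEvent("RDP brute-force attempt", "10.0.0.9", 3389, "rdp", frozenset()),
    IntrusionEvent("SMB remote code execution attempt", "10.0.0.77", 445, "smb", frozenset({"VULN-A"})),
]


def impact_level(event, inventory):
    """Rate one event against the passively discovered picture of its target."""
    host = inventory.get(event.dst_ip)
    if host is None:
        return 4                                   # never seen this host
    if event.vuln_ids & host.vulns:
        return 1                                   # rule hits a vulnerability the host has
    if host.services.get(event.dst_port) == event.service:
        return 2                                   # service is there, exposure unconfirmed
    return 3                                       # host known, nothing listening for this


def prioritize(events, inventory):
    """Return (impact, event) pairs, most severe first; stable for ties."""
    return sorted(((impact_level(e, inventory), e) for e in events), key=lambda pair: pair[0])


def top_alerts(events, inventory, max_level=1):
    """The short list an analyst should look at first."""
    return [e for level, e in prioritize(events, inventory) if level <= max_level]


def impact_summary(events, inventory):
    """Count of events per impact level, for the 'unfiltered vs. by impact' comparison."""
    counts = {level: 0 for level in IMPACT}
    for level, _ in prioritize(events, inventory):
        counts[level] += 1
    return counts


if __name__ == "__main__":
    for level, e in prioritize(INTRUSION_EVENTS, HOST_INVENTORY):
        print(level, IMPACT[level].split(":")[0], "|", e.rule, "->", f"{e.dst_ip}:{e.dst_port}")
```

With this scheme the same four alerts that look equally urgent in an unfiltered list separate into one that needs attention now (a known-vulnerable host hit by a matching rule) and three that can be triaged later, which is the reduction the slide's "by impact" view is describing.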

Page 33: Behind the Curtain: Exposing Advanced Threats


3. INVESTIGATE INCIDENTS

Page 34: Behind the Curtain: Exposing Advanced Threats


Page 35: Behind the Curtain: Exposing Advanced Threats

VISIBILITY + CONTROL

Because AMP records the history of the environment, your team can quickly scroll back time to discover what happened.

• Identify ‘patient zero’ – the first victim.
• Determine the attack scope – how malware traversed the organization.
• Contain the event, understanding all affected systems.
• Remediate quickly, focusing on high-priority events and systems.
• Prevent reinfection by identifying the root causes.
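The retrospective behaviour described on Pages 19 and 26 and the patient-zero and scope questions listed above all rest on the same data structure: every file observation is kept whatever the file's disposition was at the time, so a verdict that arrives later can be replayed against the full history. The Python below is an added example, not code from the slides or from Cisco AMP, that implements that record-then-revisit model on constructed observations: it tracks which hosts saw each hash, singles out unknown files with low prevalence as dynamic-analysis candidates (the slide's "low prevalence" trigger), and, when a hash is re-rated malicious, emits one retrospective event per affected host and answers patient zero and scope. The hash strings, host names, paths and the prevalence threshold are placeholders chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int            # seconds since epoch (constructed)
    host: str
    sha256: str        # placeholder strings below, not real sample hashes
    path: str
    parent: str        # process that wrote or executed the file


class FileHistory:
    """Keeps every observation regardless of disposition so later verdicts can be
    applied back to the whole history (the record-then-revisit model)."""

    def __init__(self, prevalence_threshold=3):
        self.events = []
        self.disposition = {}                  # sha256 -> "clean" | "unknown" | "malicious"
        self.prevalence_threshold = prevalence_threshold

    def record(self, ev, disposition="unknown"):
        """Store the observation; the first disposition seen for a hash sticks until updated."""
        self.events.append(ev)
        self.disposition.setdefault(ev.sha256, disposition)
        return self.disposition[ev.sha256]

    def trajectory(self, sha256):
        """Every sighting of a hash across the fleet, oldest first (file trajectory)."""
        return sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)

    def scope(self, sha256):
        """Hosts that ever saw the hash: the set to contain."""
        return {e.host for e in self.events if e.sha256 == sha256}

    def patient_zero(self, sha256):
        """Host with the earliest sighting."""
        traj = self.trajectory(sha256)
        return traj[0].host if traj else None

    def low_prevalence_candidates(self):
        """Unknown hashes seen on few hosts: what to hand to dynamic analysis first."""
        hosts_by_hash = defaultdict(set)
        for e in self.events:
            hosts_by_hash[e.sha256].add(e.host)
        return sorted(h for h, hosts in hosts_by_hash.items()
                      if self.disposition.get(h) == "unknown"
                      and len(hosts) <= self.prevalence_threshold)

    def update_disposition(self, sha256, verdict):
        """Apply a new verdict; a change to 'malicious' yields one retrospective
        event per host, based on that host's first sighting."""
        previous = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = verdict
        if verdict != "malicious" or previous == "malicious":
            return []
        first_seen = {}
        for e in self.trajectory(sha256):
            first_seen.setdefault(e.host, e)   # trajectory is time-ordered
        return [{"host": e.host, "path": e.path, "first_seen": e.ts,
                 "parent": e.parent, "action": "retrospective_block"}
                for e in first_seen.values()]


# Constructed observations (placeholder hashes and hosts).
H1 = "sha256-placeholder-b260653178"     # the slide's unknown executable
H2 = "sha256-placeholder-dropper"
H3 = "sha256-placeholder-admin-tool"

SAMPLE_EVENTS = [
    FileEvent(100, "ws-01", H1, r"C:\Users\a\Downloads\b260653178.exe", "firefox.exe"),
    FileEvent(250, "ws-02", H1, r"C:\Users\b\AppData\Local\Temp\b260653178.exe", "svchost.exe"),
    FileEvent(400, "ws-07", H1, r"C:\Users\c\Downloads\b260653178.exe", "outlook.exe"),
    FileEvent(410, "ws-07", H1, r"C:\Users\c\Downloads\b260653178.exe", "explorer.exe"),
    FileEvent(120, "ws-02", H2, r"C:\Windows\Temp\upd.exe", "b260653178.exe"),
    FileEvent(50,  "ws-01", H3, r"C:\Tools\admin-tool.exe", "explorer.exe"),
    FileEvent(55,  "ws-02", H3, r"C:\Tools\admin-tool.exe", "explorer.exe"),
    FileEvent(60,  "ws-03", H3, r"C:\Tools\admin-tool.exe", "explorer.exe"),
    FileEvent(65,  "ws-04", H3, r"C:\Tools\admin-tool.exe", "explorer.exe"),
]


def build_history():
    """All files are unknown at observation time; nothing is dropped for being unknown."""
    hist = FileHistory(prevalence_threshold=3)
    for ev in SAMPLE_EVENTS:
        hist.record(ev)
    return hist


if __name__ == "__main__":
    hist = build_history()
    print("submit for dynamic analysis:", hist.low_prevalence_candidates())
    for r in hist.update_disposition(H1, "malicious"):
        print(r)
    print("patient zero:", hist.patient_zero(H1), "scope:", sorted(hist.scope(H1)))
```

The point to take from the example is what happens at the moment the verdict changes: nothing new has to be observed, because the answer to "who else has this file, and who had it first" was already recorded while the file was still rated unknown.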

Page 36: Behind the Curtain: Exposing Advanced Threats

Workflow: Investigate Incidents

• Network

• Endpoint

Page 37: Behind the Curtain: Exposing Advanced Threats


4. REIMAGE AND RECOVER

Page 38: Behind the Curtain: Exposing Advanced Threats


Page 39: Behind the Curtain: Exposing Advanced Threats

SYSTEMIC RESPONSE

AMP works through the cloud, enforcing security response everywhere it is installed. Before we can react to an alert, AMP is already blocking on the network, on endpoints – even laptops off our network – and on email and web.

Page 40: Behind the Curtain: Exposing Advanced Threats

Systemic Response

• Example

Move beyond blind reimaging:

• Identify root cause (review)

• Roll back time even after reimaging

Page 41: Behind the Curtain: Exposing Advanced Threats


5. IMPROVE DEFENSE

Page 42: Behind the Curtain: Exposing Advanced Threats


Page 43: Behind the Curtain: Exposing Advanced Threats

“AMP finds what our other tools miss”

“We used to have to choose from 1,000’s of alerts… now we know the 4-6 critical alerts for our environment”

“What used to take us 2 weeks or 2 months now takes us 2 minutes”

“Instead of spending 4 hours each day chasing our tools, we’re blocking everywhere, automatically”

“It would have taken 2 hours a day to do what’s being done automatically”

SHARED SECURITY INTELLIGENCE

With AMP ThreatGrid, both Cisco industry partners and non-Cisco solutions can benefit from dynamic analysis executed by AMP, automatically improving your defense.

Page 44: Behind the Curtain: Exposing Advanced Threats

Integration

• How sharing Threat Intelligence works

• Adding integration

• Invitation to review your environment?

Page 45: Behind the Curtain: Exposing Advanced Threats


THREATGRID

Shares the results of dynamic analysis (sandboxing) of your files, and threat intelligence feeds, with your existing security:

• Firewall
• IPS/IDS
• Gateway/Proxy
• Network Taps
• SIEM
• Log Management
• Endpoint Security
• Other tools

Page 46: Behind the Curtain: Exposing Advanced Threats

NEXT STEPS

1. “Cisco AMP”

2. Scoping Call

3. Custom Demo

4. POC

Sean Earhard

[email protected] / 647-988-4945