Ács György, Technical Solution Architect - Security
Practical malware analysis: how could we go about analysing a piece of malware?
What are we going to do now?
Typical CIO question to InfoSec
A CIO just asked me about a new banking Trojan… I had no answer…
“I need to know now… are we impacted?”
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Investigation Steps
1. Search security blogs for the latest threat information
2. Find indicators of compromise (IoCs) to search for
3. Search security operations systems for activity associated with the IoCs
4. Verify that existing threats are blocked
5. Investigate related activity to trace the threat
6. Investigate and block any new threats related to the activity
Introducing Cisco Threat Response
Out-of-box integrations: get more from your Cisco Security investments when they are already working together
Designed for your SOC: reduce the burden on your other security products and make them work better
No additional cost: get it today with integrated Cisco Security product licenses
Save time and effort: reduce the burden on your other security products and make them work better
Observables
Cisco Threat Response supports the quick investigation of cyber Observables, which might be domain names, IP addresses, file hashes, PKI certificate serial numbers, and even specific devices or users.
The first thing that Cisco Threat Response does with an observable is determine its disposition by aggregating what is known about that observable from the various enrichment modules configured.
The disposition tells the Incident Responder whether the observable is:
• Clean (explicitly whitelisted)
• Malicious (explicitly blacklisted)
• Suspicious (potentially harmful)
• Unknown (not currently associated with a known disposition)
Unknown observables are not enriched.
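To make the observable and disposition concepts concrete, here is an added Python example; it is not code from the deck or from Cisco Threat Response. It refangs and extracts observables (URL, domain, IP, SHA-256) from a pasted indicator list, the same kind of text the Investigate pane accepts, deduplicates them, and folds per-module verdicts into one disposition using the four values above. The indicator text, hashes, IP, domain and module verdicts are all constructed, and the worst-verdict-wins aggregation rule is an assumption for illustration, not Threat Response's documented logic.

```python
import re
from urllib.parse import urlparse

# Constructed sample IoC text in the shape of a Talos blog indicator list
# (defanged with hxxp and [.]); the hashes, IP and domain are invented.
HASH_MAL = "a1b2c3d4" * 8     # assumed: the malicious SHA-256 from the list
HASH_CLEAN = "5e6f7a8b" * 8   # assumed: a legitimate tool listed alongside it
IOC_TEXT = f"""
Indicators of Compromise (constructed sample, defanged):
hxxp://malicious-example[.]test/payload.bin
203[.]0[.]113[.]45
{HASH_MAL}
{HASH_CLEAN}
Also observed: 203.0.113.45 (same address, not defanged)
"""

RE_URL = re.compile(r"https?://[^\s'\"<>]+", re.I)
RE_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
RE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RE_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text):
    """Undo the usual defanging conventions so the regexes can match."""
    return (text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
                .replace("hxxp", "http").replace("hXXp", "http"))


def extract_observables(text):
    """Return (type, value) pairs, deduplicated, in order of first appearance."""
    clean = refang(text)
    found, seen = [], set()

    def add(kind, value):
        if kind != "url":          # keep URL paths case-sensitive, normalise the rest
            value = value.lower()
        if (kind, value) not in seen:
            seen.add((kind, value))
            found.append((kind, value))

    for m in RE_URL.finditer(clean):
        add("url", m.group())
        host = urlparse(m.group()).hostname
        if host:                   # the host of a URL is an observable in its own right
            add("ip" if RE_IPV4.fullmatch(host) else "domain", host)
    rest = RE_URL.sub(" ", clean)  # do not re-match hosts or paths inside URLs
    for m in RE_SHA256.finditer(rest):
        add("sha256", m.group())
    for m in RE_IPV4.finditer(rest):
        if all(int(octet) <= 255 for octet in m.group().split(".")):
            add("ip", m.group())
    for m in RE_DOMAIN.finditer(rest):
        add("domain", m.group())
    return found


RANK = {"unknown": 0, "clean": 1, "suspicious": 2, "malicious": 3}


def disposition(module_verdicts):
    """Fold per-module verdicts into one disposition.
    Assumed rule (not Threat Response's published logic): the most severe
    verdict wins; with no verdict at all the observable stays Unknown."""
    if not module_verdicts:
        return "unknown"
    return max(module_verdicts.values(), key=RANK.__getitem__)


# Constructed per-module verdicts standing in for the enrichment modules.
MODULE_VERDICTS = {
    HASH_MAL: {"AMP": "malicious", "Threat Grid": "malicious"},
    HASH_CLEAN: {"AMP": "clean"},
    "203.0.113.45": {"Umbrella": "suspicious", "VirusTotal": "unknown"},
    "malicious-example.test": {"Umbrella": "malicious", "VirusTotal": "suspicious"},
}


def triage(ioc_text):
    """Observable -> disposition for every indicator found in the pasted text."""
    return {value: disposition(MODULE_VERDICTS.get(value, {}))
            for _, value in extract_observables(ioc_text)}


if __name__ == "__main__":
    for value, verdict in triage(IOC_TEXT).items():
        print(f"{verdict:10s} {value}")
```

The URL itself comes back Unknown because no module has a verdict for it, while its host is Malicious: that is why the extraction step splits a URL into the URL and its host, so that an enrichment source that only knows domains still contributes.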
Cisco Threat Response - API integration
Cisco Threat Response is connected via API to:
• NGFW (Firepower)
• Email (ESA)
• Sandbox (Threat Grid)
• DNS (Umbrella)
• Talos / VirusTotal
• Endpoint (AMP4E)
• Web (WSA)
• NetFlow* (future)
Also shown: remediation, API support, browser plugin
Target
Sighting: a record of the appearance of a cyber observable at a given date and time. It can optionally be related to Indicators, providing threat intelligence context about the observable.
Indicator: describes a pattern of behavior or a set of conditions which indicate malicious behavior.
Some indicators are more indicative of malicious behavior than others, so knowing exactly which bad behaviors an observable is exhibiting helps an incident responder decide what to do next.
Cisco Threat Response uses a large collection of malware indicators from the AMP Global Intelligence threat archive, Threat Grid, and other sources.
BRKSEC-3889
Demo
additional details
pivoting further
Use Case: Hunt for Infected Hosts
Olympic Destroyer
Hunting Workflow (1)
1. Talos or other intel sources: the user learns about a threat from an intel source and wants to see whether the threat exists in the environment
Hunting Workflow (2)
1. Talos or other intel sources
2. Threat Response automatically queries Cisco Security and 3rd party products via APIs to enrich the investigation:
• Threat Intelligence (Threat Grid, Talos, VirusTotal): what do you know about these observables (IP, hash, URL, etc.)?
• Threat Investigation (AMP, Umbrella, Email, StealthWatch**, NGFW): have we seen these observables? Which end-points interacted with the threat?
Hunting Workflow (3)
1. Talos or other intel sources
2. Automatic enrichment (as above)
3. Pivot to get more specific as needed for the investigation: AMP, Threat Grid, Umbrella, SMA*, Talos, VirusTotal, StealthWatch**, NGFW
Some IR Starts with Research
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Start a New Investigation
• Copy and paste the entire list of IOCs from the Talos blog into the Investigation pane
https://visibility.amp.cisco.com/#/investigate
…or Start a New Investigation with browser plugins
Browser plugin: Firefox and Chrome
Investigation Data
https://visibility.amp.cisco.com/#/investigate
Activity in the Organization
• Three groups of data on the Relations Graph
• One Clean SHA within the organization
• One Malicious SHA within the organization
• Eight Malicious SHAs that have not been found within the organization
https://visibility.amp.cisco.com/#/investigate
(Graph labels: Malicious SHA within the Org; Clean SHA within the Org; Misc Malicious SHAs)
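The investigation half of the hunting workflow above (have we seen these observables, which end-points interacted with them, which sightings were actually stopped) and the three groups on this Relations Graph slide can both be reproduced from a list of sightings. This is an added Python example, not code from the deck or from Cisco Threat Response: the verdicts, sightings, hostnames, timestamps and hashes are constructed, and the bucket names and the set of actions counted as remediation are assumptions.

```python
from collections import defaultdict

# Constructed investigation data (invented hashes, hosts and times; not the
# deck's demo data). VERDICTS is what the disposition step returned for each
# observable; SIGHTINGS is what the integrated products reported when asked
# "have you seen this?".
HASH_MAL = "a1b2c3d4" * 8      # assumed: the malicious SHA-256 from the IoC list
HASH_CLEAN = "5e6f7a8b" * 8    # assumed: a legitimate tool listed alongside it
HASH_UNSEEN = "9c8d7e6f" * 8   # assumed: malicious, but never observed locally
DOMAIN_C2 = "malicious-example.test"

VERDICTS = {HASH_MAL: "malicious", HASH_CLEAN: "clean",
            HASH_UNSEEN: "malicious", DOMAIN_C2: "malicious"}

SIGHTINGS = [
    {"observable": HASH_CLEAN, "source": "AMP for Endpoints", "target": "WKSTN-07",
     "time": "2019-04-12T19:29:00Z", "action": "executed"},
    {"observable": HASH_MAL, "source": "AMP for Endpoints", "target": "WKSTN-07",
     "time": "2019-04-12T19:30:00Z", "action": "quarantined"},
    {"observable": DOMAIN_C2, "source": "Umbrella", "target": "LAPTOP-22",
     "time": "2019-04-12T19:31:00Z", "action": "allowed"},
    {"observable": HASH_MAL, "source": "AMP for Endpoints", "target": "WKSTN-07",
     "time": "2019-04-12T19:49:00Z", "action": "quarantined"},
]

# Assumed: actions that mean the product already stopped the threat.
REMEDIATED = {"quarantined", "blocked", "dropped"}


def group_by_presence(verdicts, sightings):
    """Bucket every investigated observable the way the Relations Graph does:
    by verdict, and by whether any product in the organisation has seen it."""
    seen = {s["observable"] for s in sightings}
    groups = defaultdict(lambda: {"in_org": [], "not_in_org": []})
    for obs, verdict in verdicts.items():
        groups[verdict]["in_org" if obs in seen else "not_in_org"].append(obs)
    return dict(groups)


def exposed_targets(sightings, observable):
    """Which end-points interacted with the observable (sorted, deduplicated)."""
    return sorted({s["target"] for s in sightings if s["observable"] == observable})


def needs_follow_up(verdicts, sightings):
    """Sightings of a malicious observable that were NOT stopped: these are the
    ones that turn a hunt into an incident (steps 5 and 6 of the workflow)."""
    return [s for s in sightings
            if verdicts.get(s["observable"]) == "malicious"
            and s["action"] not in REMEDIATED]


def target_timeline(sightings, target):
    """Chronological activity on one host, the view the Sightings timeline gives."""
    return sorted((s["time"], s["source"], s["observable"][:16], s["action"])
                  for s in sightings if s["target"] == target)


if __name__ == "__main__":
    for verdict, buckets in group_by_presence(VERDICTS, SIGHTINGS).items():
        print(verdict, buckets)
    for s in needs_follow_up(VERDICTS, SIGHTINGS):
        print("FOLLOW UP:", s["observable"], "on", s["target"], "via", s["source"])
    for row in target_timeline(SIGHTINGS, "WKSTN-07"):
        print(*row)
```

The point of the `needs_follow_up` view is step 4 of the investigation steps: a malicious hash that AMP quarantined is evidence of a blocked attack, while a malicious domain that Umbrella merely logged as allowed is an open exposure, and the two must not be treated the same just because both are "sightings of something malicious".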
Overview of a Clean SHA
• Things to note:
• The Parents of the SHA
• The Previous File Names of the SHA
• The File Paths of the SHA
• The Target of the SHA
https://visibility.amp.cisco.com/#/investigate
Overview of a Malicious SHA
• Things to note:
• The File Name and File Path of the SHA
• A Clean SHA became a Malicious one
• The Target of the Malicious SHA
https://visibility.amp.cisco.com/#/investigate
Examine the Sightings Timeline
https://visibility.amp.cisco.com/#/investigate
Hover over Events on the Timeline for additional details
Focus on the Malicious SHA (1)
• Target computer name
• Malware file name
• File path on the Target computer
• Hash of the Malicious SHA
https://visibility.amp.cisco.com/#/investigate
Judgements About the Malicious SHA
• Both AMP and Threat Grid helped with this Judgement
https://visibility.amp.cisco.com/#/investigate
Indicators About the Malicious SHA
• Threat Grid intelligence fed the AMP Global Intelligence engine for this Indicator
https://visibility.amp.cisco.com/#/investigate
Sightings About the Malicious SHA
• Recent sightings of this Malicious SHA
https://visibility.amp.cisco.com/#/investigate
• These were caught (Detected and Quarantined) by AMP
Pivot directly into AMP
AMP – Legacy Device Trajectory
• AMP for Endpoints saw the creation of the Malware file from a Clean one
• AMP Quarantined the Malicious file
https://console.amp.cisco.com/...
AMP – New Device Trajectory (1)
https://console.amp.cisco.com/...
• Apr 12, ~1930
AMP – New Device Trajectory (2)
https://console.amp.cisco.com/...
• PowerShell downloaded a file
AMP – New Device Trajectory (3)
https://console.amp.cisco.com/...
• Microsoft Word launched the PowerShell
AMP – New Device Trajectory (4)
https://console.amp.cisco.com/...
• 1930: The file created by PowerShell was quarantined
AMP – New Device Trajectory (5)
https://console.amp.cisco.com/...
• 1949: Discovered and immediately quarantined our OLD friend
Thank you