Advanced Malware Protection
Eric L. Howard Technical Marketing Engineer - @ericlhoward
BRKSEC-2139
Cisco Advanced Malware Protection [AMP] is designed to provide both defense and insight Before,
During, and After these breach attempts. If you have struggled with point of exposure, or the extent of
breach, this session will show how Cisco AMP helps to detect infections, understand scope, and initiate
remediation for protected systems no matter where they are at any moment.
Agenda
Introduction
Cisco Approach
How It Works
Demos
AMP Privacy
Conclusion
Threat timeline (figure): Viruses, 1985; Macro viruses, 1995; Worms / Hackers, 2000; Spyware / Rootkits, 2005; Malware / APTs, 2010.
Traditional incident-response flow (figure): Notification -> Quarantine -> Triage -> Confirm -> Build test bed -> Static analysis / Device analysis -> Update profile -> Search network traffic / Network analysis / Search device logs / Scan devices -> either "No infection: stop" or "Infection identified: analyze malware -> proliferation analysis -> malware profile -> define rules (from profile)".
What this costs: time, tools, expense.
Cisco Approach
Marty Roesch
Vice-President & Chief Architect
Cisco, Security Business Group
Do Security Different!
Plan A: Prevention
- Speed: real-time, dynamic decisions trained on real-world data
- High accuracy, low false positives / negatives
Plan B: Retrospection
- Track system behaviors regardless of disposition
- In-flight correction (SPERO FXTrees)
- Contain and correct damage, expel embedded intruders
How It Works
Architecture (figure):
- Endpoint connector (Windows, Mac, Linux): exposes all file and network activity; traps fingerprint and attributes; traps traffic-flow tuples; containment.
- Mobile Connector (Android): app installs.
- Network sensor (Malware license, no agent required): detection of files; CnC protocol analysis; IP and URL reputation analysis; exploit-kit detection; DNS sinkholing.
- WSA/ESA (proxy and MTA): detection of files; IP and URL reputation analysis; SSL/TLS decryption.
- Web-based manager; detection services and data analytics.
- Cloud analytics engines: Device Flow Correlation, SPERO, Ethos, IOCs, Dynamic Analysis, Advanced Analytics.
SHA-256: Cloud-Enabled Coverage
Tools for computing SHA-256 hashes:
- Windows: md5deep (http://md5deep.sourceforge.net)
- Part of the base/core OS: sha(1); GNU coreutils
- Programmatic tools: Python hashlib; Perl Digest::SHA / Digest::SHA::PurePerl
Higher multiplicity
- ClamAV (http://www.clamav.net): sigtool
- ssdeep (http://ssdeep.sourceforge.net)
Machine-learning pipeline (figure, built up over several slides):
- Training: DIRTY training data with labels -> feature vectors -> machine-learning algorithm -> predictive model (decision trees). Example features called out: DLLs loaded; keyboard API?
- Classification: customer data -> file featureprint -> predictive model -> expected label [disposition]: Clean, Unknown, Malware.
- Performance monitoring feeds back into the model.
Behaviors examined: network connections? non-standard protocols for an application? hooking which APIs? filesystem changes? copies itself; moving files.
Possible outcomes: possible malware; possible clean file; confirmed malware; unknown; confirmed clean file.
Spero flow (figure):
1. A new software application arrives on a machine in the installed base.
2. Relevant features are extracted from the application using a custom algorithm and used to form a feature vector.
3. The feature vector is compressed into a short feature print using compression techniques.
4. The compressed feature print is transmitted to the Cisco AMP Cloud.
5. The feature print is decompressed and evaluated using a machine-learning model.
6. The cloud server computes the final answer using distributed computing, large-scale data mining, machine learning and other technologies; the result is communicated to the end user and logged.
7. Logs are aggregated; techniques are used to generate a new model (from actual in-field data!).
Machine Learning and Behavior Modeling: Ethos, Spero
Capability: Ethos. Feature: generic fingerprints. Detection delivery: Public Cloud, Private Cloud.
Capability: Spero. Feature: machine-learning engines, providing behavior-based decisions. Detection delivery: Public Cloud, Private Cloud.
Capability: Simple Custom Detection. Detection delivery: Public Cloud, Private Cloud.
Capability: Advanced Custom Detection. Detection delivery: Public Cloud, Private Cloud.
Usage notes (table): easily evaded; PE files; can have FPs. Products using this capability.
Wikipedia: an indicator of compromise (IOC) in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.
http://en.wikipedia.org/wiki/Indicator_of_compromise
IOC sources (figure): Cisco AMP Cloud; customer created; shared content.
Integration with threat intel:
- Cisco
- Community (https://www.iocbucket.com/)
- Intelligence sites/feeds
- Sharing orgs (http://www.isaccouncil.org/)
**Not real-time**
File downloads
- IP reputation data
- Dropper detection/removal in unknown files
- Custom-defined lists
Dropkick
Recon
Prevalence
Outside-in approach to dynamic analysis: no presence in the VM; dynamic analysis includes I/O calls.
Privilege rings (figure, least to most privileged): Ring 3, applications; Ring 2, mostly unused; Ring 1, device drivers; Ring 0, guest OS; Ring -1, instrumented hypervisor; hardware (most privileged).
Continuous Protection
Engines: Device Flow Correlation, Spero, Ethos, IOCs, Dynamic Analysis, Advanced Analytics.
Point-in-time analysis (figure): the file is sandboxed and given disposition = CLEAN; later it is actually BAD, but the verdict comes too late. Limits of a single sandbox run: sleep techniques, unknown protocols, encryption, performance.
Continuous analysis (figure): initial disposition = CLEAN, but analysis of the file continues over time.
Retrospective Security (figure, Cisco TALOS Cloud):
- File query from the connector (Connector ID, SHA, SPERO, ETHOS, DFC) -> SHA conviction -> response disposition.
- File query (Connector ID, SHA, SPERO) -> 1-to-1 signatures, fuzzy fingerprinting, machine learning -> response disposition.
- DFC, advanced analytics and dynamic analysis can produce a changed disposition, which is placed on the retrospective queue.
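As an added illustration (not code from the deck or from Cisco AMP), the following Python script models the retrospective flow described above together with the SHA-256 tooling slide: a connector hashes a file with hashlib, queries a stand-in cloud keyed by SHA-256, and a later changed disposition yields a retrospective event naming every connector that already reported the hash. The AmpCloudSim class, the connector IDs and the sample bytes are all constructed for the example.

```python
import hashlib
from collections import defaultdict

CLEAN, UNKNOWN, MALWARE = "CLEAN", "UNKNOWN", "MALWARE"


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of file content: the key used in every file query."""
    return hashlib.sha256(data).hexdigest()


class AmpCloudSim:
    """Constructed stand-in for the cloud side: dispositions keyed by SHA-256
    plus a retrospective queue of hashes whose disposition changed."""

    def __init__(self):
        self.disposition = {}             # sha256 -> current disposition
        self.seen_by = defaultdict(set)   # sha256 -> connector IDs that reported it
        self.retro_queue = []             # (sha256, old, new) awaiting delivery

    def file_query(self, connector_id: str, sha: str) -> str:
        """Connector asks for a verdict; the cloud remembers who asked."""
        self.seen_by[sha].add(connector_id)
        return self.disposition.get(sha, UNKNOWN)

    def change_disposition(self, sha: str, new: str) -> None:
        """Later analysis (sandbox, ML, analytics) changes the verdict."""
        old = self.disposition.get(sha, UNKNOWN)
        if old != new:
            self.disposition[sha] = new
            self.retro_queue.append((sha, old, new))

    def retrospective_events(self):
        """Drain the queue: each change plus every connector that has reported
        the hash, so endpoints can quarantine a file they once saw as CLEAN."""
        events = [(sha, old, new, sorted(self.seen_by[sha]))
                  for sha, old, new in self.retro_queue]
        self.retro_queue.clear()
        return events


def demo():
    cloud = AmpCloudSim()
    sample = b"MZ\x90\x00 constructed sample bytes, not a real binary"
    sha = sha256_of(sample)
    first = cloud.file_query("connector-A", sha)    # never seen before: UNKNOWN
    cloud.change_disposition(sha, CLEAN)            # initial verdict: CLEAN
    second = cloud.file_query("connector-B", sha)   # second endpoint lets it run
    cloud.change_disposition(sha, MALWARE)          # continued analysis flips it
    return first, second, cloud.retrospective_events()
```

Running demo() shows the second endpoint was told CLEAN, and the final retrospective event names both connectors for quarantine.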
Demo
Use Case: Threat Hunting with a Generic IOC Event
- Can begin the search using any data from the IOC event
- Remediate without escalation; quickly quarantine files; immediate protection across all systems
Demo attack chain (figure): Outlook.exe is running -> email drops photo.zip as an attachment -> explorer.exe is called to extract the contents -> photo.exe drops several additional components.
How is it deployed?
No installation needed
Network appliance models and throughput (table):
- 7150: 500 Mbps
- 8050: 1 Gbps
- 8150: 2 Gbps
- 8350: 5 Gbps
- 8360: 10 Gbps
- 8370: 15 Gbps (AMP8370)
- 8390: 20 Gbps (AMP8390)
On-Premises Appliance
- Powerful security and compliance
- Local malware analysis backed by the full power of the Cisco AMP Threat Grid cloud
- For regulatory and policy compliance, all data remains on premises
- Continuous, one-way stream of federated data from Cisco AMP Threat Grid helps ensure full context
- Consistent user experience from cloud to appliance (UI, API, etc.)
TG5000: up to 1500 sample analyses / day; Cisco UCS C220 M3 chassis (1U); 6 x 1TB SAS HDD with LSI hardware RAID
TG5500: up to 5000 sample analyses / day; Cisco UCS C220 M3 chassis (1U); 6 x 1TB SAS HDD with LSI hardware RAID
Endpoint Installer
Exclusions to consider: proxy servers? firewall rules? SSL proxies?
Third-party products to account for: Carbon Black, ZoneAlarm, AppGuard
Cloud Connections
Exclusions: CSIDL values; wildcards
AMP Privacy
Privacy data-flow (figure): Talos receives files to be analysed, file hashes and federated data. On the customer premise: AMP Threat Grid Dynamic Analysis Appliance; Cisco AMP Private Cloud Appliance 2.x; Cisco FirePOWER Sensor; Cisco Email Security Appliance; Cisco Web Security Appliance; Endpoint.
Summary
Not anti-virus, but a way to address the unknown threats that exist in the environment.
Related Sessions
BRKSEC-2053 -- Using AMP Everywhere and AMP Threat Grid to defeat malware attacks
BRKSEC-2056 -- Threat Centric Network Security
BRKSEC-2058 -- A Deep Dive into using the Firepower Manager
All sessions recorded and placed on the Cisco Live 365 site with PDFs.
Call to Action
Thank you