
Intermediate Advanced Malware Protection
BRKSEC-2139
Eric L. Howard, Technical Marketing Engineer - @ericlhoward


BRKSEC-2139 Abstract
There is no question that the threat landscape has changed. Security professionals have moved from defending against LOVELETTER and SQL Slammer to Zeus and CryptoLocker. The driving force behind these threats has gone from mostly security researchers with intellectual curiosity to patient, funded, and highly motivated individuals with well-defined targets. Viruses, worms, spyware, adware, and the like are all connected pieces of crimeware infrastructure designed to ensure that breaches are difficult to catch and allow for continuous access while remaining hidden in plain sight.

Cisco Advanced Malware Protection [AMP] is designed to provide both defense and insight Before, During, and After these breach attempts. If you have struggled with the point of exposure or the extent of a breach, this session will show how Cisco AMP helps to detect infections, understand scope, and initiate remediation for protected systems no matter where they are at any moment.

Agenda

Introduction

Solving a difficult problem

Cisco Approach

How It Works

Demos

Technical Use Case

How To Get AMP

AMP Privacy

Conclusion

Threat Cycles over time

1985: Viruses
1995: Macro viruses
2000: Worms, hackers
2005: Spyware / rootkits
2010: Malware / APTs

Ok, got it!

But why aren't you stopping all the malware??

Solving a Difficult Problem

How difficult to solve?

Incident workflow shown on the slide's flowchart:
Notification -> Triage -> Confirm Infection (build test bed, static analysis, device analysis) -> outcome: Infection Identified / No Infection / Cannot Identify Infection
Infection Identified -> Quarantine -> Analyze Malware (malware profile, proliferation analysis, update profile) -> Define rules (from profile)
Control Malware Proliferation (search network traffic, network analysis, search device logs, scan devices) -> Remediate -> Search for Re-infection -> Stop

How do organizations address this difficult problem?

Time
Tools
Expense

Cisco Approach

Marty Roesch, Vice-President & Chief Architect, Cisco Security Business Group

Do Security Different!

Plan A: Prevention
Speed: real-time, dynamic decisions trained on real-world data
High accuracy, low false positives / negatives
Raise the bar, reduce attack surface
Mode: constant security control

Plan B: Retrospection
Track system behaviors regardless of disposition
In-flight correction (SPERO FXTrees)
Contain & correct damage, expel embedded intruders
Reveals malicious activity
Mode: continuous incident response

How It Works

Endpoint connector (Windows, Mac, Linux)
Exposes all file + network activity
Traps fingerprint & attributes
Traps traffic flow tuples
Containment

Mobile Connector (Android)
App installs

ASA & FirePOWER appliances
Detection of files
CnC protocol analysis
IP and URL reputation analysis
Exploit-kit detection
DNS sinkholing

WSA/ESA
Detection of files
IP and URL reputation analysis
SSL/TLS decryption
Proxy & MTA

Web-based Manager / Big Data Analytics (cloud)
Machine learning
Collective security intelligence
Dynamic file analysis sandbox
Detection publishing
Reputation data
Transaction processing
Reporting
Continuous analysis

How does it work? [High-Level]

Network/Content AMP: FireSIGHT Management Console; the sensor needs a malware license; no agent required. Detection services and data analytics run in the cloud.

AMP for hosts, servers and mobile devices: Web-based Manager [SaaS]. The connector traps file I/O and connection I/O, builds fingerprints & attributes, queries the cloud for the file disposition, and handles host-based remediation.

Plan A: The Prevention Framework

1-to-1 Signatures
Ethos
Spero
IOCs
Device Flow Correlation
Dynamic Analysis
Advanced Analytics

The Prevention Framework: 1-to-1 Signatures

Traditional technology; all vendors use it at some level
SHA-256
Cloud-enabled coverage
Full signature database protection
Custom detection capabilities
Specific file matches
Can be easily evaded by elementary file changes

Signatures (also called one-to-one): a very simple approach that ostensibly represents the approach taken by every vendor at one level.

How to generate 1-to-1 Signatures

Windows: md5deep, http://md5deep.sourceforge.net
UNIX / Mac OS X / Linux: sha(1), part of the base/core OS; GNU coreutils
Programmatic tools: Python hashlib; Perl Digest::SHA / Digest::SHA::PurePerl

Prevention Framework: Ethos Engine

ETHOS = fuzzy fingerprinting using static/passive heuristics
Polymorphic variants of a threat often have the same structural properties
Not concerned with binary contents
Higher multiplicity
Capture original and variants

Ethos/Fuzzy Fingerprint Demo

Prevention Framework: Ethos Engine

ETHOS = fuzzy fingerprinting
Traditionally created manually
Best analysts = few generic sigs/day
Directed at families of malware
Automated generic signature creation = SCALE
Can have more false positives than 1-to-1 signatures

Ethos: a generic signature capability, again ostensibly similar to the generic detection capabilities that some vendors provide.

Fuzzy Fingerprinting Tools

ClamAV sigtool, http://www.clamav.net
ssdeep, http://ssdeep.sourceforge.net
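The two preceding sections (1-to-1 SHA-256 signatures and Ethos-style fuzzy fingerprints) can be contrasted on the same bytes. The following is an added example, not code from the deck, Cisco, or the ssdeep project: it computes an exact SHA-256 signature and a deliberately simplified context-triggered piecewise hash (the idea behind ssdeep, not its actual algorithm), then shows that a one-byte patch defeats the exact match while the fuzzy similarity stays high. The "files" are constructed pseudo-random byte strings.

```python
# Added example (not from the BRKSEC-2139 deck): contrasts a 1-to-1 SHA-256
# signature with a simplified context-triggered piecewise hash (CTPH), the idea
# behind ssdeep. The CTPH below is a teaching toy, not ssdeep's algorithm.
import hashlib

WINDOW = 7         # bytes the rolling value looks at
TRIGGER_MOD = 16   # roughly one chunk boundary per 16 bytes
MIN_CHUNK = 4      # never cut a chunk shorter than this


def sha256_signature(data: bytes) -> str:
    """1-to-1 signature: the exact SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def fuzzy_chunks(data: bytes) -> set:
    """Content-defined chunking: cut where a rolling value over the last
    WINDOW bytes hits a trigger, then hash each chunk. A cut point depends only
    on nearby bytes, so chunks far from an edit are unchanged by it."""
    chunks, start = set(), 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1): i + 1]
        rolling = sum((k + 1) * b for k, b in enumerate(window))
        if rolling % TRIGGER_MOD == 0 and i + 1 - start >= MIN_CHUNK:
            chunks.add(hashlib.sha256(data[start:i + 1]).hexdigest()[:12])
            start = i + 1
    if start < len(data):
        chunks.add(hashlib.sha256(data[start:]).hexdigest()[:12])
    return chunks


def fuzzy_similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two chunk-hash sets: 0.0 (unrelated) .. 1.0."""
    ca, cb = fuzzy_chunks(a), fuzzy_chunks(b)
    return len(ca & cb) / len(ca | cb) if (ca or cb) else 1.0


def constructed_sample(seed: int, size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for a file (constructed)."""
    out, x = bytearray(), seed
    for _ in range(size):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


ORIGINAL = constructed_sample(1)
# "elementary file change": flip one byte, the classic 1-to-1 evasion
ONE_BYTE_VARIANT = ORIGINAL[:2000] + bytes([ORIGINAL[2000] ^ 0xFF]) + ORIGINAL[2001:]
# polymorphic-style variant: a blob inserted in the middle shifts everything after it
INSERT_VARIANT = ORIGINAL[:1000] + b"PADDING-BLOB-1" + ORIGINAL[1000:]
UNRELATED = constructed_sample(2)


def compare(original: bytes, candidate: bytes) -> dict:
    """What each engine would say about candidate relative to original."""
    return {
        "exact_match": sha256_signature(original) == sha256_signature(candidate),
        "fuzzy_similarity": round(fuzzy_similarity(original, candidate), 2),
    }


if __name__ == "__main__":
    for name, sample in [("one-byte variant", ONE_BYTE_VARIANT),
                         ("insert variant", INSERT_VARIANT),
                         ("unrelated file", UNRELATED)]:
        print(name, compare(ORIGINAL, sample))
```

The Jaccard score over chunk hashes is what gives the fuzzy engine its "higher multiplicity": one fingerprint convicts the original and its near variants, at the cost of the false-positive risk the slide notes for generic signatures, which is why a similarity threshold rather than equality is the decision rule.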

Prevention Framework: Spero Engine

SPERO = machine learning using active heuristics

Pipeline shown on the slide: hypothesis -> featureprint -> data / feature vectors -> machine learning algorithm -> predictive model (decision trees). Customer data produces an expected label [disposition]; data and labels feed performance monitoring.

Machine Learning Phase 1

Hypothesis -> CLEAN training data and DIRTY training data -> feature vectors + labels -> machine learning algorithm -> predictive model (decision trees)

Example features used on the slides:
DLLs loaded
Keyboard API?
Odd window sizing
System environment exports

Machine Learning Phase 2

Hypothesis -> file featureprint -> machine learning algorithm -> predictive model (decision trees) -> expected label [disposition]: Clean / Unknown / Malware
Customer data and performance monitoring feed back into the model

Prevention Framework: Spero Engine

AMP labels = attributes derived during execution:
Network connections?
Non-standard protocols for an application?
Hooking which APIs?
Filesystem changes? (copies itself, moving files)
Launching other processes?

Machine learning decision tree outcomes: confirmed malware, possible malware, unknown, possible clean file, confirmed clean file

Over 400 attributes analyzed to identify malware

Prevention Framework: Spero Process

The slide shows seven numbered steps between the machine and the AMP Cloud (reconstructed from the diagram text):

1. New software application arrives on a machine in the installed base.
2. Relevant features are extracted from the application using Spero machine learning techniques.
3. The features are used to form a feature vector.
4. The feature vector is compressed into a short feature print using a compression algorithm.
5. The compressed feature print is transmitted to the Cisco AMP Cloud.
6. The feature print is decompressed and evaluated using a custom machine learning model; the cloud server computes the final answer, and the result is communicated to the end user and logged.
7. Logs are aggregated; techniques from distributed computing, large-scale data mining, machine learning and other technologies are used to generate a new model (from actual in-field data!).

Prevention Framework: Spero Engine

Machine Learning
Automatically constructs a framework
Needs data to learn/adjust
Requires large sets of good data
Behavior modeling
Discovers patterns better than human analysts
0-day insight is the goal
Built to identify new malware

Spero: a machine-learning based technology that proactively identifies threats that were previously unknown. Uses active heuristics to gather execution attributes. Needs good data in large sets to tune.
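The Spero slides above describe training decision trees on labelled CLEAN and DIRTY feature vectors (phase 1) and then monitoring predictions against expected labels (phase 2). The following is an added example and not Cisco's Spero implementation: a small ID3 decision-tree learner over execution attributes named after the slides. The training vectors, labels and attribute names are constructed for illustration, not real AMP telemetry.

```python
# Added example (not from the BRKSEC-2139 deck): a Spero-style decision-tree
# classifier built with ID3 over execution attributes, plus the phase-2 step of
# checking predictions against expected labels. The feature names echo the
# slides; the training vectors and labels are constructed, not real telemetry.
import math
from collections import Counter

FEATURES = ("hooks_keyboard_api", "odd_window_sizing", "copies_itself",
            "nonstandard_protocol", "launches_processes")


def featureprint(hooks_kb, odd_win, copies, nonstd, launches):
    """Feature vector as a dict of 0/1 execution attributes."""
    return dict(zip(FEATURES, (hooks_kb, odd_win, copies, nonstd, launches)))


# Constructed CLEAN and DIRTY training data (no two vectors conflict).
CLEAN_TRAINING = [featureprint(0, 0, 0, 0, 1), featureprint(0, 0, 0, 0, 0),
                  featureprint(1, 0, 0, 0, 0), featureprint(0, 0, 1, 0, 0),
                  featureprint(0, 1, 0, 0, 0)]
DIRTY_TRAINING = [featureprint(1, 1, 0, 0, 0), featureprint(1, 0, 1, 1, 0),
                  featureprint(0, 0, 1, 1, 1), featureprint(1, 1, 1, 0, 1),
                  featureprint(0, 1, 0, 1, 1)]
TRAINING = ([(fp, "CLEAN") for fp in CLEAN_TRAINING]
            + [(fp, "DIRTY") for fp in DIRTY_TRAINING])


def entropy(rows):
    counts = Counter(label for _, label in rows)
    return -sum(c / len(rows) * math.log2(c / len(rows)) for c in counts.values())


def information_gain(rows, feature):
    remainder = 0.0
    for value in (0, 1):
        subset = [r for r in rows if r[0][feature] == value]
        if subset:
            remainder += len(subset) / len(rows) * entropy(subset)
    return entropy(rows) - remainder


def build_tree(rows, features=FEATURES):
    """ID3: split on the feature with the highest information gain until a
    node is pure or no features remain. Leaves are label strings."""
    majority = Counter(label for _, label in rows).most_common(1)[0][0]
    if len({label for _, label in rows}) == 1 or not features:
        return majority
    best = max(features, key=lambda f: information_gain(rows, f))
    rest = tuple(f for f in features if f != best)
    yes = [r for r in rows if r[0][best] == 1]
    no = [r for r in rows if r[0][best] == 0]
    return {"feature": best,
            "yes": build_tree(yes, rest) if yes else majority,
            "no": build_tree(no, rest) if no else majority}


def predict(tree, fp):
    """Walk the tree with a featureprint and return CLEAN or DIRTY."""
    while isinstance(tree, dict):
        tree = tree["yes"] if fp[tree["feature"]] else tree["no"]
    return tree


def performance(tree, labelled):
    """Phase-2 performance monitoring: confusion counts vs expected labels."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for fp, expected in labelled:
        if predict(tree, fp) == "DIRTY":
            counts["TP" if expected == "DIRTY" else "FP"] += 1
        else:
            counts["TN" if expected == "CLEAN" else "FN"] += 1
    return counts


MODEL = build_tree(TRAINING)

if __name__ == "__main__":
    print(MODEL)
    print(predict(MODEL, featureprint(0, 0, 1, 0, 1)), performance(MODEL, TRAINING))
```

With this constructed data the root split lands on the non-standard-protocol attribute, which illustrates the slide's "needs good data in large sets to tune" point from the other side: ten hand-made vectors produce a tree that is confident far beyond what it has seen, so the phase-2 confusion counts on held-out customer data, not training accuracy, are what decide whether a model ships.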

Summary of Frontline Prevention engines

1-1 Signatures
Capability: unique file matching
Feature: very fast protection across all products
Detection delivery: public cloud, private cloud, simple custom detection
Usage notes: easily evaded
Products using this capability: AMP for Endpoints, AMP for Networks, ESA/WSA/CWS + AMP (AMP Everywhere)

Ethos
Capability: generic fingerprints
Feature: one fingerprint that can convict multiple files/polymorphic variants
Detection delivery: public cloud, private cloud, advanced custom detection
Usage notes: PE files; can have FPs
Products using this capability: AMP for Endpoints

Spero
Capability: 0-day detection w/o file upload
Feature: machine-learning engines, providing behavior-based decisions
Detection delivery: public cloud, private cloud
Usage notes: requires file structure knowledge; can have FPs
Products using this capability: AMP for Endpoints, AMP for Networks, ESA/WSA/CWS + AMP

AMP for Networks Inspection

AMP in the network inspection path

When AMP Blocks Files & Malware

Prevention Framework: IOCs

IOC = Indicators of Compromise
Specific artifacts left on a system after an intrusion/breach
A language used to express threat information; these information sets describe how/where to detect the signs of an intrusion/breach
Can be host-based and/or network-based artifacts, but scan actions are carried out on the host
OpenIOC 1.1 derived

Wikipedia: an indicator of compromise in computer forensics is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion.
http://en.wikipedia.org/wiki/Indicator_of_compromise

Prevention Framework: IOCs

Diagram (two slides): IOCs, either customer created or shared content, are pushed through the Cisco AMP Cloud to the endpoints, and the resulting events are returned to the console.

Endpoint IOCs: Where do they come from?

Cisco: Talos & RET teams
Community: https://www.iocbucket.com/
Intelligence sites/feeds and sharing orgs: http://www.isaccouncil.org/
Integration w/ threat intel

Protection Framework: IOCs

Uses host resources [memory/CPU/disk] to scan for artifacts
Allows correlated artifact searching to pinpoint a breach
**Not real-time**
Custom IOCs supported
Community for information sharing to come
FileItem, RegistryItem, EventLogItem, ProcessItem, ServiceItem, etc
http://www.openioc.org

Indicators of Compromise: a system to describe the artifacts of compromise, and the methods to detect them. Very-high confidence indicators.
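The IOC slides describe OpenIOC-style indicators built from FileItem, ProcessItem and similar terms, combined with AND/OR logic and scanned on the host. As an added example (not Cisco's endpoint IOC scanner and not an official OpenIOC tool), here is a minimal evaluator for the Indicator / IndicatorItem structure run against constructed host inventories. The IOC document, its id, and the inventories are constructed; the file names and the Outlook temp location are the ones the deck's trajectory example mentions.

```python
# Added example (not from the BRKSEC-2139 deck): a minimal evaluator for the
# OpenIOC Indicator / IndicatorItem structure against a constructed inventory
# of FileItem and ProcessItem records. IOC document and inventories are
# constructed for illustration.
import xml.etree.ElementTree as ET

NS = {"ioc": "http://openioc.org/schemas/OpenIOC_1.1"}

CONSTRUCTED_IOC = r"""<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1" id="constructed-ioc-0001">
  <short_description>Constructed: csrss.exe in an Outlook temp folder, or photo.exe running</short_description>
  <criteria>
    <Indicator operator="OR">
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">csrss.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\Content.Outlook\</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem condition="is">
        <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
        <Content type="string">photo.exe</Content>
      </IndicatorItem>
    </Indicator>
  </criteria>
</OpenIOC>"""

# Constructed host inventories: document name -> records keyed by search path
INFECTED_HOST = {
    "FileItem": [
        {"FileItem/FileName": "csrss.exe",
         "FileItem/FullPath": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\ABC123\csrss.exe"},
        {"FileItem/FileName": "csrss.exe", "FileItem/FullPath": r"C:\Windows\System32\csrss.exe"},
    ],
    "ProcessItem": [{"ProcessItem/name": "outlook.exe"}],
}
CLEAN_HOST = {
    "FileItem": [{"FileItem/FileName": "csrss.exe", "FileItem/FullPath": r"C:\Windows\System32\csrss.exe"}],
    "ProcessItem": [{"ProcessItem/name": "outlook.exe"}],
}
RUNNING_DROPPER_HOST = {"FileItem": [], "ProcessItem": [{"ProcessItem/name": "photo.exe"}]}


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}")[-1]


def item_matches(item, inventory):
    """One IndicatorItem: does any record of its document satisfy the condition?"""
    ctx = item.find("ioc:Context", NS)
    content = (item.find("ioc:Content", NS).text or "").lower()
    condition = item.get("condition", "is")
    negate = item.get("negate", "false").lower() == "true"
    hit = False
    for record in inventory.get(ctx.get("document"), []):
        value = str(record.get(ctx.get("search"), "")).lower()
        if condition == "is":
            hit = value == content
        elif condition == "contains":
            hit = content in value
        else:
            raise ValueError("unsupported condition: " + condition)
        if hit:
            break
    return hit != negate


def indicator_matches(indicator, inventory):
    """Combine child Indicators/IndicatorItems with the node's AND/OR operator."""
    results = []
    for child in indicator:
        if local(child.tag) == "Indicator":
            results.append(indicator_matches(child, inventory))
        elif local(child.tag) == "IndicatorItem":
            results.append(item_matches(child, inventory))
    is_and = indicator.get("operator", "OR").upper() == "AND"
    return all(results) if is_and else any(results)


def scan_host(ioc_xml, inventory):
    """True if the host inventory satisfies the IOC's top-level criteria."""
    root = ET.fromstring(ioc_xml)
    return indicator_matches(root.find("ioc:criteria/ioc:Indicator", NS), inventory)


if __name__ == "__main__":
    for name, host in [("infected", INFECTED_HOST), ("clean", CLEAN_HOST),
                       ("dropper running", RUNNING_DROPPER_HOST)]:
        print(name, scan_host(CONSTRUCTED_IOC, host))
```

One caveat worth keeping in mind when writing IOCs: this toy evaluates each IndicatorItem independently over the whole inventory, so an AND of FileName and FullPath can be satisfied by two different files (here the legitimate System32\csrss.exe and the dropped one). A production scanner scopes the items of an AND to the same record; when yours does not, put the discriminating condition on a single field such as the full path.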

Prevention Framework: Device Flow Correlation

Device Flow Correlation [DFC] records per flow: timestamp, device IP/port/protocol, destination IP/port/protocol, URLs / domains, file downloads

Prevention Framework: Device Flow Correlation

Device Flow Correlation: a kernel-level view into network I/O. Allows blocking or alerting on network activity, traced back to the initiating process.
Internal and external networks monitored
IP reputation data
URL / domain logging
Dropper detection/removal in unknown files
Cisco provided intelligence: generic CnC servers, phishing hosts, ZeroAccess CnC servers, etc
Flow points = extra telemetry data, not disposition specific
Custom-defined lists

Prevention Framework: Advanced Analytics

Context from spectrum techniques:
Dropkick: examines dropped file relationships over a 24 hour period
Recon: age of a file in an entire install base
Prevalence: frequency of file execution inside the organization

Advanced Analytics: a set of multi-faceted engines that provide large-data context, beyond a single host and beyond a single file. Can uncover new threats missed by a narrow focus.

Advanced Analytics - Prevalence

Prevention Framework: Dynamic Analysis Sandbox

Outside-in approach: an external kernel monitor with no presence in the VM
Dynamic disk analysis shows modifications to the physical disk [e.g. MBR]
Dynamic analysis includes: user interaction, video capture & playback, process info, artifacts, network traffic, I/O calls

Privilege rings, least privileged to most privileged:
Ring 3: applications
Ring 2: (mostly unused)
Ring 1: device drivers
Ring 0: guest OS
Ring -1: instrumented hypervisor
Hardware

Prevention Framework: Dynamic Analysis

AMP Threat Grid
Average sample analysis = 7.5 minutes
Malware sample interaction [defeat CAPTCHAs]
Video recording of malware actions
Watch from the inside, from the outside
More than just a sandbox

Dynamic Analysis: high-fidelity security intelligence, analysis reports, and decision support. Threat scores provide context beyond typical good/bad decisions. Key tool for SOC, incident response, and security intelligence teams.

AMP Threat Grid Demo

Plan A: The Prevention Framework

1-to-1 Signatures, Ethos, Spero, IOCs, Device Flow Correlation, Dynamic Analysis, Advanced Analytics

Prevention Eventually Fails

Plan B: The Retrospection Framework

Retrospective Security
Continuous Protection

Plan B: Retrospection Framework

Typical analysis: analysis stops after the initial disposition. The file is sandboxed and the disposition = CLEAN; later it is actually BAD, and by then it is too late. Reasons the sandbox misses it: sleep techniques, unknown protocols, encryption, performance.

Continuous analysis: analysis continues after the initial disposition = CLEAN, and a retrospective alert is sent later when the disposition changes to BAD.

When you can't detect 100%, visibility is critical

File Lookup and Retrospection

Diagram: connectors send a file query (connector ID, SHA, SPERO, ETHOS, DFC) to the Cisco TALOS cloud; the network sensor sends a file query (connector ID, SHA, SPERO). The cloud returns a response disposition from 1-to-1 signatures, fuzzy fingerprinting, machine learning and DFC, and records the SHA conviction. Advanced analytics and dynamic analysis can produce a changed disposition, which lands in the retrospective queue and is returned on the next retrospective query (PING2).

Retrospective Security
Does not use the disposition of files or the reputation of connections as an action marker: log everything we can
Uncover 0-day entry points
Telemetry data = behavior modeling for cloud-based IOCs
New intelligence can highlight existing issues; enables continuous IR capabilities
Host behavior record for breach timeline and environment prevalence

Retrospective Engine: a technology that provides the ability to look back over collected data to provide new insight.
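The retrospection slides above come down to one discipline: record every file event regardless of its disposition at the time, and when the cloud later changes a SHA's disposition, look back over the record. The following is an added example and not Cisco's retrospective engine: an in-memory event log with a conviction hook that produces the retrospective alert, a per-host breach timeline and an environment-prevalence count. Events, hosts and SHA placeholders are constructed.

```python
# Added example (not from the BRKSEC-2139 deck): a minimal retrospective engine.
# Every file event is logged regardless of disposition; when a SHA's
# disposition later changes to MALICIOUS, the engine looks back over the log
# and raises one alert covering every host that already saw that file.
# Events, host names and SHA placeholders below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: int           # epoch seconds
    host: str
    sha256: str
    action: str       # create | execute | move
    disposition: str  # what the cloud answered at the time of the event


class RetrospectiveEngine:
    def __init__(self):
        self.log = []            # "log everything we can"
        self.dispositions = {}   # sha256 -> current disposition

    def observe(self, event: FileEvent):
        """Record a file event whatever its disposition was at the time."""
        self.log.append(event)
        self.dispositions.setdefault(event.sha256, event.disposition)

    def change_disposition(self, sha256, new_disposition, ts):
        """Apply a changed disposition (the retrospective-query answer).
        Returns a retrospective alert only on a new conviction, else None."""
        old = self.dispositions.get(sha256, "UNKNOWN")
        self.dispositions[sha256] = new_disposition
        if new_disposition != "MALICIOUS" or old == "MALICIOUS":
            return None
        seen = sorted((e for e in self.log if e.sha256 == sha256 and e.ts < ts),
                      key=lambda e: e.ts)
        return {
            "sha256": sha256,
            "convicted_at": ts,
            "hosts": sorted({e.host for e in seen}),
            "executed_on": sorted({e.host for e in seen if e.action == "execute"}),
            "events": seen,
        }

    def breach_timeline(self, host):
        """Host behavior record, oldest first, for building a breach timeline."""
        return sorted((e for e in self.log if e.host == host), key=lambda e: e.ts)

    def prevalence(self, sha256):
        """Environment prevalence: number of distinct hosts that saw the file."""
        return len({e.host for e in self.log if e.sha256 == sha256})


SHA_PHOTO = "CONSTRUCTED-SHA256-photo.exe"
SHA_NOTEPAD = "CONSTRUCTED-SHA256-notepad.exe"
SAMPLE_EVENTS = [  # constructed telemetry; dispositions are what the cloud said then
    FileEvent(1419848000, "ws-01", SHA_PHOTO, "create", "CLEAN"),
    FileEvent(1419848060, "ws-01", SHA_PHOTO, "execute", "CLEAN"),
    FileEvent(1419849000, "ws-02", SHA_PHOTO, "create", "CLEAN"),
    FileEvent(1419850000, "ws-03", SHA_PHOTO, "execute", "UNKNOWN"),
    FileEvent(1419850500, "ws-01", SHA_NOTEPAD, "execute", "CLEAN"),
]


def run_scenario():
    """Replay the sample events, then convict SHA_PHOTO; return engine + alert."""
    engine = RetrospectiveEngine()
    for event in SAMPLE_EVENTS:
        engine.observe(event)
    alert = engine.change_disposition(SHA_PHOTO, "MALICIOUS", 1419852189)
    return engine, alert


if __name__ == "__main__":
    engine, alert = run_scenario()
    print("retrospective alert for", alert["hosts"], "executed on", alert["executed_on"])
    for e in engine.breach_timeline("ws-01"):
        print(e.ts, e.action, e.sha256, "(disposition then:", e.disposition + ")")
```

The point the slide makes with "Analysis Stops After Initial Disposition" is visible in the data: three hosts had already created or executed the file while its disposition was CLEAN or UNKNOWN, and without the log there would be nothing to alert on once the conviction arrives.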

AMP for Networks Demo

AMP for Endpoints Demo

Technical Use Case Study: Threat Hunting

New threat uncovered in the wild (TALOS Threat Research)
Multiple samples correlated; DGA cracked (TALOS Threat Research)
Cloud IOCs created in advance of domain registrations

Threat Hunting with a Generic IOC Event

Between: 2014/12/29-11:23:08 UTC AND 2014/12/29-11:23:08 UTC

{"bg":"4750adf7-0fa7-4ebf-be8b-d44bd250f51c","tid":1107296274,"ts":1419852189,"tsns":347000000,"agg":[],
 "fg":"7e9d7d2a-b554-50f4-3ebb-d275f6f9aa30","ag":"e75f997c-af6e-489c-a5fd-b9e2c15e3ade","id":1419852189347000727,
 "data":{"id":"dcc66a98-5658-41d4-a1ca-887933a8b24f",
  "short_description":"Generic Botnet Communication",
  "description":"Accessed URL matches characteristics of several malware families.",
  "authored_by":"FireAMPQA","authored_date":"2014-01-13T17:29:20","links":"\n 1.0\n ",
  "tser":[1419852188,1419852188],"ts":1419852188,"shd":null,
  "shp":"78617ddf9a0067a32cb5d87a796c93a9618ac006ccdcb3c7c824fdeb6ec5fd59",
  "ip":"5.149.251.132","p":80,"url":"http://poppingx.com/and/gate.php"}}

Use Case: Threat Hunting with a Generic IOC Event

Can begin search using any data from the IOC event

Device Trajectory can be used to determine host details: link between processes, file name, location on disk

File Trajectory can be used to focus on the threat: SHA, URL, IP address; malware gateway, threat details, file analysis

Custom Detection to control files: remediate without escalation, quickly quarantine files, immediate protection across all systems

Retrospection Framework: Trajectory

Timeline shown on the slide:
Outlook.exe is running
Email drops photo.zip as an attachment
explorer.exe called to extract contents
photo.exe was executed
photo.exe contacts a website via http
photo.exe drops several additional components
Executes a file named csrss.exe in the Outlook TMP directory
Beacons to the site listed in our cracked DGA - IOC Events
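The hunting use case and the trajectory slide above describe the pivot: take the SHA, IP and URL from the generic IOC event, find the Device Flow Correlation records that match, trace each flow back to its initiating process, and walk the process tree for parents and dropped children. As an added example (not Cisco's Device Trajectory or File Trajectory code), the block below does that over constructed telemetry. The event fields (shp, ip, p, url) carry the values shown on the slide; the flow records, process tree, host names and the CONSTRUCTED-SHA placeholders are made up for the example.

```python
# Added example (not from the BRKSEC-2139 deck): pivoting from a generic IOC
# event into Device Flow Correlation records and the process tree to rebuild a
# trajectory. Event values are the ones shown on the slide; the DFC flows,
# process tree and CONSTRUCTED-SHA placeholders are constructed telemetry.
import json
from urllib.parse import urlparse

IOC_EVENT_JSON = json.dumps({"data": {
    "short_description": "Generic Botnet Communication",
    "shp": "78617ddf9a0067a32cb5d87a796c93a9618ac006ccdcb3c7c824fdeb6ec5fd59",
    "ip": "5.149.251.132", "p": 80, "url": "http://poppingx.com/and/gate.php"}})

# constructed DFC records: (timestamp, host, initiating pid, dst ip, dst port, url)
DFC_FLOWS = [
    (1419852100, "ws-01", 4120, "5.149.251.132", 80, "http://poppingx.com/and/gate.php"),
    (1419852110, "ws-01", 2200, "203.0.113.10", 443, "https://mail.example.test/owa"),
    (1419852300, "ws-07", 980, "5.149.251.132", 80, None),
    (1419852400, "ws-09", 1500, "198.51.100.7", 80, "http://poppingx.com/and/gate.php"),
]
# constructed process tree: (host, pid) -> parent pid, image name, SHA-256
PROCESSES = {
    ("ws-01", 1000): {"ppid": 0, "name": "explorer.exe", "sha256": "CONSTRUCTED-SHA-EXPLORER"},
    ("ws-01", 2200): {"ppid": 1000, "name": "outlook.exe", "sha256": "CONSTRUCTED-SHA-OUTLOOK"},
    ("ws-01", 4120): {"ppid": 1000, "name": "photo.exe",
                      "sha256": "78617ddf9a0067a32cb5d87a796c93a9618ac006ccdcb3c7c824fdeb6ec5fd59"},
    ("ws-01", 5010): {"ppid": 4120, "name": "csrss.exe", "sha256": "CONSTRUCTED-SHA-DROPPED"},
    ("ws-07", 980): {"ppid": 4, "name": "updater.exe", "sha256": "CONSTRUCTED-SHA-UPDATER"},
    ("ws-09", 1500): {"ppid": 900, "name": "chrome.exe", "sha256": "CONSTRUCTED-SHA-CHROME"},
}


def hunt_keys(event_json):
    """Pull the pivot values out of the IOC event: SHA, IP, port, URL, domain."""
    d = json.loads(event_json)["data"]
    return {"sha256": d["shp"], "ip": d["ip"], "port": d["p"], "url": d["url"],
            "domain": urlparse(d["url"]).hostname}


def matching_flows(keys):
    """DFC records whose destination IP or URL domain matches the event."""
    hits = []
    for ts, host, pid, ip, port, url in DFC_FLOWS:
        domain = urlparse(url).hostname if url else None
        if ip == keys["ip"] or domain == keys["domain"]:
            hits.append((ts, host, pid))
    return hits


def ancestry(host, pid):
    """Process chain root-first, e.g. explorer.exe -> photo.exe."""
    chain = []
    while (host, pid) in PROCESSES:
        chain.append(PROCESSES[(host, pid)]["name"])
        pid = PROCESSES[(host, pid)]["ppid"]
    return list(reversed(chain))


def children(host, pid):
    """Images launched by the given process (dropped components, in the slide's story)."""
    return sorted(p["name"] for (h, _), p in PROCESSES.items()
                  if h == host and p["ppid"] == pid)


def hunt(event_json):
    """Device-trajectory style report per host: initiating process, lineage, drops."""
    keys = hunt_keys(event_json)
    report = {}
    for ts, host, pid in matching_flows(keys):
        proc = PROCESSES[(host, pid)]
        report[host] = {"ts": ts, "pid": pid, "process": proc["name"],
                        "sha_match": proc["sha256"] == keys["sha256"],
                        "ancestry": ancestry(host, pid), "children": children(host, pid)}
    return report


def custom_detection_list(report):
    """SHAs for a simple custom detection: each confirmed sample and what it launched."""
    shas = set()
    for host, entry in report.items():
        if not entry["sha_match"]:
            continue
        shas.add(PROCESSES[(host, entry["pid"])]["sha256"])
        for (h, _), p in PROCESSES.items():
            if h == host and p["ppid"] == entry["pid"]:
                shas.add(p["sha256"])
    return sorted(shas)


if __name__ == "__main__":
    report = hunt(IOC_EVENT_JSON)
    for host, entry in report.items():
        print(host, entry)
    print("custom detection:", custom_detection_list(report))
```

Two of the three hits are not the known sample: ws-07 reaches the IP from a different image and ws-09 reaches the domain at a different IP (the DGA rotating). Both are exactly the cases the slide's "can begin search using any data from the IOC event" is about, and they are why the custom-detection list is built only from confirmed SHA matches and their children rather than from every host that touched the indicator.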

How is it deployed?

How do I get AMP?

AMP for Networks/Content
No installation needed
Capabilities are included on network and content platforms
License at the platform manager [e.g. FMC] is needed to enable features
Subscription is needed for cloud queries

AMP for Endpoints
Get a cloud account
Download the full installer for software management tools [SCCM, GPO, etc]
Subscription is needed for cloud queries

AMP Appliance Throughput

Model   Throughput
7150    500 Mbps
8050    1 Gbps
8150    2 Gbps
8350    5 Gbps
8360    10 Gbps
8370    15 Gbps
8390    20 Gbps

(pictured: AMP8360, AMP8370, AMP8390)

AMP Threat Grid On-Premises Appliance
Powerful security and compliance
Local malware analysis backed by the full power of Cisco AMP Threat Grid's cloud
For regulatory and policy compliance, all data remains on premises
Continuous, one-way stream of federated data from Cisco AMP Threat Grid helps ensure full context
Consistent user experience from cloud to appliance (UI, API, etc.)

TG5000: up to 1500 sample analyses / day; Cisco UCS C220 M3 chassis (1U); 6 x 1TB SAS HDD with LSI hardware RAID
TG5500: up to 5000 sample analyses / day; Cisco UCS C220 M3 chassis (1U); 6 x 1TB SAS HDD with LSI hardware RAID

Endpoint Installer

Installation Preparation - IMPORTANT

Connect?ivity
Cloud connectivity is required for updated protection
Proxy servers? Firewall rules? SSL proxies?

Exclusions
Exclusions can help us coexist
Exclude the protection and quarantine directories of other security tools
Other tools have to exclude our install directories
Some vendor tools do not coexist well today; configuration assistance advised: Carbon Black, ZoneAlarm, AppGuard

Cloud Connections

Event Server: enterprise-event.eu.amp.sourcefire.com
Management Server: enterprise-mgt.eu.amp.sourcefire.com
Policy Server: policy.eu.amp.sourcefire.com.s3.amazonaws.com
Endpoint IOC downloads: endpoint-ioc-prod-eu.s3.amazonaws.com
File Lookups: cloud-ec.eu.amp.sourcefire.com
Error Reporting: crash.eu.amp.sourcefire.com
Submission Server: submit.eu.amp.sourcefire.com
Update Server for TETRA: update.immunet.com

Exclusions

Default exclusions should cover many existing tools
CSIDL values
Wildcards
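The exclusion slides say entries are written with CSIDL values and wildcards, and the preparation slide says other tools' quarantine directories must be excluded. As an added example (not the connector's own exclusion engine), the block below resolves CSIDL-prefixed wildcard entries against concrete paths so an administrator can check what an exclusion list will and will not cover before deploying it. The CSIDL names are the standard Windows shell-folder identifiers; the folder paths they resolve to and the exclusion entries are constructed for this example.

```python
# Added example (not from the BRKSEC-2139 deck): resolving CSIDL-prefixed
# wildcard exclusion entries against file paths. CSIDL_* names are standard
# Windows shell-folder identifiers; the resolved paths and the exclusion
# entries below are constructed for one hypothetical host.
import fnmatch

CSIDL_PATHS = {  # constructed resolution on the hypothetical host
    "CSIDL_PROGRAM_FILES": r"C:\Program Files",
    "CSIDL_PROGRAM_FILESX86": r"C:\Program Files (x86)",
    "CSIDL_WINDOWS": r"C:\Windows",
    "CSIDL_COMMON_APPDATA": r"C:\ProgramData",
    "CSIDL_PROFILE": r"C:\Users\alice",
}

EXCLUSIONS = [  # constructed entries in "CSIDL_NAME\relative\pattern" form
    r"CSIDL_PROGRAM_FILES\OtherAV\Quarantine\*",
    r"CSIDL_COMMON_APPDATA\OtherAV\Definitions\*.dat",
    r"CSIDL_WINDOWS\Temp\*.tmp",
]


def normalise(path: str) -> str:
    """Windows paths are case-insensitive; compare lower-cased with backslashes."""
    return path.replace("/", "\\").lower()


def expand(entry: str, csidl_paths: dict) -> str:
    """Replace a leading CSIDL_* token with the host's resolved folder."""
    prefix, _, rest = entry.partition("\\")
    if prefix.startswith("CSIDL_"):
        if prefix not in csidl_paths:
            raise KeyError("unknown CSIDL value: " + prefix)
        return normalise(csidl_paths[prefix] + ("\\" + rest if rest else ""))
    return normalise(entry)


def matching_exclusion(path: str, exclusions=EXCLUSIONS, csidl_paths=CSIDL_PATHS):
    """Return the first exclusion entry that covers path, or None.
    Note: fnmatch's '*' also matches backslashes, so 'Quarantine\\*' covers
    nested subdirectories as well as files directly inside the folder."""
    target = normalise(path)
    for entry in exclusions:
        if fnmatch.fnmatchcase(target, expand(entry, csidl_paths)):
            return entry
    return None


if __name__ == "__main__":
    for candidate in [r"C:\Program Files\OtherAV\Quarantine\sample.vir",
                      r"C:\Windows\Temp\a.exe",
                      r"C:\Users\alice\Downloads\photo.exe"]:
        print(candidate, "->", matching_exclusion(candidate))
```

Two things to check before shipping a list like this: that the pattern is as narrow as the coexistence problem requires (an `*` at the root of another product's install directory also excludes anything an attacker drops there), and that paths containing `[` or `]` are escaped, since fnmatch treats brackets as a character class.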

AMP Privacy

Diagram: data exchanged with Talos consists of files to be analysed, file hashes and federated data. Components on the customer premise: AMP Threat Grid dynamic analysis appliance, Cisco AMP Private Cloud Appliance 2.x, Cisco ASA with FirePOWER Services, Cisco FirePOWER sensor, Cisco Email Security Appliance, Cisco Web Security Appliance, and the endpoint.

Summary

Cisco Advanced Malware Protection provides both Prevention AND Retrospection capability for content gateways, network inspection points, and endpoints
Not anti-virus, but a way to address the unknown threats that exist in the environment
Removes the Persistence from Advanced Persistent Threats
Every organization WILL suffer a breach

Other great sessions

Related Sessions
BRKSEC-2053 -- Using AMP Everywhere and AMP Threat Grid to defeat malware attacks
BRKSEC-2056 -- Threat Centric Network Security
BRKSEC-2058 -- A Deep Dive into using the Firepower Manager

All sessions recorded and placed on the Cisco Live 365 site w/ PDFs

Download the Annual Security Report

Cisco 2016 Annual Security Report, now available: cisco.com/go/asr2016

Call to Action

Visit the World of Solutions for Cisco Campus AMP for Networks / AMP for Endpoints / AMP Threat Grid, Walk-in Labs, Technical Solution Clinics
Meet the Engineer
Lunch and Learn topics
DevNet zone related sessions

Complete Your Online Session Evaluation

Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Thank you
