10. Plan A: The Prevention Framework
• 1-to-1 Signatures
• Ethos
• Spero
• IOCs
• Dynamic Analysis
• Advanced Analytics
• Device Flow Correlation
11. The Prevention Framework: 1-to-1 Signatures
• Traditional technology; all vendors use it at some level
– SHA-256
– Cloud-Enabled Coverage
– Full Signature Database Protection
– Custom Detection Capabilities
Signatures (also called one-to-one): a very simple approach that ostensibly represents the approach taken by every vendor at one level.
• Specific file matches
• Can be easily evaded by elementary file changes.
12. Prevention Framework: Ethos Engine
• ETHOS = Fuzzy Fingerprinting using static/passive heuristics
– Polymorphic variants of a threat often have the same structural properties
– Not concerned with binary contents
– Higher multiplicity
• Capture original and variants
– Traditionally created manually
– Best analysts = few generic sigs/day
– Automated generic signature creation = SCALE
Ethos: a generic signature capability, again ostensibly similar to the generic detection capabilities that some vendors provide.
• Directed at families of malware
• Can have more false-positives than 1-to-1 signatures
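The contrast between the two slides above (an exact SHA-256 match that a single changed byte evades, versus a structure-based generic signature that tolerates byte changes but can fire on look-alikes) is easy to see in code. The example below is added here and is not Cisco's Ethos implementation: the "toy executable" format, the `structural_fingerprint` stand-in (a digest of section names and sizes only), and all three samples are constructed for illustration.

```python
import hashlib
from typing import Dict, List, Tuple

# Toy "executable" format constructed for this example: an ordered list of
# (section name, section payload). Real engines work on PE/ELF/Mach-O structure;
# this stand-in only needs enough shape to show the two matching strategies.
Section = Tuple[str, bytes]


def serialize(sections: List[Section]) -> bytes:
    """Flatten the toy format to bytes so it can be hashed like a real file."""
    out = b""
    for name, payload in sections:
        out += name.encode() + b":" + len(payload).to_bytes(4, "big") + payload
    return out


def one_to_one_signature(sections: List[Section]) -> str:
    """1-to-1 signature: SHA-256 over the exact file bytes."""
    return hashlib.sha256(serialize(sections)).hexdigest()


def structural_fingerprint(sections: List[Section]) -> str:
    """Hypothetical generic signature (not Ethos): digest of the layout only, i.e.
    section names and sizes, deliberately ignoring section contents so polymorphic
    variants that keep the same structure still match."""
    layout = ";".join(f"{name}:{len(payload)}" for name, payload in sections)
    return hashlib.sha256(layout.encode()).hexdigest()


def classify(sections: List[Section], exact_db: set, generic_db: set) -> Dict[str, bool]:
    """Look the sample up in both databases and report which technique fired."""
    return {
        "one_to_one": one_to_one_signature(sections) in exact_db,
        "generic": structural_fingerprint(sections) in generic_db,
    }


# Constructed samples. KNOWN_BAD is the sample the analyst built signatures from.
KNOWN_BAD: List[Section] = [
    ("hdr", b"MZ\x90\x00"),
    ("text", b"\xcc" * 32),
    ("data", b"evil-config-v1!!"),
]
# A polymorphic variant: one byte of .text and the config string changed, but every
# section keeps its name and size, so only the exact hash differs.
VARIANT: List[Section] = [
    ("hdr", b"MZ\x90\x00"),
    ("text", b"\xcc" * 31 + b"\x90"),
    ("data", b"evil-config-v2!!"),
]
# A benign file that happens to share the same layout (the false-positive case).
BENIGN_LOOKALIKE: List[Section] = [
    ("hdr", b"MZ\x90\x00"),
    ("text", b"\x90" * 32),
    ("data", b"hello world 1234"),
]


def build_databases() -> Tuple[set, set]:
    """Both databases are seeded from the single known-bad sample."""
    return {one_to_one_signature(KNOWN_BAD)}, {structural_fingerprint(KNOWN_BAD)}


def demo() -> Dict[str, Dict[str, bool]]:
    """Classify all three samples; the variant evades 1-to-1 but not the generic
    signature, and the benign look-alike shows the generic signature's cost."""
    exact_db, generic_db = build_databases()
    return {
        "known_bad": classify(KNOWN_BAD, exact_db, generic_db),
        "variant": classify(VARIANT, exact_db, generic_db),
        "benign_lookalike": classify(BENIGN_LOOKALIKE, exact_db, generic_db),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} one_to_one={verdict['one_to_one']!s:5} generic={verdict['generic']}")
```

The benign look-alike matching the generic signature is the point of the "more false-positives than 1-to-1" bullet: a family signature buys coverage of variants with a wider net, so it is normally paired with the exact match rather than replacing it.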
13. Prevention Framework: Spero Engine
• Machine Learning
– Automatically constructs a framework
– Needs data to learn/adjust
– Requires large sets of good data
• Behavior modeling
– Discovers patterns better than human analysts
• 0-day insight is the goal
Spero: a machine-learning based technology that proactively identifies threats that were previously unknown.
• Uses active heuristics to gather execution attributes
• Needs good data in large sets to tune
• Built to identify new malware
14. Prevention Framework: Device Flow Correlation
• Internal and External Networks monitored
• Timestamp
• IP Address/Protocol/Port
• IP Reputation Data
• URL / Domain logging
• File downloads
• Dropper Detection/Removal in unknown files
• Flow points = extra telemetry data, not disposition specific
Device Flow Correlation: a kernel-level view into Network I/O. Allows blocking or alerting on network activity, traced back to the initiating process.
Cisco-provided intelligence: Generic CnC Servers, Phishing Hosts, ZeroAccess CnC Servers, etc.
Custom-defined lists
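As an added illustration of the correlation the slide describes (not Cisco's own code), the script below joins endpoint flow records against reputation lists and traces each hit back to the process and executable hash that opened the connection. The flow record shape, the list contents (RFC 5737 documentation addresses), the per-list block/alert policy and the telemetry are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    """One flow record as a kernel-level network hook might report it (constructed shape)."""
    ts: datetime
    pid: int
    process: str       # initiating process name
    file_sha256: str   # hash of the initiating executable
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    list_name: str
    action: str        # "BLOCK" or "ALERT"
    dst_ip: str
    dst_port: int
    proto: str
    pid: int
    process: str
    file_sha256: str


# Reputation lists. List names mirror the categories on the slide; the addresses are
# constructed (RFC 5737 documentation ranges). The action per list is an assumed
# policy: vendor-supplied CnC/phishing lists block, the custom-defined list alerts.
REPUTATION_LISTS: Dict[str, Set[str]] = {
    "Generic CnC Servers": {"203.0.113.10", "203.0.113.11"},
    "Phishing Hosts": {"198.51.100.7"},
    "ZeroAccess CnC Servers": {"203.0.113.200"},
    "Custom-defined list": {"192.0.2.50"},
}
POLICY: Dict[str, str] = {
    "Generic CnC Servers": "BLOCK",
    "Phishing Hosts": "BLOCK",
    "ZeroAccess CnC Servers": "BLOCK",
    "Custom-defined list": "ALERT",
}


def correlate(flows: List[Flow]) -> List[Alert]:
    """Match every flow's destination against the reputation lists. Each hit carries
    the initiating pid, process name and executable hash, so the alert is attributable
    to a program rather than just to a host."""
    alerts: List[Alert] = []
    for f in flows:
        for list_name, addrs in REPUTATION_LISTS.items():
            if f.dst_ip in addrs:
                alerts.append(Alert(f.ts, list_name, POLICY[list_name], f.dst_ip,
                                    f.dst_port, f.proto, f.pid, f.process, f.file_sha256))
    return alerts


def suspect_executables(alerts: List[Alert]) -> Set[str]:
    """Flow points are not disposition-specific: a hit does not convict the file, but
    the hashes that talked to a listed host are the ones worth pulling for analysis."""
    return {a.file_sha256 for a in alerts}


# Constructed telemetry: a few minutes of flows from one host.
T = datetime(2014, 5, 20)
SAMPLE_FLOWS: List[Flow] = [
    Flow(T.replace(hour=9, minute=2), 1204, "firefox.exe", "aa" * 32, "192.0.2.1", 443, "TCP"),
    Flow(T.replace(hour=9, minute=5), 3377, "updater.exe", "bb" * 32, "203.0.113.10", 8080, "TCP"),
    Flow(T.replace(hour=9, minute=6), 3377, "updater.exe", "bb" * 32, "203.0.113.10", 8080, "TCP"),
    Flow(T.replace(hour=9, minute=7), 1204, "firefox.exe", "aa" * 32, "198.51.100.7", 80, "TCP"),
    Flow(T.replace(hour=9, minute=9), 2910, "backup.exe", "cc" * 32, "192.0.2.50", 22, "TCP"),
]


if __name__ == "__main__":
    for a in correlate(SAMPLE_FLOWS):
        print(f"{a.ts:%H:%M} {a.action:5s} {a.list_name:22s} {a.dst_ip}:{a.dst_port} "
              f"<- pid {a.pid} {a.process} ({a.file_sha256[:12]}...)")
    print("executables to review:", sorted(suspect_executables(correlate(SAMPLE_FLOWS))))
```

The first flow (to an unlisted address) produces nothing; the two connections from `updater.exe` to the CnC entry and the `firefox.exe` connection to the phishing host are blocked, and the custom-list hit only alerts, which is the "blocking or alerting" choice the slide leaves to policy.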
15. Prevention Framework: Advanced Analytics
Context from Spectrum Techniques
• Dropkick
– Examines dropped file relationships over a 24 hour period
• Recon
– Age of a file in an entire install base
• Prevalence
– Frequency of file execution inside the organization
Advanced Analytics: a set of multi-faceted engines that provide large-data context
• Beyond single host
• Beyond single file
• Can uncover new threats missed by a narrow focus
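The three context signals on this slide (prevalence across hosts, age across the install base, and dropped-file relationships inside a 24-hour window) can be computed from plain execution telemetry. The code below is an added example and not Cisco's Dropkick/Recon/Prevalence engines; the event schema, the 24-hour pairing rule, the flagging thresholds and the sample events are all assumptions constructed to show how cross-host, cross-file context separates a fresh, rare dropper and its payload from a widely deployed, long-lived file.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ExecEvent:
    """One file execution reported by an endpoint (constructed schema)."""
    ts: datetime
    host: str
    sha256: str
    dropped_by: Optional[str] = None   # sha256 of the parent that wrote this file, if known


@dataclass
class FileContext:
    sha256: str
    prevalence: int                    # distinct hosts that executed the file
    executions: int                    # total executions across the organization
    age_hours: float                   # hours since first seen anywhere in the install base
    dropped_by: Set[str] = field(default_factory=set)        # parents that wrote this file
    dropped_children: Set[str] = field(default_factory=set)  # files written within the window


def build_context(events: List[ExecEvent], now: datetime,
                  window: timedelta = timedelta(hours=24)) -> Dict[str, FileContext]:
    """Aggregate per-hash context over the whole install base."""
    by_hash: Dict[str, List[ExecEvent]] = {}
    for e in events:
        by_hash.setdefault(e.sha256, []).append(e)

    first_seen = {sha: min(e.ts for e in evs) for sha, evs in by_hash.items()}
    ctx: Dict[str, FileContext] = {}
    for sha, evs in by_hash.items():
        ctx[sha] = FileContext(
            sha256=sha,
            prevalence=len({e.host for e in evs}),
            executions=len(evs),
            age_hours=(now - first_seen[sha]).total_seconds() / 3600,
            dropped_by={e.dropped_by for e in evs if e.dropped_by},
        )

    # Dropped-file relationship (assumed rule): a child is linked to its parent only
    # if the child first appeared within `window` of the parent's first sighting.
    for sha, c in ctx.items():
        for parent in c.dropped_by:
            if parent in ctx and timedelta(0) <= first_seen[sha] - first_seen[parent] <= window:
                ctx[parent].dropped_children.add(sha)
    return ctx


def flag_candidates(ctx: Dict[str, FileContext], max_prevalence: int = 3,
                    max_age_hours: float = 72.0) -> Set[str]:
    """Files that are both rare in the organization and new to the install base
    deserve a closer look; the thresholds are illustrative, not vendor values."""
    return {sha for sha, c in ctx.items()
            if c.prevalence <= max_prevalence and c.age_hours <= max_age_hours}


# Constructed telemetry. Hashes are placeholders, not real indicators.
NOW = datetime(2014, 5, 21, 12, 0)
OFFICE, DROPPER, PAYLOAD = "11" * 32, "22" * 32, "33" * 32
SAMPLE_EVENTS: List[ExecEvent] = [
    # A widely used, month-old application: five hosts, many runs.
    *[ExecEvent(NOW - timedelta(days=30, hours=i), f"host{i}", OFFICE) for i in range(1, 6)],
    ExecEvent(NOW - timedelta(hours=5), "host2", OFFICE),
    # A new file on host3 that writes a second new file ten minutes later,
    # then the same pair shows up on host4.
    ExecEvent(NOW - timedelta(hours=2), "host3", DROPPER),
    ExecEvent(NOW - timedelta(minutes=110), "host3", PAYLOAD, dropped_by=DROPPER),
    ExecEvent(NOW - timedelta(minutes=70), "host4", DROPPER),
    ExecEvent(NOW - timedelta(minutes=60), "host4", PAYLOAD, dropped_by=DROPPER),
]


if __name__ == "__main__":
    context = build_context(SAMPLE_EVENTS, NOW)
    for sha, c in context.items():
        print(f"{sha[:8]} prevalence={c.prevalence} runs={c.executions} "
              f"age={c.age_hours:.1f}h dropped={sorted(x[:8] for x in c.dropped_children)}")
    print("candidates:", sorted(x[:8] for x in flag_candidates(context)))
```

No single host or single file in the sample looks alarming on its own; it is the combination of low prevalence, low age and the parent/child link across two hosts that surfaces the pair, which is what "beyond single host, beyond single file" means in practice.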
16. Dynamic Analysis: High-fidelity security intelligence, analysis reports, and decision support
• Threat scores provide context beyond typical good/bad decisions
• Key tool for SOC, Incident Response, and Security Intelligence teams.
Prevention Framework: Dynamic Analysis
AMP Threat Grid
• Average sample analysis = 7.5 minutes
• Malware Sample Interaction (defeat CAPTCHAs)
• Video recording of malware actions
• Watch from the inside, from the outside
• More than “just a sandbox”
17. Plan A: The Prevention Framework
• 1-to-1 Signatures
• Ethos
• Spero
• IOCs
• Dynamic Analysis
• Advanced Analytics
• Device Flow Correlation
All Methods < 100% Detection
18. Plan B: The Retrospection Framework
Retrospective Security
Continuous Protection
19. Plan B: Retrospection Framework
• When you can’t detect 100%, visibility is critical
Continuous Analysis (timeline):
– File arrives; initial Disposition = CLEAN
– Analysis continues over time
– Retrospective Alert sent later when Disposition = BAD
Typical Analysis (timeline):
– File sandboxed; Disposition = CLEAN (sleep techniques, unknown protocols, encryption, performance)
– Analysis stops after initial disposition
– Actually… Disposition = BAD … too late!
21. How it works on the products
Endpoint (Windows, Mac)
• Exposes all File + Network Activity
• Traps fingerprint & attributes
• Traps Traffic Flow tuples
• Containment
Web-based Manager
Mobile Connector (Android)
• App installs
ASA & FirePower Appliances
• Detection of Files
• CnC Protocol Analysis
• IP and URL Reputation Analysis
• Exploit-kit Detection
• DNS Sinkholing
• Big Data Analytics
• Machine Learning
• Collective Security Intelligence
• Dynamic File Analysis Sandbox
• Detection Publishing
• Reputation Data
• Transaction Processing
• Reporting
• Continuous Analysis
WSA/ESA
• Detection of Files
• IP and URL Reputation Analysis
• SSL/TLS Decryption
• Proxy & MTA
22. Host-based AMP
• Small (size of a print driver)
• Watches for move/copy/execute
• Traps fingerprint & attributes
• Queries cloud for file disposition
Web-based Manager [SaaS]
Sensor / Firesight Console: no agent required; Malware license
Detection Services & Big Data analytics
Network/Content AMP | AMP for hosts, servers and mobile devices
24. How Cisco AMP Works: Network File Trajectory Use Case
26. An unknown file is present on IP 10.4.10.183, having been downloaded from Firefox.
27. At 10:57, the unknown file is transferred from IP 10.4.10.183 to IP 10.5.11.8.
28. Seven hours later the file is then transferred to a third device (10.3.4.51) using an SMB application.
29. The file is copied yet again onto a fourth device (10.5.60.66) through the same SMB application a half hour later.
30. The Cisco Collective Security Intelligence Cloud has learned this file is malicious and a retrospective event is raised for all four devices immediately.
31. At the same time, a device with the FireAMP endpoint connector reacts to the retrospective event and immediately stops and quarantines the newly detected malware.
32. 8 hours after the first attack, the malware tries to re-enter the system through the original point of entry but is recognized and blocked.
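The retrospection timeline on slide 19 and the file trajectory use case above describe the same mechanism: every transfer of a file is recorded by hash even while its disposition is UNKNOWN, and when the cloud verdict later changes to BAD, one retrospective event is raised per host that ever touched it, connectors quarantine locally, and further transfers are blocked at the sensor. The script below is an added example that replays the use case; it is not Cisco's code. The IP addresses, application names and the 10:57 / seven-hour / half-hour timing come from the slides; the hash, the 10:50 download time, the 18:40 verdict-change time, the hop from 10.3.4.51 to 10.5.60.66 and the 10.5.11.8 connector placement are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Sighting:
    ts: datetime
    sha256: str
    src: str          # host the file came from ("" for an external download)
    dst: str          # host the file landed on
    app: str          # carrying application as reported by the sensor
    disposition: str  # cloud verdict at the moment of the transfer


@dataclass(frozen=True)
class RetrospectiveEvent:
    ts: datetime
    sha256: str
    host: str
    old: str
    new: str


class CollectiveIntelligence:
    """Stand-in for the cloud disposition service: hash -> verdict, UNKNOWN by default."""
    def __init__(self) -> None:
        self._disp: Dict[str, str] = {}

    def lookup(self, sha256: str) -> str:
        return self._disp.get(sha256, "UNKNOWN")

    def set(self, sha256: str, disposition: str) -> None:
        self._disp[sha256] = disposition


class TrajectoryTracker:
    """Network sensor + manager view: records every sighting, blocks known-bad
    transfers, and fans out retrospective events when a verdict changes."""
    def __init__(self, cloud: CollectiveIntelligence, hosts_with_connector: Iterable[str]) -> None:
        self.cloud = cloud
        self.connector: Set[str] = set(hosts_with_connector)
        self.sightings: List[Sighting] = []
        self.quarantined: Set[Tuple[str, str]] = set()   # (host, sha256)

    def observe_transfer(self, ts: datetime, sha256: str, src: str, dst: str, app: str) -> str:
        """Returns the action taken. Only a file the cloud already calls BAD is blocked;
        everything else is allowed but remembered, which is what makes retrospection possible."""
        disp = self.cloud.lookup(sha256)
        if disp == "BAD":
            return "BLOCK"
        self.sightings.append(Sighting(ts, sha256, src, dst, app, disp))
        return "ALLOW"

    def hosts_seen(self, sha256: str) -> List[str]:
        """Every host that sent or received the file, in first-seen order."""
        seen: List[str] = []
        for s in self.sightings:
            if s.sha256 != sha256:
                continue
            for h in (s.src, s.dst):
                if h and h not in seen:
                    seen.append(h)
        return seen

    def on_disposition_change(self, ts: datetime, sha256: str, new: str) -> List[RetrospectiveEvent]:
        """Continuous-analysis hook: update the verdict, raise one event per host that ever
        touched the file, and quarantine wherever an endpoint connector is installed."""
        old = self.cloud.lookup(sha256)
        self.cloud.set(sha256, new)
        events: List[RetrospectiveEvent] = []
        if new == "BAD":
            for h in self.hosts_seen(sha256):
                events.append(RetrospectiveEvent(ts, sha256, h, old, new))
                if h in self.connector:
                    self.quarantined.add((h, sha256))
        return events

    def trajectory(self, sha256: str) -> List[Tuple[str, str, str, str, str]]:
        return [(s.ts.strftime("%H:%M"), s.src, s.dst, s.app, s.disposition)
                for s in self.sightings if s.sha256 == sha256]


SAMPLE_SHA = "ab" * 32   # constructed placeholder hash, not a real indicator
D = datetime(2014, 5, 20)


def run_use_case() -> Dict[str, object]:
    cloud = CollectiveIntelligence()
    tracker = TrajectoryTracker(cloud, hosts_with_connector=["10.5.11.8"])
    actions = [
        tracker.observe_transfer(D.replace(hour=10, minute=50), SAMPLE_SHA, "", "10.4.10.183", "Firefox"),
        tracker.observe_transfer(D.replace(hour=10, minute=57), SAMPLE_SHA, "10.4.10.183", "10.5.11.8", "Firefox"),
        tracker.observe_transfer(D.replace(hour=17, minute=57), SAMPLE_SHA, "10.5.11.8", "10.3.4.51", "SMB"),
        tracker.observe_transfer(D.replace(hour=18, minute=27), SAMPLE_SHA, "10.3.4.51", "10.5.60.66", "SMB"),
    ]
    events = tracker.on_disposition_change(D.replace(hour=18, minute=40), SAMPLE_SHA, "BAD")
    # 8 hours after the first transfer the file is sent again through the original entry point.
    reentry = tracker.observe_transfer(D.replace(hour=18, minute=57), SAMPLE_SHA, "", "10.4.10.183", "Firefox")
    return {"actions": actions, "events": events, "quarantined": tracker.quarantined,
            "reentry": reentry, "trajectory": tracker.trajectory(SAMPLE_SHA)}


if __name__ == "__main__":
    result = run_use_case()
    for hop in result["trajectory"]:
        print(hop)
    print("retrospective events:", [e.host for e in result["events"]])
    print("quarantined:", result["quarantined"], "re-entry:", result["reentry"])
```

Note what the "typical analysis" column of slide 19 would lose here: if sightings were discarded once the initial verdict came back CLEAN or UNKNOWN, the verdict change at 18:40 could not be mapped back to the four hosts, and the scope of the incident would have to be reconstructed by hand.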
37. Summary
• Cisco Advanced Malware Protection provides both Prevention AND Retrospection capability for Content Gateways, Network Inspection Points, and Endpoints
• Not Anti-Virus, but a way to address the unknown threats that exist in the environment
• Every organization WILL suffer a breach
Editor's notes
This use case gives a great view of a file being introduced, retrospective events occurring, quarantining, and future events being blocked. It is a great illustration of the correlation between endpoint and network data.
This is the actual program view, showing the path of a file across multiple devices. By hovering over an event you can see details such as where the file came from originally, when it was downloaded, what type of event it is, and the program name. All this information is just a mouse hover away.
Here we see the first event: a file with an unknown disposition is present on IP 10.4.10.183.
It enters the network by being transmitted from 10.4.10.183 to 10.5.11.8, and the file still has a disposition of unknown. We did not know it was bad, but we do know that it was introduced by a user downloading this file over HTTP using the application Firefox, a web browser. That file then sat on 10.5.11.8.
After a period of inactivity, the file transmits down to machine 10.3.4.51 over SMB, the application protocol listed in the grey box. So it starts transmitting using internal Microsoft file-sharing protocols. This file has not yet been identified as malware, so its disposition is still unknown.
The file copies itself onto a fourth machine a half hour later using the same application protocol.
At 6:14, we see a retrospective event turn up; it appears for all four machines at the same time. Our disposition has gone from unknown to known malware. So we have alerted each of these four machines and the Defense Center that malware has been found in the environment, enabling the user to track how that file propagated around the network and understand the scope of the breach.
This machine here, 10.5.11.8: we can see that it has the FireAMP endpoint connector installed. We know this because immediately after the retrospective event was raised, the endpoint quarantined the file. So by having the connector on the endpoint you have the ability to clean up, remediate and quarantine that infection on the endpoint in near real time.
Later the file once again tried to move around the network, this time again by someone trying to send the file over HTTP using the application Firefox. This time, because the file is now known to be malware, the transmission was blocked.