“Cisco Advanced Protection against WannaCry”

"A false sense of security is worse than a true sense of insecurity"

Senad Aruc, Consulting Systems Engineer, Advanced Threats Group
Nils Roald, North Sales Leader, Advanced Threats Group

Hello world, this is ‘WannaCry’

• New variant began compromising systems on May 12
• Exploits MS17-010 using tools leaked by Shadow Brokers

Why was defense in depth useless against WannaCry?

The current defense in-depth approach is built on binary detection. At each inspection point in the chain (NGFW, NGIPS, ESA, WSA, Endpoint, ISR) the outcome is the same:

• Known threats are blocked
• Good files make it through
• Unknown threats are passed on to the next system

Single points of inspection have their limitations.

Propagation / Infection Vectors

• Scans the IP subnet on 445/TCP
• Scans external IPs on 445/TCP
• ETERNALBLUE exploit, DOUBLEPULSAR implant

So far there are more than 400 unique samples in the wild! Race against time... Campaign start timer: 00:01

Demo: Velocity of Propagation

• Cisco AMP4EP customer with more than 10K connectors
• Attacker: RCE / exploit via ETERNALBLUE and DOUBLEPULSAR
• WannaCry compromised server; payload fetched with GET /WannaCry
• AMP: File Low Prevalence – ACTIVE
• sha256 disposition unknown for 7 min, then ThreatGrid (AMP Cloud sandbox) verdict: Malware

Honeypot: 445/TCP connections, kill switch domain DNS queries

Infection Process (DEMO)

• Check kill switch (HTTP GET)
• Scan 445/TCP; ETERNALBLUE exploit; DOUBLEPULSAR installs mssecsvc.exe
• mssecsvc.exe creates service mssecsvc2.0, drops and executes tasksche.exe
• tasksche.exe encrypts files (RSA 2048) and drops taskse.exe, taskdl.exe and @wannadecryptor@.exe
• taskdl.exe deletes temp files; the dropped .exe files are executed
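The honeypot slide lists the two network-side signals that give WannaCry away: a burst of 445/TCP connections to many peers (the subnet and external scans) and a DNS lookup caused by the kill-switch HTTP GET. The following is an added example, not Cisco's code and not part of the deck: it runs those checks over constructed connection and DNS log lines. The log formats, the internal range 10.0.0.0/8 and the kill-switch domain (a placeholder, since the slides do not name it) are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the slides): placeholder kill-switch domain, constructed
# log formats, and 10.0.0.0/8 as the monitored internal range.
KILL_SWITCH_DOMAIN = "kill-switch.example"
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed connection log: "<ISO time> <src> <dst> <dst_port> <proto>" per line.
CONN_LOG = "\n".join(
    # 10.0.0.7 reaches 12 distinct peers on 445/tcp inside one minute: subnet scan
    [f"2017-05-12T10:00:{i:02d} 10.0.0.7 10.0.0.{20 + i} 445 tcp" for i in range(12)]
    # 10.0.0.9 talks to the same file server repeatedly: ordinary SMB client
    + [f"2017-05-12T10:00:{i:02d} 10.0.0.9 10.0.0.5 445 tcp" for i in range(12)]
    # 10.0.0.7 also tries an address outside the internal range: external scan
    + ["2017-05-12T10:01:30 10.0.0.7 198.51.100.10 445 tcp"]
)

# Constructed DNS query log: "<ISO time> <src> <qname>" per line.
DNS_LOG = "\n".join([
    f"2017-05-12T09:59:58 10.0.0.7 {KILL_SWITCH_DOMAIN}",
    "2017-05-12T09:59:59 10.0.0.9 intranet.example",
])


def parse_conns(text):
    """Parse the constructed connection log into (time, src, dst, port, proto) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, proto = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return rows


def smb_fanout(conns, min_peers=10, window=timedelta(seconds=60)):
    """Sources contacting at least min_peers distinct hosts on 445/tcp within `window`.

    Returns {src: largest number of distinct peers seen in any window}.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in conns:
        if port == 445 and proto == "tcp":
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct peers from this event until the window closes
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(peers) >= min_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged


def external_smb_sources(conns, internal=INTERNAL_NET):
    """Sources that attempted 445/tcp to addresses outside the internal range."""
    return sorted({
        src for _, src, dst, port, proto in conns
        if port == 445 and proto == "tcp"
        and ipaddress.ip_address(dst) not in internal
    })


def kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Hosts that resolved the kill-switch domain (the HTTP GET triggers the lookup)."""
    hits = []
    for line in text.splitlines():
        _, src, qname = line.split()
        if qname.rstrip(".").lower() == domain:
            hits.append(src)
    return hits


def wannacry_indicators(conn_log=CONN_LOG, dns_log=DNS_LOG):
    """Combine the three network-side indicators into one report."""
    conns = parse_conns(conn_log)
    return {
        "smb_fanout": smb_fanout(conns),
        "external_smb": external_smb_sources(conns),
        "kill_switch": kill_switch_lookups(dns_log),
    }


if __name__ == "__main__":
    for name, value in wannacry_indicators().items():
        print(f"{name}: {value}")
```

Two practical points: the fan-out threshold has to be tuned against legitimate SMB clients (a backup server or a file server scanning its own shares will also touch many peers), and a kill-switch lookup is an indicator to alert on, not a domain to block: the sample only proceeds to the encryption stage when that GET fails.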

Mitigation

• Apply the MS17-010 update to your systems
• Microsoft has also released this update for XP / Server 2003 systems
• Block ALL inbound/outbound SMB traffic (ports 139, 445)
• Snort rules:
  • 42329-42332 DoublePulsar (April 25)
  • 42340 SMB (April 25)
  • 41978 Samba buffer overflow (March 14)

Prevention

• Use an actively supported operating system that receives security updates
• Implement an effective patch management process
• Implement a disaster recovery plan to back up / restore systems

AMP Public Cloud & Threat Grid SaaS (Cisco Talos)

In the cloud (Cisco Talos): Threat Grid static/dynamic analysis, AMP Cloud disposition lookup and retrospective security, feeding the AMP appliance, Content Security (ESA, WSA) and Firepower (NGFW, NGIPS).

On-premise (customer site): AMP for Endpoints with continuous monitoring (Move, Copy, Execute), Outbreak Controls, ISE, Vulnerable Applications, File Low Prevalence, AMP Private Cloud with automatic and manual dynamic analysis, Elastic Search, VMware ESXi, OpenIOCs.

Supported endpoints: Windows, Mac OSX, Linux RedHat/CentOS, Android.

Helping you detect and mitigate threats that have evaded your defenses

Detect and mitigate threats in your environment faster

• Make the unknown known
• See once, block everywhere
• Accelerate security response

AMP continuously records all activity, so the stages of an incident can be traced:

• Initial device compromised
• No threat symptoms displayed
• Launched malicious file downloads
• Sent information from internal server
• IoC identified; threat origin found
• Customer data compromised
• Threat contained

In most networks, there’s no way to see threat progression or origin. With AMP, trace back threat activity and remediate incidents quickly.

Supercharge your existing security infrastructure

• Make the unknown known
• See once, block everywhere
• Accelerate security response

Protect, detect, and respond across your environment

• Sandboxing and the AMP Cloud automatically block threats seen outside your network on NGFW, NGIPS, Endpoint, WSA, ESA, ISR and 3rd party products
• APIs augment the functionality of Cisco and 3rd party products; Talos API integration
• AMP makes everything in your network better

Empower your team to act faster and decrease the impact of an incident

• Make the unknown known
• See once, block everywhere
• Accelerate security response

Accelerate investigations and reduce management complexity Understand which alerts need further investigation with precision

Eliminate time-consuming and error-prone tasks

Automate intelligence-driven security responses

What about the integration and automation efforts?

Threat intel, malware analysis and SIEM, applied at the network edge, datacenter, branch routers, email gateways and endpoint. With AMP, you get both across your entire environment: Threat Grid, Talos and the AMP Cloud behind NGFW, NGIPS, ISR, CES / ESA, WSA / SIG and Endpoint.

AMP’s secrets: external (Talos) vs internal (AMP) threat intelligence?

Analogy: the external thief vs. your own house.

Solution Integration: Cisco Portfolio

Event, threat intel, policy and context are shared across ISE, Cloudlock, Stealthwatch, Umbrella, ISR/ASR, Meraki, Advanced Malware Protection, Threat Grid, Email (ESA), Web (WSA) and NGFW/NGIPS.

Solution Integration: Rapid Threat Containment

Automatically Defend Against Threats with Firepower and ISE

• Corporate user downloads a file, not knowing it’s actually malicious
• FMC aggregates and correlates sensor data
• FMC alerts ISE; ISE then changes the user’s/device’s access policy to “suspicious”
• Based on the new policy, network enforcers automatically restrict access
• Device is quarantined for remediation or mitigation

AMP by the numbers

• 22,000+ AMP Customers (~29K w/ Meraki)
• 1,500+ New AMP Customers added each Quarter
• 2,200+ Total AMP for Endpoints Customers
• 7M+ Active AMP for Endpoints connectors
• 40+ AMP for Endpoints Customers with 10K+ connectors
• Largest AMP for Endpoints Customer has 100K+ deployed
• ~14% EDR Market Share (Gartner EDR Market Guide)

• AMP Cloud (N.A.): peak queries per second 134 thousand; peak queries per day 5 billion
• Platforms: PC, Mac, Linux, Mobile

Research & Efficacy Data:

• 43% of Threat Grid detections did not exist in VirusTotal at time of detection
• 35% of Talos detections did not exist in VirusTotal at time of detection
• 21% of all AMP detections in December were retrospective

Q/A

IDC Names Cisco AMP for Endpoints a Leader

IDC research states Cisco AMP provides “comprehensive protection against targeted attacks” amongst other benefits in their latest report.

AMP is rated number one: AMP achieved a 99.2% security effectiveness rating in recent tests by NSS Labs.

News: Cisco AMP for Endpoints Meets PCI and HIPAA Requirements for Compliance

Cisco AMP Threat Grid: Unified Malware Analysis and Threat Intelligence Platform

• Low prevalence, suspicious, or unknown files: an analyst or system (API) submits a suspicious sample to Threat Grid
• An automated engine observes, deconstructs, and analyzes the sample using multiple techniques (threat score / behavioral indicators)
• The Cisco® AMP Threat Grid platform correlates the sample result with millions of other samples and billions of artifacts (big data correlation, sample and artifact intelligence database, threat feeds)
• Actionable threat content and intelligence is generated that can be utilized by AMP, packaged and integrated into a variety of existing systems, or used independently

§ “Outside looking in” approach
§ Cloud power and scale
§ Proprietary techniques for static and dynamic analysis
§ Context-based malware analytics
§ Premium & custom threat feeds
§ 400+ behavioral indicators
§ Two-way REST API for integration
§ “Glovebox” remote interaction

Proactive Protection Tools: Prevent

Close attack pathways, uncover stealthy malware, and reverse-analyze suspicious threats.

Vulnerabilities: our vulnerabilities feature shows you, across all of your endpoints, all the software on your system that’s vulnerable to malicious attacks, so you can patch them and close any potential attack pathway.

Low Prevalence: our low prevalence feature shows you applications on endpoints that are flying under the radar, and lets you take a closer look to see if there’s any malicious behavior happening.

Built-In Sandboxing: built-in sandboxing capabilities powered by Threat Grid let you submit a file for analysis against over 700 behavioral indicators so you can see what that file is trying to do and if it’s bad. Then AMP will automatically block and quarantine the file.
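Two of the concepts the deck leans on, low prevalence (above, and the "File Low Prevalence – ACTIVE" step in the demo) and retrospective security (the "unknown for 7 min, then Malware" disposition change, with AMP's continuous Move/Copy/Execute recording), come down to simple queries over endpoint file-activity records. The following is an added example written for this page, not Cisco's code or the AMP implementation: it computes file prevalence across hosts, lists executed files seen on only a few endpoints, and, when a hash's disposition flips from unknown to malicious, returns every host that already touched it. The record schema, host names and hashes are constructed.

```python
import hashlib
from collections import defaultdict


def _label_hash(label):
    """Constructed, readable stand-ins for sha256 values; not real sample hashes."""
    return hashlib.sha256(label.encode()).hexdigest()


SHA_OFFICE = _label_hash("constructed:winword.exe")
SHA_SUSPECT = _label_hash("constructed:tasksche.exe")
SHA_RARE_BENIGN = _label_hash("constructed:internal-tool.exe")

# Constructed endpoint file-activity records (assumed schema):
# (time, host, sha256, action) with action in {"move", "copy", "execute"}.
EVENTS = [
    ("2017-05-10T08:00:00", "wks-01", SHA_OFFICE, "execute"),
    ("2017-05-10T08:01:00", "wks-02", SHA_OFFICE, "execute"),
    ("2017-05-10T08:02:00", "wks-03", SHA_OFFICE, "execute"),
    ("2017-05-10T08:03:00", "wks-04", SHA_OFFICE, "execute"),
    ("2017-05-10T08:04:00", "wks-05", SHA_OFFICE, "execute"),
    ("2017-05-11T09:00:00", "wks-03", SHA_RARE_BENIGN, "execute"),
    ("2017-05-12T10:00:05", "wks-07", SHA_SUSPECT, "copy"),
    ("2017-05-12T10:00:09", "wks-07", SHA_SUSPECT, "execute"),
    ("2017-05-12T10:03:41", "wks-12", SHA_SUSPECT, "execute"),
]


def prevalence(events):
    """Number of distinct hosts on which each sha256 has been seen."""
    hosts = defaultdict(set)
    for _, host, sha, _ in events:
        hosts[sha].add(host)
    return {sha: len(h) for sha, h in hosts.items()}


def low_prevalence_executables(events, max_hosts=2):
    """Executed files seen on at most max_hosts hosts: the 'flying under the radar'
    candidates to look at more closely or submit to the sandbox."""
    prev = prevalence(events)
    executed = {sha for _, _, sha, action in events if action == "execute"}
    return sorted(sha for sha in executed if prev[sha] <= max_hosts)


def retrospective_alerts(events, old_dispositions, new_dispositions):
    """Hosts that already moved/copied/executed a file whose disposition just
    became 'malicious'. Returns {sha256: [(time, host, action), ...]} in time
    order, i.e. the trajectory to quarantine from, even though the file was
    'unknown' when it first ran."""
    flipped = {
        sha for sha, disp in new_dispositions.items()
        if disp == "malicious" and old_dispositions.get(sha) != "malicious"
    }
    affected = defaultdict(list)
    for ts, host, sha, action in events:
        if sha in flipped:
            affected[sha].append((ts, host, action))
    return {sha: sorted(rows) for sha, rows in affected.items()}


if __name__ == "__main__":
    print("low prevalence:", [s[:12] for s in low_prevalence_executables(EVENTS)])
    before = {SHA_SUSPECT: "unknown", SHA_OFFICE: "clean"}
    after = {SHA_SUSPECT: "malicious", SHA_OFFICE: "clean"}
    for sha, rows in retrospective_alerts(EVENTS, before, after).items():
        print(sha[:12], rows)
```

The low-prevalence list deliberately includes the rare but benign internal tool: prevalence is a triage signal that points at files worth sandboxing, not a verdict. The retrospective query is what turns a late sandbox verdict into containment: the 7 minutes during which the hash was unknown are covered by the recorded activity, so the hosts that ran the file in that window are still found.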