Implementing Cisco Cyber Security Operations

2019 CLUS Implementing Cisco Cyber Security Operations

Paul Ostrowski / Patrick Lao / James Risler Cisco Security Content Development Engineers

LTRCRT-2222

2019 CLUS Cisco Webex Teams

Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

Webex Teams will be moderated cs.co/ciscolivebot#LTRCRT-2222 by the speaker until June 16, 2019.

• Goals and Objectives

• Prerequisite Knowledge & Skills (PKS)

• Introduction to Security Onion

• SECOPS Labs and Topologies

• Access SECFND / SECOPS eLearning Lab Training Environment

• Lab Evaluation

• Cisco Cybersecurity Certification and Education Offerings

2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4 Goals and Objectives: • Today's organizations are challenged with rapidly detecting cybersecurity breaches in order to effectively respond to security incidents. Cybersecurity provides the critical foundation organizations require to protect themselves, enable trust, move faster, add greater value and grow. • Teams of cybersecurity analysts within Security Operations Centers (SOC) keep a vigilant eye on network security monitoring systems designed to protect their organizations by detecting and responding to cybersecurity threats.

• The goal of Cisco’s CCNA Cyber OPS (SECFND / SECOPS) courses is to teach the fundamental skills required to begin a career working as an associate/entry-level cybersecurity analyst within a threat centric security operations center.

• This session will provide the student with an understanding of Security Onion as an open source network security monitoring tool (NSM). The student will also explore common attack vectors, malicious activities, and patterns of suspicious behaviors typically encountered within a threat- centric Security Operation Center (SOC).

• We will provide you 30 days of continued access to the SECFND and SECOPS Training Portal.

• This training is NOT focused on Cisco’s family of security products and solutions.

• This topic lists the skill, knowledge, and attitudes that students must possess to benefit fully from the labs. It includes recommended Cisco learning offerings that the learner may complete to benefit fully from the labs.

• Recommended Prerequisite Skills

• The knowledge, skills, and attitudes that a student is expected to have before attending this course are as follows:

• Understanding Cisco Cybersecurity Fundamentals (SECFND)

• Learning Resources for Prerequisite Skills

• Cisco learning offerings that contribute to recommended knowledge, skills, and attitudes:

• CCNA Cyber Ops SECFND #210-250 Official Cert Guide, by Omar Santos, Joseph Muniz, Stefano De Crescenzo

• CCNA Cyber Ops SECOPS #210-255 Official Cert Guide, by Omar Santos, Joseph Muniz

Cisco 2018 Annual Cybersecurity Report Highlights The Cisco 2018 Annual Cybersecurity Report, highlights findings and insights derived from threat intelligence and cybersecurity trends observed over the past 12-18 months from threat researches and six technology partners: Anomali, Lumeta, Qualys, Radware, SAINT, and TrapX.

Also, included in the report are results of the annual Security Capabilities Benchmark Study (SCBS), which this year surveyed 3,600 chief security officers (CSOs) and security operations (SecOps) managers from 26 countries about the state of cybersecurity in their organizations.

The financial cost of attacks is no longer a hypothetical number:

• According to study respondents, more than half of all attacks resulted in financial damages of more than US $500,000, including, but not limited to, lost revenue, customers, opportunities, and out- of-pocket costs.

Source: https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1911494

2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 10 Cisco 2018 Annual Cybersecurity Report Highlights Supply chain attacks are increasing in velocity, complexity These attacks can impact computers on a massive scale and can persist for months or even years. Defenders should be aware of the potential risk of using software or hardware from organizations that do not appear to have a responsible security posture.

• Two such supply chain attacks in 2017, Nyetya and Ccleaner, infected users by attacking trusted software.

o Nyetya (also known as NotPetya) arrived in June 2017 This wiper malware also masqueraded as ransomware and it used the remote code execution vulnerability nicknamed “EternalBlue,” as well as the remote code execution vulnerability “EternalRomance” (also leaked by Shadow Brokers), and other vectors involving credential harvesting

o Ccleaner arrived in September 2017, involved the download servers used by a software vendor to distribute a legitimate software package known as CCleaner.7 CCleaner’s binaries, which contained a Trojan backdoor, were signed using a valid certificate, giving users false confidence that the software they were using was secure.

Source: https://newsroom.cisco.com/press-release content?type=webcontent&articleId=1911494

2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 11 Cisco 2018 Annual Cybersecurity Report Highlights Security is getting more complex, scope of breaches is expanding Defenders are implementing a complex mix of products from a cross-section of vendors to protect against breaches. This complexity and growth in breaches have many downstream effects on an organization's ability to defend against attacks, such as increased risk of losses.

• In 2017, 25 percent of security professionals said they used products from 11 to 20 vendors, compared with 18 percent of security professionals in 2016.

• Security professionals said 32 percent of breaches affected more than half of their systems, compared with 15 percent in 2016.

Trends in malware volume have an impact on defenders' time to detection (TTD)

• The Cisco median TTD of about 4.6 hours for the period from November 2016 to October 2017 — well below the 39-hour median TTD reported in November 2015, and the 14-hour median reported in the Cisco 2017 o Annual Cybersecurity Report for the period from November 2015 to October 2016. • The use of cloud-based security technology has been a key factor in helping Cisco to drive and keep its median TTD to a low level. Faster TTD helps defenders move sooner to resolving breaches.

Source: https://www.cisco.com/c/dam/m/digital/elq- cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005 679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2

• A Network Security Monitoring (NSM) tool is software that collects, maintains, processes, and presents network security monitoring data (security related events).

• The Security Operations Center (SOC) analyst will examine data produced by the network security monitoring tool. Without NSM data, SOC analysts could not perform their job effectively. Without NSM tools, SOC analysts would not have network data to analyze.

• An NSM can enhance network visibility by using context-rich telemetry and threat-based intelligence collected from within the network infrastructure.

• Security Onion is an open source Linux distribution that focuses on NSM. Security Onion is used for log management, intrusion detection and network security event monitoring. The distribution is managed by Security Onion Solutions. Many of the tools that comprise the Security Onion NSM have broad community support.

• Security Onion Solutions provides a straightforward package to install the network security monitoring space. Security Onion Solutions also offers training and support services for the distribution.

• Security Onion can be deployed as a simple standalone system where one network interface card (NIC) is used for management and one or more additional NICs are used for monitoring security events on the network.

• Security Onion can also scale using a distributed deployment where one system acts as the master server and the monitoring duties are spread across multiple sensor systems.

• Full packet captures: • Netsniff-ng

• Network-based (NIDS) and Host-based (HIDS) Intrusion Detection Systems: • NIDS: • Rules-driven NIDS Alerts from Snort or Suricata in passive mode (not NIPS inline mode) • Analysis-driven NIDS from Zeek (Bro) Network Security Monitor (traffic is captured via SPAN, TAP port or packet broker)

- Zeek v2.6.2 (Bro) is a protocol parsing engine that provides three key network security capabilities: Traffic Logging (generates comprehensive, protocol specific network traffic logs for 35+ protocols: DNS, HTTP, files), Automated Analysis (traffic analysis using Bro scripts), and File Extraction (extracts & re-assembles any file type off the wire) • HIDS: Wazuh (wah-zoo) replaced OSSEC and is used to monitor/defend Security Onion. Add Wazuh agents to endpoint hosts

• Syslog data received by Zeek (Bro) or syslog-ng

• Powerful Data Analysis Tools:

• Sguil Analyst Console / Squert PHP Web Interface / Kibana (Squert & Kibana can pivot to CapMe to retrieve full packet captures) • Wireshark • NetworkMiner • ELSA / Elastic Stack® (ELK)

• CyberChef Source: https://github.com/Security-Onion-Solutions/security-onion/wiki/IntroductionToSecurityOnion

The Security Onion architecture is more robust than is conveyed in the figure above. The figure serves to introduce the complexity of and interactions between the NSM tools in Security Onion. The tools in the bottom row are largely dedicated to the collection and production of raw NSM data. The tools/components in the middle row are associated with the optimization and maintenance of the data. For example, Zeek (Bro), Wazuh (OSSEC), and syslog-ng all produce flat files with one log entry per line. The ELSA system takes this raw data and organizes it into a relational MySQL database, using high-performance Sphinx indexing. The tools listed in the top row are responsible for the presentation of the data to the SOC analyst.

2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16 Security Onion with Elastic Stack® Security Onion Migrated from ELSA to the Elastic Stack® (“Hybrid Hunter”) The new Elastic Stack® components are comprised from Docker container images based on CentOS 7: Elastic Stack® Core Components: Elastic Stack® Auxiliary Components: Beats® - lightweight data shipper server agent Curator - Manage indices through scheduled maintenance. that sends specific types of operational data to Logstash and Elasticsearch ElastAlert - Query Elasticsearch and alert on user-defined anomalous behavior or other interesting bits of information. Logstash® - Data ingestion engine, parsing and format logs. FreqServer -Detect DGAs and find random file names, script names, process names, service names, workstation names, Elasticsearch® - Ingest and index logs, large TLS certificate subjects and issuer subjects, etc. scalable search engine based on Apache Lucene. DomainStats - Get additional info about a domain by providing Kibana® - offers web based visualizations of additional context, such as creation time, age, reputation, etc. ingested log data and data exploration. ELSA reached End Of Life status on October 9, 2018. Security Onion will not provide any updates or support for ELSA. Source: https://github.com/Security-Onion-Solutions/security-onion/wiki/Elastic-Architecture

2019 CLUS LTRCRT-2222 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 17 Security Onion with Elastic Stack® A Very Brief Introduction to Linux (Docker) Containers Linux containers are standalone, lighter virtualization alternatives to virtual machines that include code, system tool libraries, and settings in a ‘portable’ capsule or bottle. • Containers are isolated from each other and bundle their own application, tools, libraries, and configuration files. • Containers can communicate with each other through overlay network subsystems. • All containers are run by a single host operating-system kernel and are thus, more lightweight than virtual machine images. Containers rely on the host kernel's functionality and use resource isolation for CPU and memory resources and separate namespaces to isolate the application's view of the operating system. • Unlike a virtual machine image, which requires a hypervisor (VMware, Virtual Box), containers do not utilize a hypervisor. Containers are created from images that can either be stateful (using persistent storage) or stateless. • Why the change from Ubuntu DEB packages (used in Security Onion) to Docker images? o Docker images are easier to build & maintain and will allow support for other distros, like CentOS. Fun Fact: there is no formal definition of a Linux “container.” Most people identify a Linux container with keywords like: LXC, libvirt, Docker, Kubernetes, namespaces, cgroups, CoreOS rkt, BDS jails, Zones

Source: https://en.wikipedia.org/wiki/Docker_(software)

• argus - http://www.qosient.com/argus/ "Argus is a data network transaction auditing tool that categorizes network packets that match the libpcap filter expression into a protocol-specific network flow transaction model. Argus reports on the transactions that it discovers, as periodic network flow data, that is suitable for historical and near real- time processing for forensics, trending and alarm/alerting."

• barnyard2 - http://www.securixlive.com/barnyard2/ "Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic."

• Bro (Zeek) - http://zeek.org/ ”Zeek (Bro) provides a comprehensive HIDS/NIDS platform for network traffic analysis." https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro

• CapME - http://chaosreader.sourceforge.net/ CapMe will download a pcap file and view a pcap transcript rendered with tcpflow and Zeek (Bro) (especially helpful for dealing with gzip encoding)