As attackers find new ways to target their victims, accurate threat attribution is a critical element of an effective response aimed at containing and anticipating future attacks.
The challenge, however, is to reveal the thin red line connecting the indicators hidden in events detected at different layers.
This session will explain how to leverage the integration between Cisco Umbrella and Cisco AMP Threat Grid to bi-directionally link the malicious Internet infrastructures used by criminals with security events detected at the endpoint level.
BRKSEC-2112 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
The world is full of obvious things which
nobody by any chance ever observes.
Sherlock Holmes
The Hound of the Baskervilles
Sir Arthur Conan Doyle
WHOAMI
CSE, passionate security enthusiast with
more than 15 years of experience.
Joined Cisco following the acquisition of
OpenDNS.
Author of hackmageddon.com, a blog
that publishes bi-weekly timelines and
statistics of the main cyber attacks.
Member of the ENISA Threat Landscape
Stakeholder Group.
Twitter: @paulsparrows
Agenda
Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
Advantages of the Integration
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Umbrella: a Single Global Recursive DNS Service
[Figure: enterprise location A (home users via ISP1, internal InfoBlox appliance) and roaming location B (laptops via ISP2, internal Windows DNS server) both resolving through the global Umbrella service]
Benefits:
- Global internet activity visibility
- Network security w/o adding latency
With Data Centers Co-located at Major IXPs
25 data centers worldwide
Gather intelligence and enforce security at the DNS layer
[Figure: any device -> recursive DNS -> authoritative DNS (root, com., domain.com.)]
User request patterns (recursive DNS), used to detect:
- Compromised systems
- Command and control callbacks
- Malware and phishing attempts
- Algorithm-generated domains
- Domain co-occurrences
- Newly registered domains
Authoritative DNS logs, used to find:
- Newly staged infrastructures
- Malicious domains, IPs, ASNs
- DNS hijacking
- Fast flux domains
- Related domains
Intelligence to see attacks before they are launched
Data:
- 90B DNS requests resolved per day
- Diverse dataset gathered across 85M users across 160 countries
Security researchers:
- Industry-renowned researchers across Cisco Talos and Umbrella
- Build models that can automatically classify and score domains and IPs
Models:
- Dozens of models continuously analyze millions of live events per second
- Automatically score and identify malware, ransomware, and other threats
Detect/Prevent Attacks at Different Stages
Pre-Compromise
Compromise
Post-Compromise
Our view of the internet
- 90B requests per day
- 65M daily active users
- 12K enterprise customers
- 160+ countries worldwide
Determine guilt by inference, or pattern: 2M+ live events per second
Existing statistical models:
- Spike rank
- Natural Language Processing rank
- Predictive IP space
- pDNS, WHOIS & Threat Grid correlations
- Geo-location & -diversity
- Co-occurrence
New statistical models:
- Live DGA prediction
- Sender rank
- New security categories
- Newly Seen Domains
Our efficacy
- 3M+ daily new domain names
- 60K+ daily malicious destinations
- 7M+ malicious destinations while resolving DNS
Investigate: a powerful analysis tool to uncover threats
Key points: intelligence about domains, IPs, and malware across the internet
And a single, correlated source of intelligence
Passive DNS database
WHOIS record data
Malware file analysis
ASN attribution
IP geolocation
Domain and IP reputation scores
Domain co-occurrences
Anomaly detection (DGAs, FFNs)
DNS request patterns/geo. distribution
Examine files with context-driven analysis
Static and Dynamic analysis execute automatically
Dynamic Analysis: Process tree visualization
Outside looking in approach
No presence in the VM
Identify and Prioritize threats
Easy-to-understand Threat Scores guide decision making
- 450+ behavioral indicators (and growing)
- Malware families, malicious behaviors, and more
- Detailed description and actionable information
- Prioritize threats with confidence
- Enhance SOC analyst and IR knowledge and effectiveness (and security product)
Leverage our global community and scale
Threat intelligence prepares you for tomorrow's threats
Malware File Analysis Data
Powered by Cisco AMP Threat Grid
[Figure: file analysis data linked to IP, ASN, DOMAIN, DNS and BGP intelligence]
Speed Up Incident Response
Investigate + ThreatGrid: Complete View of Attackers' Infrastructure
[Figure: artifacts created and IOCs identified by AMP Threat Grid, linked to IP, ASN and DOMAIN intelligence in Investigate]
Will It Be a Good Morning?
Unfortunately It Looks Like It's Not!
Malicious Domains
Something Weird is Happening:
- Always the same two domains
- At regular time intervals
There are also botnet connections: someone got infected off-network
Challenges a Proper Incident Response?
Let's Collect Some Information
Can I Identify Patient Zero?
Is the Attack Targeted?
Let's see how it compares with the global traffic
Global Traffic %
The Global Traffic % compares the local activity with the global trend to identify whether the attack is targeted or opportunistic.
Useful to determine the priority for IR.
Well, I am Unlucky
And I am getting 50% of the total requests
It's time to Investigate
What Information can I collect to Remediate?
Notifications
High Level Overview for the Domain
DNS Query Graph
The DNS Query Graph is scaled against total Internet traffic globally
A Bad Neighbour
Suspicious ASN Score
A Bad Infrastructure
Prefix Reputation
SecureRank 2
Ranking of a Domain Based on the Lookup Behavior of Client IPs
How Do We Determine the Score of an IP/Prefix/ASN?
Say Thanks to Bipartite Graph Theory
SecureRank
IP/Prefix/ASN Reputation Score
SecureRank and Bipartite Graph Theory
Destinations (Domains, IPs) Guilty by Inference
[Figure: bipartite graph of Internet activity, with client IPs on one side and destinations on the other, connected by DNS lookups]
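To make "guilty by inference" concrete, here is a small bipartite score-propagation routine written for this page; it is not Cisco's SecureRank implementation, and the client/destination log and seed labels are constructed:

```python
from collections import defaultdict

# Constructed client -> queried-destination log (not real traffic).
LOOKUPS = {
    "10.0.0.1": {"cisco.com", "opendns.com", "mail.example.net"},
    "10.0.0.2": {"cisco.com", "yfrscsddkkdl.com", "suspicious.example"},
    "10.0.0.3": {"yfrscsddkkdl.com", "suspicious.example", "cdn.example.org"},
    "10.0.0.4": {"opendns.com", "cdn.example.org", "mail.example.net"},
}
# Seed labels from existing allow/block lists: +1 known good, -1 known bad.
SEEDS = {"cisco.com": 1.0, "opendns.com": 1.0, "yfrscsddkkdl.com": -1.0}

def secure_rank(lookups, seeds, iterations=30):
    """Propagate guilt/innocence across the client<->destination graph.

    Each round: a client's score is the mean of its destinations' scores;
    an unlabelled destination's score is the mean of its clients' scores.
    Seeds stay fixed, so an unknown domain looked up mostly by clients that
    also resolve known-bad domains drifts negative ("guilty by inference").
    """
    domains = {d for ds in lookups.values() for d in ds}
    clients_of = defaultdict(set)          # destination -> clients querying it
    for client, ds in lookups.items():
        for d in ds:
            clients_of[d].add(client)
    score = {d: seeds.get(d, 0.0) for d in domains}
    for _ in range(iterations):
        client_score = {c: sum(score[d] for d in ds) / len(ds)
                        for c, ds in lookups.items()}
        for d in domains - set(seeds):
            cs = clients_of[d]
            score[d] = sum(client_score[c] for c in cs) / len(cs)
    return score

def verdict(score: float, threshold: float = -0.1) -> str:
    """Turn a propagated score into a triage label (threshold is arbitrary)."""
    return "suspicious" if score <= threshold else "benign"

if __name__ == "__main__":
    for dom, s in sorted(secure_rank(LOOKUPS, SEEDS).items(), key=lambda x: x[1]):
        print(f"{dom:22} {s:+.3f} {verdict(s)}")
```

suspicious.example is never on a block list, yet both of its clients also resolve the known-bad DGA domain, so it converges to a negative score while mail.example.net, shared only with clean clients, converges positive.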
Geo-Location
Ranking of a Domain Based on Where the Source Clients are Located
IP geo-location analysis
Domain Generation Algorithms
There is an algorithm behind this and we will unmask it
DGA Section
DGA Score
This score is generated based on the likelihood of the domain name being generated by an algorithm rather than a human.
This score ranges from -100 (suspicious) to 0 (benign).
DGA Detection
Example domains: yfrscsddkkdl.com, qgmcgoqeasgommee.org, iyyxtyxdeypk.com, diiqngijkpop.ru
N-gram analysis: do sets of adjacent letters match normal language patterns?
Entropy analysis: does the probability distribution of letters appear random?
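The two checks above, entropy and n-gram plausibility, combined into a toy score on the slide's -100..0 scale. This is an added illustration, not Umbrella's DGA model; the bigram list, the weights and the length damping are assumptions chosen for readability:

```python
import math
from collections import Counter

# Constructed reference set of frequent English bigrams. A real model learns
# n-gram frequencies from a large benign-domain corpus; this short list is an
# assumption kept small for illustration.
COMMON_BIGRAMS = set(
    "th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng "
    "se ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si "
    "om ur ca el ta la ns di fo ho pe ec pr no ct us ac ot il tr ly nc et ut "
    "ss so rs un lo wa ge ie wh ee wi em ad ol rt po we na ul ni ts mo ow pa "
    "im mi ai sh ir su id os iv ia am fi ci vi pl ig tu ev ld ry mp fe bl ab "
    "op wo sa ay ex ke fr oo av ag if ap gr od bo sp rd do uc bu ei ov by sc".split())

def shannon_entropy(s: str) -> float:
    """Bits per character of the label (0.0 when one letter is repeated)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def bigram_ratio(label: str) -> float:
    """Share of adjacent letter pairs that look like natural language."""
    pairs = [label[i:i + 2] for i in range(len(label) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs) if pairs else 1.0

def registered_label(domain: str) -> str:
    """Second-level label, with defanged [.] restored and the TLD dropped."""
    parts = domain.lower().replace("[.]", ".").rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(domain: str) -> float:
    """Toy score on the page's scale: -100 (suspicious) .. 0 (benign)."""
    label = registered_label(domain)
    # Random 12-letter labels reach ~3.5 bits/char; real words sit lower.
    randomness = min(shannon_entropy(label) / 4.0, 1.0)
    oddness = 1.0 - bigram_ratio(label)
    # Short labels can be high-entropy yet human (acronyms): damp their weight.
    length_weight = min(len(label) / 12.0, 1.0)
    return round(-100.0 * length_weight * (0.5 * randomness + 0.5 * oddness), 1)

if __name__ == "__main__":
    for d in ("cisco.com", "yfrscsddkkdl.com", "qgmcgoqeasgommee.org",
              "iyyxtyxdeypk.com", "diiqngijkpop.ru"):
        print(f"{d:24} {dga_score(d):7.1f}")
```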
Live DGA Prediction
Automated at an unparalleled scale
[Figure: DGA configurations (a.com, b.com, a1.com, a2.com, b1.com, c2.com, c.com, d.com, ...) fed to the DGA to predict the domains it will generate before they are registered]
Predictive Classifiers
The score is not considered authoritative over the block list; this is risky!
A classifier prediction is a score based on all the features of the domain and is not tied to any single one. It is intended to be predictive and serves as an indicator that the domain may require further investigation.
Predictive Detectors: NLPRank
Identifies malicious domain-squatting and targeted C2 or phishing domains
1. Analyse APT reports
2. Patterns in domains used in attacks
3. Checked data & confirmed intuition
4. Built model and continue to tune
https://blog.opendns.com/2016/11/11/phishfinder-hook-line-sinker/
Evolving the Recommender System to be Predictive
Predictive Detectors: SPRank
Challenge: Build scalable detection models that are:
Generic to rapidly catch a large number of malware domains/IPs of various types
Specific to provide context and details about detected threats
Design detection that is immune to evasion and obfuscation by adversaries
Focus on below the recursive DNS layer
Inspect DNS query features that are harder to change at global scale
Assimilate DNS traffic patterns to sound waves
Detect domains that show spike in traffic over a short time window (e.g. 1 hour)
Spike rank model
Patterns of guilt
[Figure: DNS requests per day over several days; DNS request volume data is gathered and analyzed, and y.com is blocked before it can launch the full attack]
SPRank DNS Features
Query types: 1 A, 15 MX, 28 AAAA, 16 TXT, 99 SPF, 255 ANY
List of resolving resolvers
Exploit Kit VS Spam
Exploit kit: you.b4ubucketit.com. 0.0 45 45.0 40 11 {((ams),13),((cdg),1),((fra),3),((otp),1),((mia),6),((lon),6),((nyc),1),((sin),3),((pao),1),((wrw),3),((hkg),7)} {((1),45)}
Spam: www.tzd.tcai006.net. 0.0 26 26.0 1 1 {((lon),26)} {((1),26)}
The difference: EK domains have traffic from multiple IPs spread across several resolvers, while traffic to spam and casino sites comes from a single IP (46.30.43.20, AS35415, Webzilla, https://eurobyte.ru/).
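A parser for the two feature records shown above, with the resolver-site spread used to separate the EK-like spike from the spam-like one. This is added example code, not Umbrella's SPRank; the reading of the fifth numeric field as "distinct client IPs" and the 0.5 spread threshold are assumptions:

```python
import math
import re
from dataclasses import dataclass

# The two records as printed on the slide (copied here as constructed input).
EK_RECORD = ("you.b4ubucketit.com. 0.0 45 45.0 40 11 "
             "{((ams),13),((cdg),1),((fra),3),((otp),1),((mia),6),((lon),6),"
             "((nyc),1),((sin),3),((pao),1),((wrw),3),((hkg),7)} {((1),45)}")
SPAM_RECORD = "www.tzd.tcai006.net. 0.0 26 26.0 1 1 {((lon),26)} {((1),26)}"

PAIR_RE = re.compile(r"\(\((\w+)\),(\d+)\)")   # matches ((key),count)

@dataclass
class SpikeRecord:
    domain: str
    queries: int            # 3rd numeric field: queries in the window
    client_ips: int         # assumption: 5th numeric field = distinct client IPs
    sites: dict             # resolver site code -> queries seen there
    qtypes: dict            # DNS qtype number -> queries (1 = A)

def parse_record(line: str) -> SpikeRecord:
    head, site_blob, qtype_blob = line.split("{")
    fields = head.split()
    rec = SpikeRecord(
        domain=fields[0].rstrip("."),
        queries=int(fields[2]),
        client_ips=int(fields[4]),
        sites={k: int(v) for k, v in PAIR_RE.findall(site_blob)},
        qtypes={int(k): int(v) for k, v in PAIR_RE.findall(qtype_blob)},
    )
    # Consistency checks against the record's own summary fields.
    assert len(rec.sites) == int(fields[5]), "resolver-site count mismatch"
    assert sum(rec.sites.values()) == rec.queries, "query total mismatch"
    return rec

def site_spread(rec: SpikeRecord) -> float:
    """Normalised entropy (0..1) of how queries spread across resolver sites."""
    if len(rec.sites) < 2:
        return 0.0
    n = rec.queries
    h = -sum(c / n * math.log2(c / n) for c in rec.sites.values())
    return h / math.log2(len(rec.sites))

def classify(rec: SpikeRecord) -> str:
    """EK-like spikes come from many client IPs via many resolver sites;
    spam/casino spikes come from a single source through one resolver."""
    if rec.client_ips > 1 and site_spread(rec) > 0.5:
        return "exploit-kit-like"
    return "spam-like"

if __name__ == "__main__":
    for line in (EK_RECORD, SPAM_RECORD):
        r = parse_record(line)
        print(f"{r.domain:24} ips={r.client_ips:3} sites={len(r.sites):2} "
              f"spread={site_spread(r):.2f} -> {classify(r)}")
```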
Using SPRank in Combination with other Sources (for instance Hashes)
SP-Rank Model w/ Predictive IP Space Monitoring
Identifies that an attack is underway and then expands intelligence
[Figure: SPRank analyzes DNS request name patterns over time as sound waves in real time (research idea: can we reuse concepts used by Pandora's Music Genome Project?) to detect spikes; detected malicious domains are filtered into phishing, malvertising, exploit kits and malware (e.g. domain shadowing); predictive IP space monitoring then records history and expands coverage to 340x more domains]
IP Range Fingerprinting
Scan neighboring range for open services & versions, OS version
Certain attack IPs share identical fingerprints
If we detect first seed domains by acoustic or other model, then block similar IPs before they start hosting domains
IP Range Fingerprinting
The 5 IPs share the same fingerprint
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp open http nginx web server 1.2.1
Service Info: OS: Linux
4 more IPs in the /24 have the same fingerprint with no hosted domains at the time of discovery. However, they are set up in bulk to host EK domains in the following days, so EK domains could appear shortly.
Co-Occurrences
Temporal Proximity of Related Malicious Domains
Co-occurrence model
Domains guilty by inference
[Figure: timeline of lookups from time - to time +, with related malicious domains requested close together]
The Co-Occurrence Probability Distribution Function
The histogram of |t_i(c) - t_j(c)| for all clients c and all pairs of malicious domains (i, j) appears to be gamma distributed.
This allows calculating the probability that two malicious domains are related.
The co-occurrence is the sum of this probability over all the clients connecting to both domains.
The model is normalized to take into account legitimate co-occurrences (for instance google-analytics).
https://labs.opendns.com/2013/07/24/co-occurrences/
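The co-occurrence computation above, carried through on a constructed resolver log as an added example (not the OpenDNS Labs implementation). The gamma shape and scale, the use of the gamma survival function as the per-client relatedness weight, and the sqrt(n_i * n_j) normalization are assumptions; the two .ru names are the coincident domains from the slides:

```python
import math
from collections import defaultdict

# Constructed per-client resolver log: (client, domain, seconds). The two
# .ru names come from the slides; the rest is made up, and
# google-analytics.com stands in for a popular benign domain everyone queries.
LOG = [
    ("c1", "7ssneqrtef.ru", 1000), ("c1", "gvaq70s7he.ru", 1004),
    ("c1", "google-analytics.com", 1500),
    ("c2", "7ssneqrtef.ru", 2000), ("c2", "gvaq70s7he.ru", 2009),
    ("c2", "google-analytics.com", 2010),
    ("c3", "google-analytics.com", 3000), ("c3", "news.example", 3002),
    ("c4", "google-analytics.com", 4000), ("c4", "7ssneqrtef.ru", 5800),
]
# Assumed gamma parameters for |t_i(c) - t_j(c)| of related pairs: integer
# shape K (Erlang case) and scale THETA in seconds. The real model fits these
# from the observed histogram; here they are chosen by hand.
K, THETA = 2, 10.0

def erlang_survival(x: float, k: int = K, theta: float = THETA) -> float:
    """P(Delta >= x) for a gamma with integer shape k: closed form, no SciPy."""
    z = x / theta
    return math.exp(-z) * sum(z ** n / math.factorial(n) for n in range(k))

def _index(log):
    times = defaultdict(list)          # (client, domain) -> [timestamps]
    clients = defaultdict(set)         # domain -> clients that queried it
    for c, d, t in log:
        times[(c, d)].append(t)
        clients[d].add(c)
    return times, clients

def co_occurrence(i: str, j: str, log=LOG) -> float:
    """Sum over clients querying both of P(related | min |t_i - t_j|),
    normalised by sqrt(n_i * n_j) so that a domain everyone queries
    (google-analytics) does not co-occur strongly with everything."""
    times, clients = _index(log)
    both = clients[i] & clients[j]
    if not both:
        return 0.0
    total = 0.0
    for c in both:
        delta = min(abs(ti - tj) for ti in times[(c, i)] for tj in times[(c, j)])
        total += erlang_survival(delta)
    return total / math.sqrt(len(clients[i]) * len(clients[j]))

if __name__ == "__main__":
    for pair in (("7ssneqrtef.ru", "gvaq70s7he.ru"),
                 ("7ssneqrtef.ru", "google-analytics.com")):
        print(f"{pair[0]} ~ {pair[1]}: {co_occurrence(*pair):.3f}")
```

The two DGA-looking .ru domains are requested a few seconds apart by every client that sees both, so they score high, while google-analytics.com is queried by everyone at unrelated times and the normalization keeps its score low.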
Correlating DNS, WHOIS, and BGP Data Sets
[Figure: example graph linking domains (igh.biz, def.co, abc.org, ok.com, bot.ru, bad.cn) to IPs (1.2.3.4, 4.3.2.1, 8.7.6.5), name server ns.dyn.com, a registrant e-mail, AS 346 and AS 781, with lookup timestamps from January to February]
Now What?
The Umbrella detectors allow identifying whether a domain is malicious (and blocking it) thanks to the patterns related to its global behaviour.
[Figure: 162.17.5.245 and suspicious.com linked to a .doc file that modifies WINWORD.exe; intelligence about the attackers' file, other file system activity and artifacts created]
Associated Samples (Threat Grid Integration)
Available Even Without a ThreatGrid Account
Threat Score
This section of the Investigate report contains the SHA256 of file samples that contained that internet destination in the network connection section of the ThreatGrid report.
File Analysis Section
ThreatGrid Integration
Ah, and by the way, I can link Investigate with my ThreatGrid cloud-based account
VirusTotal Lookup
VirusTotal Link
I can quickly look it up on VirusTotal
Behavioral Indicators
Human Readable Malicious Indicators
Let's Step Back a Little Bit
It's a Matter of Coincidences
7ssneqrtef[.]ru
gvaq70s7he[.]ru
disorderstatus[.]ru
Conclusions
Video
Demo
Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session.
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Lunch & Learn
Meet the Engineer 1:1 meetings
Related sessions:
Thursday, Feb 23, 2:30pm: BRKSEC-1980 - Introducing Cisco Umbrella for cloud based threat protection
Q&A
References
RSA 2016: https://www.rsaconference.com/events/us16/agenda/sessions/2336/using-large-scale-data-to-provide-attacker
Thank You