BRKSEC-3144.pdf

Apr. 19, 2023
Technology

Cisco Live BRKSEC 3144
  1. BRKSEC-3144: A Deep Dive into Threat Grid Advanced File Analysis. Malware Execution as a Service. Ben Greenbaum, Cisco Security Integrations, @secintsight
  2. Questions? Use Cisco Webex Teams to chat with the speaker after the session. How: (1) Find this session in the Cisco Events Mobile App; (2) Click “Join the Discussion”; (3) Install Webex Teams or go directly to the team space; (4) Enter messages/questions in the team space. © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public
  3. Agenda
     • Introduction
     • System Overview
     • File Analysis
     • Malware Threat Intelligence
     • Deployment options
     • Portal Features
     • API
     • Conclusion & Resources
  4. Introduction
  5. Your humble presenter…
     • 20 years experience
     • Engineering, not marketing
     • SecurityFocus
     • Symantec
     • Financial Services: PayPal, Hedge Fund
     • 2 years at Cisco
  6. Your humble product…
     • 2010: ThreatGRID founded. Core idea: marry crowd-sourced malware, advanced sandboxing, and big data threat intelligence.
     • 2014: Cisco purchases ThreatGRID, shortly after acquiring SourceFire, including AMP (previously Immunet). Immediate plan was to integrate with AMP.
     • 2015: Integrations. Threat Grid integrated with AMP; other 3rd party integrations.
     • 2016-present: Many more integrations, both 3rd party and Cisco, most notably Cisco Threat Response.
  7. System Overview
  8. Threat Grid Overview: Malware Analysis / Threat Intelligence. An automated engine observes, deconstructs, and analyzes using multiple techniques.
     • Malware Analysis: Automated Analysis (Static, Dynamic); Global Correlation
     • Threat Intelligence: Threat Score; Behavior Indicators; Observables; Analysis Reports
  9. File Analysis
  10. File Analysis: File Requirements
     • Wide range of supported file types (examples): Executables; Java, Javascript; PDF, SWF; Office; ZIP; Scripts (BAT, PS1, VBS); URLs
     • Limitations: No TXT; Max 100MB; Max recursion level in ZIPs; Files must be provided by user
  11. File Analysis: Static & Dynamic
     • Static Analysis (what it is/contains): File on disc; Header details; AV engines
     • Dynamic Analysis (what it does): Execution/Detonation; Network Connections; File/System changes; Function/Library calls
  12. File Analysis Methods: Advanced Dynamic Techniques. Counter-evasion techniques:
     • No VM presence
     • Obscured VM “tells”
     • Configurable runtime
     • Network Exit Localization
     • Playbooks
     • Evasion BIs
  13. File Analysis: Sample Sources
     • Manual user submissions
     • Automated submissions from: Talos; in-field deployments of integrated Cisco products; relationships with ecosystem partners
     • Partnerships with industry researchers and sample providers
     • Internal harvesting (mostly limited to targeted attacks and other specific content)
  14. Malware Threat Intelligence
  15. Threat Intelligence: Behavior Indicators. Detailed intelligence about how malware behaves.
  16. Threat Intelligence: Global Correlation
     • Samples correlated with billions of malware artifacts
     • Global / historical context on threat landscape
     • “Wikipedia of Malware”
  17. Threat Intelligence: Privacy and Compliance
     • Encryption of all samples at rest
     • Multiple regional datacenters: NA (US) / EU (DE)
     • Bare Cisco Iron
     • Cloud Privacy Options: Private tagging; Sample deletion
     • Threat Grid Appliance
  18. Threat Intelligence: Delivery. Sample and Artifact Intelligence Database.
     • Analysis and Search Results: User, org, or global analysis results per sample; Search across samples for key elements; Download artifacts, pcaps, etc.
     • Threat Intel Data Feeds: Threat feeds with context / metadata; Create custom feeds or download 15 curated batch feeds; Various formats (JSON, STIX, CSV, Snort)
  19. Deployment Options
  20. Deployment: Options
     • Installation: Cloud (Global dataset; Full correlation) or Appliance (Privacy; Local correlation)
     • Interface: Integration Only (Automated interaction; Automated sample acquisition; Unified workflows) or Full Portal (UI/API) (Custom integrations; Full searching capabilities; Curated feeds)
  21. Deployment: Options, by installation and interface
     • Cloud: Samples analyzed in the cloud; UI/API included (“Threat Grid Cloud Premium”); Access to global data
     • Appliance: Samples analyzed on premise; UI/API; Local data/intelligence only
     • Integration: Samples analyzed in the cloud
  22. Deployment: Cloud vs. Appliance
     • Deployment: Cloud = Regional cloud data centers (NA & EU); Appliance = Hardware UCS Appliance
     • Sample Privacy: Cloud = Samples submitted as private or public; Appliance = Samples kept locally
     • Analysis Privacy: Cloud = Public sample analysis available to all customers; Appliance = No data is sent to the Cloud
     • Data Retention: Cloud = Up to 24 months; Appliance = At least 36 months under normal usage
     • Scalability: Cloud = Organization license-based, <=10K sample submissions/day (exceptions require PM approval); Appliance = Appliance license: 500, 1.5K, 5K, 10K sample submissions/day; Clustering: up to 70K (2-7 appliances)
     • Licensing: Cloud = Threat Grid Cloud, Advanced File Analysis packs, Portal Users; Appliance = Threat Grid Appliance license
     • Integrations: Cloud = Threat Response, FMC, Email Security, WSA, Meraki, AMP4E Cloud, & more, & 3rd party; Appliance = FMC, Email Security, WSA, AMP4E Cloud/Private Cloud, & more, & 3rd party
     • Release cycle: Cloud = Bi-weekly; Appliance = 2-6 weeks lag
     • VMs/Targets: Cloud = Win7 64-bit (2 profiles, +Jp / Kr), Win 10; Appliance = Win7 64-bit, Win 10
     • Intel: Cloud = Pivoting / searching based on global data; Appliance = Pivoting / searching based on local data
     • Feeds: Cloud = Curated intel feeds based on global data; Appliance = No curated feeds
  23. Threat Grid Deployment: AMP Integration (flow between the AMP connector, AMP, and Threat Grid)
     1: File Hash from the AMP connector
     2: Is it known? yes → 2a: Disposition (✓/✗) [END]
     3: Send to TG? no → 3a: Disposition (?) [END]; yes → 3b: Disposition (?) (SEND)
     4: File type check? no → 4a: [END]; yes → 4b: File → Static Analysis → Dynamic Analysis → Scoring → Queue
     5: Poke: Threat Score and optional Disposition (?/✗), together with other inputs, into the Disp Updater
     6: Disposition (✓/?/✗) back to AMP
  24. Supported Integrations & Partners: Threat Grid Integrations; Select Recipe Integrations; Select Threat Feed Integrations
  25. Portal Features
  26. Deployment: Cloud UI (screenshot)
  27. API
  28. API Use Cases. Threat Grid API: Malware Analysis & Threat Intelligence
     • Submit Samples for Analysis
     • Query Malware Intelligence
     • Retrieve Curated Intelligence Feeds
     • Usage Statistics and Data
  29. Threat Grid API: Security Integration and Automation
     • Threat Grid’s REST API automates sample analysis, enrichment and reporting: automate submission from numerous technologies (host or network); pull results into numerous technologies
     • Diagram labels: Your Existing Security (Firewall, Network Taps, SIEM, Log Mgmt, Security Partners, Endpoint Security, Gateway/Proxy, IPS/IDS); Threat Content Enrichment; Threat Intelligence Feeds; Threat Grid: Malware Analysis & Threat Intelligence
  30. Threat Grid APIs: Data API
     • Entity search /search/: search observables by specific criteria
     • Entity lookups /domains/, /urls/, /paths/, etc.: pivot from a known observable to other related information in Threat Grid data
     • Sample mgmt /samples/: submit; retrieve data/analysis
     • Raw observables feeds /samples/feeds/: get lists of observables associated with a filterable set of samples. Harvested from all sample activity, suspicious or not, therefore very high FP. Can filter to your user’s or your org’s samples only, e.g. “get all domains associated with samples my company submitted”. Results in JSON.
  31. Threat Grid APIs: Data API (continued)
     • Indicator of Compromise (IOC) feeds /iocs/feeds: observables seen in conjunction with Behavior Indicators. Moderate FP level: only those observables seen with a BI, so there is at least some degree of suspicious behavior associated with the item. Also filterable to only your or your org’s samples. Results in JSON.
     • User management API /users/: create users, set sample limits, etc.
  32. Threat Grid APIs: Curated feeds API /feeds/
     • Based on specific, high confidence human-curated BIs
     • Whitelisted via TG and Talos intelligence
     • Much lower FP
     • Groups observables by IOC type (e.g. “DGA DNS domains”)
     • Not filterable by sample ownership, but you could combine with IOC feeds to do so!
     • Least complex request structure
     • Made for integrations; available output formats: JSON, CSV, Snort, STIX
  33. Threat Grid APIs: Feed details summary (Sample Feeds / IOC feeds / Curated Feeds)
     • Version: /v2; /v2; /v3
     • Endpoint: /samples/feeds/; /iocs/feeds/; /feeds/
     • Content: All observables seen; Observables seen in all BIs; Observables seen as part of a trusted high confidence BI triggering
     • FP rate*: High; Medium; Low
     • Pre-whitelisted: No; No; Yes
     • Filterable to only you/org?: Yes; Yes; No
     • Output Formats: JSON; JSON; JSON/CSV/Snort/STIX**
     • Request Complexity: Low; Low; Lowest
     * The factual FP rate is 0; these were all seen. The functional FP rate, as an indicator of local compromise, is dependent on the details of the observation and varies from feed to feed.
     ** Additional formats not available for all curated feeds.
  34. API Use Case: Curated Feeds. URL pattern: [prefix][FEED-NAME][_date].[FORMAT]?[api_key]
     • DGA DNS as JSON: https://panacea.threatgrid.com/api/v3/feeds/dga-dns_2017-08-08.json
     • Sinkholed IP/DNS as STIX: https://panacea.threatgrid.com/api/v3/feeds/sinkholed-ip-dns_2017-08-08.stix
     • Dynamic DNS Domains as Snort rules: https://panacea.threatgrid.com/api/v3/feeds/dynamic-dns.snort?api_key=foo
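The curated-feed URL pattern from slide 34 and the ownership workaround from slide 32 (curated feeds cannot be filtered to your org, but the IOC feed can, so intersect the two), written out in Python as an added example. This is not code from the deck or from Cisco. The record layouts for the two feeds are constructed for the example; the real feed schemas are not on the slides and may differ.

```python
"""Curated-feed URL builder and org-scoped intersection (added example; not
code from the deck or from Cisco).

Covers two points from the slides:
  * the curated-feed URL pattern  [prefix][FEED-NAME][_date].[FORMAT]?[api_key]
  * the workaround for curated feeds not being filterable by sample ownership:
    intersect them with the IOC feed, which *is* filterable to your org.
The JSON record layouts used below are constructed for this example; the real
feed schemas are not on the slides and may differ.
"""
import re
from urllib.parse import urlencode

CURATED_PREFIX = "https://panacea.threatgrid.com/api/v3/feeds/"   # slide 34
CURATED_FORMATS = ("json", "csv", "snort", "stix")                  # slide 32
_FEED_SLUG = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def is_valid_feed_name(name):
    """Feed names are slugs like dga-dns; anything else is rejected so a value
    taken from config cannot smuggle path segments or query separators in."""
    return bool(_FEED_SLUG.match(name))


def build_curated_feed_url(feed_name, fmt="json", day=None, api_key=None):
    """Assemble a curated-feed URL following the slide's pattern.

    day is a datetime.date or an ISO 'YYYY-MM-DD' string; omit it for the
    undated (current) feed. fmt is restricted to the four published formats.
    """
    if not is_valid_feed_name(feed_name):
        raise ValueError(f"bad feed name: {feed_name!r}")
    if fmt not in CURATED_FORMATS:
        raise ValueError(f"unsupported format: {fmt!r}")
    url = CURATED_PREFIX + feed_name
    if day is not None:
        url += "_" + (day if isinstance(day, str) else day.isoformat())  # dga-dns_2017-08-08
    url += "." + fmt
    if api_key:
        url += "?" + urlencode({"api_key": api_key})
    return url


def redact_api_key(url):
    """The key travels in the query string, so it lands in proxy and web-server
    logs; mask it before writing the URL to your own logs."""
    return re.sub(r"(api_key=)[^&]+", r"\1<redacted>", url)


def org_scoped_curated(curated_records, org_ioc_records):
    """Curated indicators that were also seen in *your org's* samples.

    curated_records: [{"ioc_type": ..., "value": ...}]             (constructed)
    org_ioc_records: [{"type": ..., "value": ..., "sample": ...}]   (constructed,
                     standing in for /iocs/feeds filtered to your org)
    Returns {value: {"ioc_type": ..., "samples": [sha256, ...]}}.
    """
    seen_in_org = {}
    for rec in org_ioc_records:
        seen_in_org.setdefault(rec["value"].lower(), set()).add(rec["sample"])
    scoped = {}
    for rec in curated_records:
        key = rec["value"].lower()
        if key in seen_in_org:
            scoped[key] = {"ioc_type": rec["ioc_type"],
                           "samples": sorted(seen_in_org[key])}
    return scoped


# Constructed sample data (RFC 5737 addresses, reserved .example names).
CURATED_SAMPLE = [
    {"ioc_type": "dga-dns", "value": "qxzv7k2p.example"},
    {"ioc_type": "sinkholed-ip-dns", "value": "198.51.100.23"},
    {"ioc_type": "dynamic-dns", "value": "host.dyn.example"},
]
ORG_IOC_SAMPLE = [
    {"type": "domain", "value": "QXZV7K2P.example", "sample": "SHA256_PLACEHOLDER_1"},
    {"type": "ip", "value": "192.0.2.10", "sample": "SHA256_PLACEHOLDER_1"},
    {"type": "domain", "value": "host.dyn.example", "sample": "SHA256_PLACEHOLDER_2"},
    {"type": "domain", "value": "host.dyn.example", "sample": "SHA256_PLACEHOLDER_1"},
]

if __name__ == "__main__":
    url = build_curated_feed_url("dga-dns", "json", "2017-08-08", api_key="API_KEY_PLACEHOLDER")
    print(redact_api_key(url))
    for value, info in org_scoped_curated(CURATED_SAMPLE, ORG_IOC_SAMPLE).items():
        print(value, info["ioc_type"], info["samples"])
```

The intersection is keyed on the lower-cased observable so that a domain cased differently in the two feeds still matches; the sinkholed IP in the constructed data is dropped because no sample from the org ever contacted it, which is exactly the org-scoping the slide says the curated endpoint cannot do on its own.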
  35. Scripting Example: Curated Feeds (screenshot)
  36. API Use Case: Submit files for analysis. Threat Response: Is file known? No → Threat Grid: Was file seen recently? No → Threat Grid: Submit file!
  37. (Threat Response API?)
     • Access: Included with purchase of Threat Grid portal account; Time based tokens
     • Functions (partial list): Look up observable reputations (across all data sources; unlimited lookups); Take common response actions (Quarantine file; Block domain)
  38. API Demo: TG Submit (screenshot)
  39. API Demo: TG Submit (screenshot)
  40. API Demo: TG Submit (screenshot)
  41. API Demo: TG Submit. Usage example: Analysis folder
     • Create a folder for all analysts to dump files of interest into
     • Use a script to pick them up and submit to TG
     • Use POST parameters to set an email alert to the owner of the file when analysis is complete
     • Could also have different folders for different options: OS language, network exit, etc.
     The pickup script runs from cron:
     secintsight:~$ crontab -l | grep TG
     */5 * * * * /home/secintsight/scripts/spam2TG.sh
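The analysis-folder procedure above, written out as an added Python example; this is not the spam2TG.sh script shown on the slide and not Cisco code. It folds in the File Requirements from slide 10 (no TXT, 100 MB maximum) as checks before anything is sent, and dedups on SHA-256 so the same file dropped twice under two names is submitted once. The /api/v2/samples endpoint and the form-field names api_key, sample, private, tags and email are assumptions, as is the injected transport that stands in for the HTTP client so the sweep runs offline.

```python
"""Analysis-folder pickup for Threat Grid submission (added example written for
this page; not the spam2TG.sh script on the slide and not Cisco code).

Implements the procedure on the slide: sweep a drop folder, submit each new
file, and request an email alert to the owner when analysis completes. Before
anything is sent it applies the limits from the File Requirements slide (no
TXT, 100 MB maximum) and keeps a SHA-256 ledger so a file that two analysts
drop under different names is submitted once.

Assumptions not on the slides: the POST goes to /api/v2/samples with form
fields api_key, sample, private, tags and email; the transport is injected so
the sweep can be exercised offline.
"""
import hashlib
import json
import tempfile
from pathlib import Path

MAX_SIZE = 100 * 1024 * 1024                  # slide 10: Max 100MB
REJECTED_SUFFIXES = {".txt"}                  # slide 10: No TXT
SUBMIT_ENDPOINT = "https://panacea.threatgrid.com/api/v2/samples"   # assumed


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_file(path):
    """None if the file is submittable, otherwise the reason it is skipped."""
    if path.suffix.lower() in REJECTED_SUFFIXES:
        return "txt not accepted"
    size = path.stat().st_size
    if size > MAX_SIZE:
        return "over 100MB"
    if size == 0:
        return "empty file"
    return None


def build_submission(api_key, owner_email):
    """Form fields for one sample (field names are assumptions, see docstring).
    The file itself goes in the multipart 'sample' part, added by the transport."""
    return {
        "api_key": api_key,
        "private": "true",                    # keep analyst uploads out of the public dataset
        "tags": f"drop-folder,owner:{owner_email}",
        "email": owner_email,                 # alert the owner when analysis completes
    }


def sweep(folder, ledger_path, api_key, owner_email, transport):
    """Submit every new, acceptable file in folder; return what was done.

    transport(endpoint, fields, path) performs the POST. A real one would be
    requests.post(endpoint, data=fields, files={"sample": path.open("rb")}).
    """
    ledger = json.loads(ledger_path.read_text()) if ledger_path.exists() else {}
    summary = {"submitted": [], "skipped": {}}
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        reason = check_file(path)
        if reason:
            summary["skipped"][path.name] = reason
            continue
        digest = sha256_of(path)
        if digest in ledger:                  # same content already went up
            summary["skipped"][path.name] = "already submitted"
            continue
        transport(SUBMIT_ENDPOINT, build_submission(api_key, owner_email), path)
        ledger[digest] = path.name
        summary["submitted"].append(path.name)
    ledger_path.write_text(json.dumps(ledger, indent=1))
    return summary


def demo():
    """Run sweep() over a constructed drop folder with a recording transport."""
    posts = []

    def recording_transport(endpoint, fields, path):
        posts.append({"endpoint": endpoint, "fields": fields, "file": path.name})

    with tempfile.TemporaryDirectory() as tmp:
        drop = Path(tmp) / "drop"
        drop.mkdir()
        payload = b"MZ" + b"\x00" * 64        # constructed stand-in, not a real binary
        (drop / "invoice.exe").write_bytes(payload)
        (drop / "invoice_copy.exe").write_bytes(payload)   # same content, new name
        (drop / "notes.txt").write_text("analyst notes")
        (drop / "empty.bin").write_bytes(b"")
        summary = sweep(drop, Path(tmp) / "submitted.json",
                        "API_KEY_PLACEHOLDER", "analyst@example.com", recording_transport)
    return {"summary": summary, "posts": posts}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Forcing private=true on every drop-folder upload is the same control slide 42 lists as an API use case (“ensure/enforce that all manually submitted samples are set to private”); the ledger file is what lets the script run every five minutes from cron without re-submitting files that are still sitting in the folder.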
  42. Additional API Use Cases
     • Ensure/enforce that all manually submitted samples are set to private
     • Download network resources found in analysis of your org’s samples and compare to network logs
     • Add observable lookups to existing reputation checks
     • Set users’ passwords from a password management system
  43. Conclusion
  44. Ben Greenbaum, Cisco TME, just now: “Detonate your malware on our network, not yours”
  45. Security Breakout, Friday 31 January 2020 (session; start time; length in hours)
     • BRKSEC-3229 ISE under magnifying glass. How to troubleshoot ISE; 09:00 AM; 2
     • BRKSEC-2140 2 birds with 1 stone: DUO integration with Cisco ISE and Firewall solutions; 09:00 AM; 1.5
     • BRKSEC-3005 Cryptographic Protocols and Algorithms - a review; 09:00 AM; 2
     • BRKSEC-3300 Advanced IPS Deployment with Firepower NGFW; 09:00 AM; 2
     • BRKSEC-3265 Fixing Email! - Cisco Email Security Advanced Troubleshooting; 09:00 AM; 1.5
     • BRKSEC-3200 Advanced IPv6 Security Threats and Mitigation; 11:30 AM; 2
     • BRKSEC-2036 Only if I Could go Back in Time and Prevent a Security Apocalypse!; 11:30 AM; 1.5
     • BRKSEC-2602 Cloud Managed Security Architecture and Design; 11:30 AM; 2
     • BRKSEC-3032 Firepower NGFW Clustering Deep Dive; 11:30 AM; 2
  46. Walk in Labs
     • LABSEC-1441 2FA for Administration with DUO
     • LABSEC-1662 ISE Passive Identity Connector (ISE-PIC) with Active Directory WMI Provider
     • LABSEC-1674 Beat the Encrypted traffic with Cisco StealthWatch ETA
     • LABSEC-1947 SD-WAN Security: Connect to any cloud, anywhere, securely
     • LABSEC-2211 AMP for Endpoint Deployment in VDI environment
     • LABSEC-2212 Leveraging API on Threat Grid for malware analysis
     • LABSEC-2504 Cisco Umbrella (Open DNS) Lab - Advanced
     • LABSEC-2602 Cisco Threat Response (CTR) integration with Cisco Advanced Malware Protection (AMP)
     • LABSEC-2811 Multi-SA Virtual Tunnel Interface – no more Crypto Maps
     • LABSEC-2812 ISE integrations via pxGrid with FTD, WSA, StealthWatch
     • LABSEC-4490 Firepower v6.5 and DUO Integration: Configuring and Troubleshooting DUO for Cisco AnyConnect VPN with Firepower Device Manager (FDM)
  47. Further Resources
     • Threat Hunting Workshops: http://cs.co/cisco-threat-hunting
     • Threat Grid video channel: http://cs.co/TGvideos
     • @secintsight on Twitter
     • Portal help
  48. Threat Grid API Resources
     • Threat Grid Section on Developer Network (DevNet): https://developer.cisco.com/threat-grid/
     • Code examples in Cisco Security’s GitHub: https://github.com/CiscoSecurity
     • Learning Labs: http://learninglabs.cisco.com/labs
     • New API documentation in the portal: https://panacea.threatgrid.com/mask/doc/main/api-getting-started.html
     • DevNet and speaker sessions at Cisco Live events worldwide: Threat Hunting using APIs - DEVNET-2638
  49. Threat Grid on DevNet
     • The Threat Grid Microsite is now live! https://developer.cisco.com/threat-grid/
     • Documentation and training videos
     • Code examples link to GitHub
     • AMP for Endpoints also in progress…
  50. Cisco Security on GitHub: https://github.com/cisco-security
     • API code for Threat Grid, AMP, Threat Response; more to come!
     • Search for “Threat Grid”
  51. Also, me on GitHub: https://github.com/bgreenba/Threat-Grid. Poorly coded hammers to get things done quickly:
     • BIs – get all behavior indicators into csv
     • TGIFF – fetch intel feeds
     • TGsubmit – submit files
     • TSfetcher – get Threat Score details for bulk hash lists
     • anti-tedium – bulk user management
  52. Learning Labs
     • http://learninglabs.cisco.com/labs
     • Search for Threat Grid
     • http://cs.co/DEVNET-2164
     • Free!
  53. Product Documentation
     • API code for Threat Grid, AMP, Threat Response; more to come!
     • Search for “Threat Grid”
  54. Complete your online session survey
     • Please complete your session survey after each session. Your feedback is very important.
     • Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
     • All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea. Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.
  55. Continue your education: Related sessions; Walk-In Labs; Demos in the Cisco Showcase; Meet the Engineer 1:1 meetings
  56. Thank you

