DEVNET-1158 Cognitive Threat Analytics - Behavioral Breach Detection & Security Intelligence...

Posted on 14-Aug-2015


Cognitive Threat Analytics: Behavioral Breach Detection & Security Intelligence Interchange via TAXII/STIX API

Petr Cernohorsky, Product Manager
June 2015

2 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

There's a new cyber-threat reality

•  You'll most likely be infected via email
•  Hackers will likely command and control your environment via web
•  Your environment will get breached


Only Cisco Cloud Web Security Premium delivers full threat visibility

BEFORE (Discover, Enforce, Harden): Web Filtering, Web Reputation, Application Visibility & Control
DURING (Detect, Block, Defend): Anti-Malware, Outbreak Intelligence, File Reputation (AMP)
AFTER (Scope, Contain, Remediate): Dynamic Malware Analysis (AMP), File Retrospection (AMP), Cognitive Threat Analytics (CTA)


[Architecture diagram: Cisco Cloud Web Security (CWS) backed by Talos. Traffic from roaming users, branch offices, the campus office and HQ is redirected to the cloud proxy (redirection options: ASA, Standalone, WSA, ISR G2, AnyConnect); verdicts are Allow, Warn, Block or Partial Block. Admin side: Reporting, Log Extraction, Management, and STIX / TAXII (APIs) for CTA output.]

Before: Web Reputation, Web Filtering, Application Visibility & Control
During: Anti-Malware, File Reputation, Webpage Outbreak Intelligence
After: Dynamic Malware Analysis, File Retrospection, Cognitive Threat Analytics

CWS PREMIUM: CTA Layered Detection Engine

Layer 1: Anomaly detection, Trust modeling
Layer 2: Event classification, Entity modeling
Layer 3: Relationship modeling

Funnel (Recall -> Precision): 10B requests per day -> Anomalous Web requests (flows) -> Malicious Events (flow sequences) -> Threat Incidents (aggregated events) -> 1K incidents per day


Identify suspicious traffic with Anomaly Detection

[Diagram: the layer model with Layer 1 (Anomaly detection) highlighted next to AMP (File Reputation, Dynamic Malware Analysis, File Retrospection); a field of HTTP(S) requests, each marked Normal, Unknown or Anomalous]

Anomaly Detection
•  10B+ requests are processed daily by 40+ detectors
•  Each detector provides its own anomaly score
•  Aggregated scores are used to segregate the normal traffic


Reduce false positives with Trust Modeling

[Diagram: Layer 1 (Trust modeling) highlighted; HTTP(S) requests grouped into clusters, each cluster marked Normal, Unknown or Anomalous]

Trust Modeling
•  HTTP(S) requests with similar attributes are clustered together
•  Over time, the clusters adjust their overall anomaly score as new requests are added
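The two Layer 1 steps above (per-detector anomaly scores that are aggregated, then clusters of similar requests whose verdict drifts as new requests arrive), as an added example that is not Cisco's code. The three detectors, their weights, the cluster key, the 1 + log2(users) trust discount, the verdict thresholds and the proxy log are all assumptions made for the demo; the real engine runs 40+ detectors.

```python
"""Layer 1 of the CTA funnel, as an added example (not Cisco's code): several
independent detectors score each HTTP(S) request, the scores are aggregated,
and trust modeling clusters requests with similar attributes so that a cluster's
verdict can change as new requests, and new users, are added to it."""
import ipaddress
import math
import re
from collections import defaultdict
from urllib.parse import urlsplit

TOKEN = re.compile(r"[A-Za-z0-9]+")

# Constructed proxy log, not real traffic: hostnames and addresses use
# RFC 2606 / RFC 5737 reserved values. Eight users push backups to one service,
# one user talks to a raw IP with a long encoded path, one user reads the news.
SAMPLE_LOG = (
    [{"user": "user%d" % i, "url": "https://backup.example.org/upload?id=a7f3c2",
      "bytes_out": 50000, "bytes_in": 500} for i in range(1, 9)]
    + [{"user": "user1", "bytes_out": 2000, "bytes_in": 200,
        "url": "http://192.0.2.10/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZX8inI56FK0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi"},
       {"user": "user2", "bytes_out": 400, "bytes_in": 20000,
        "url": "https://www.example.com/news/2015/06/index.html"}]
)


# --- individual detectors: each returns its own anomaly score in [0, 1] -----
def det_upload_ratio(req):
    """Share of bytes flowing out of the network (exfiltration / C2 upload)."""
    total = req["bytes_out"] + req["bytes_in"]
    return req["bytes_out"] / total if total else 0.0


def det_long_token(req):
    """Longest alphanumeric token in path+query relative to 64 chars
    (encoded payloads riding on the URL produce very long tokens)."""
    parts = urlsplit(req["url"])
    longest = max((len(t) for t in TOKEN.findall(parts.path + "?" + parts.query)), default=0)
    return min(longest / 64.0, 1.0)


def det_raw_ip(req):
    """1.0 when the request goes to an IP literal instead of a hostname."""
    try:
        ipaddress.ip_address(urlsplit(req["url"]).hostname or "")
        return 1.0
    except ValueError:
        return 0.0


# Assumed detector weights; a real engine has 40+ detectors and learns these.
DETECTORS = [(det_upload_ratio, 0.4), (det_long_token, 0.4), (det_raw_ip, 0.2)]


def anomaly_score(req):
    """Aggregated anomaly score: weighted sum of the individual detectors."""
    return sum(weight * det(req) for det, weight in DETECTORS)


def cluster_key(req):
    """Requests with similar attributes (same host, same first path segment)
    land in one cluster."""
    parts = urlsplit(req["url"])
    segments = parts.path.strip("/").split("/")
    return (parts.hostname or "", segments[0])


class TrustModel:
    """Per-cluster running anomaly score, discounted by how many distinct users
    share the cluster (assumed discount: divide by 1 + log2(users))."""

    def __init__(self):
        self.total = defaultdict(float)
        self.count = defaultdict(int)
        self.users = defaultdict(set)

    def add(self, req):
        key = cluster_key(req)
        self.total[key] += anomaly_score(req)
        self.count[key] += 1
        self.users[key].add(req["user"])
        return self.verdict(key)

    def score(self, key):
        mean = self.total[key] / self.count[key]
        return mean / (1.0 + math.log2(len(self.users[key])))

    def verdict(self, key):
        s = self.score(key)
        return "anomalous" if s >= 0.6 else "normal" if s < 0.3 else "unknown"


def run(log):
    """Feed the log through trust modeling; return the final verdict per cluster."""
    model = TrustModel()
    for req in log:
        model.add(req)
    return {key: model.verdict(key) for key in model.count}


if __name__ == "__main__":
    for key, verdict in run(SAMPLE_LOG).items():
        print("%-45s %s" % ("/".join(key), verdict))
```

The first backup upload, seen from a single user, scores in the unknown band; once the same cluster is shared by eight users its trust-adjusted score falls into the normal band, which is the false-positive reduction the slide describes. The raw-IP request with the long encoded path stays anomalous because only one user ever touches that cluster.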


Categorize requests with Event Classification

[Diagram: Layer 2 (Event classification) highlighted; HTTP(S) requests sorted into three outcomes]

Keep as legitimate: Media website, Software update, Certificate status check
Alert as malicious: Tunneling, Domain generated algorithm, Command and control
Keep as suspicious: Suspicious extension, Repetitive requests, Unexpected destination

Event Classification
•  100+ classifiers are applied to a small subset of the anomalous and unknown clusters
•  Requests' anomaly scores update based on their classifications


Attribute anomalous requests to endpoints and identify threats with Entity Modeling

[Diagram: Layer 2 (Entity modeling) highlighted; HTTP(S) requests grouped per endpoint, with a THREAT raised on some of the endpoints]

Entity Modeling
•  A threat is triggered when the significance threshold is reached
•  New threats are triggered as more evidence accumulates over time


Determine if a threat is part of a threat campaign with Relationship Modeling

[Diagram: Layer 3 (Relationship modeling) highlighted. Two attack nodes (Attack Node 1, Attack Node 2) drive a campaign against Company A in three phases (Phase 1: Threat Type 1, Phase 2: Threat Type 1, Phase 3: Threat Type 2). Incidents at Company B and Company C are linked to it by Similarity Correlation (global behavioral similarity, local behavioral similarity, local & global behavioral similarity) and by Infrastructure Correlation (shared threat infrastructure).]

Relationship Modeling
•  Incidents are correlated by behavioral similarity, within one company (local) and across companies (global)
•  Incidents are correlated by shared threat infrastructure (attack nodes used by more than one incident)
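The two correlations on this slide (shared threat infrastructure, and local or global behavioral similarity) joined into campaigns, as an added example that is not Cisco's code. The incidents, the Jaccard similarity threshold, the union-find grouping and the confirmed/detected labelling rule (a campaign with more than one incident is treated as confirmed, a lone incident as detected, in the spirit of slides 12 and 13) are assumptions.

```python
"""Layer 3 of the CTA funnel, as an added example (not Cisco's code): link
threat incidents from several companies into a campaign when they share
threat infrastructure or show near-identical behaviour."""
from itertools import combinations

# Constructed incidents, not real data (RFC 5737 addresses, RFC 2606 names).
# "behaviour" is the set of malicious-event labels that make up the incident.
INCIDENTS = [
    {"id": "A-1", "company": "A", "infra": {"192.0.2.10", "c2-one.example"},
     "behaviour": {"dga", "url tunneling", "raw ip c2"}},
    {"id": "A-2", "company": "A", "infra": {"198.51.100.7"},
     "behaviour": {"dga", "url tunneling", "raw ip c2"}},
    {"id": "B-1", "company": "B", "infra": {"192.0.2.10", "c2-two.example"},
     "behaviour": {"click fraud", "adware"}},
    {"id": "C-1", "company": "C", "infra": {"203.0.113.5"},
     "behaviour": {"dga", "url tunneling", "raw ip c2", "data exfiltration"}},
    {"id": "D-1", "company": "D", "infra": {"203.0.113.99"},
     "behaviour": {"cryptominer"}},
]


def jaccard(a, b):
    """Set overlap in [0, 1]; used as the behavioural similarity measure."""
    return len(a & b) / len(a | b) if a | b else 0.0


def correlate(x, y, min_similarity=0.75):
    """Return why two incidents belong to one campaign, or None.
    Infrastructure correlation wins over similarity when both apply."""
    if x["infra"] & y["infra"]:
        return "shared threat infrastructure"
    if jaccard(x["behaviour"], y["behaviour"]) >= min_similarity:
        scope = "local" if x["company"] == y["company"] else "global"
        return scope + " behavioral similarity"
    return None


def build_campaigns(incidents, min_similarity=0.75):
    """Union-find over correlated pairs. Returns (campaigns, edges) where each
    campaign is a sorted list of incident ids and each edge is (id, id, reason)."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    edges = []
    for x, y in combinations(incidents, 2):
        reason = correlate(x, y, min_similarity)
        if reason:
            edges.append((x["id"], y["id"], reason))
            parent[find(x["id"])] = find(y["id"])

    groups = {}
    for inc in incidents:
        groups.setdefault(find(inc["id"]), []).append(inc["id"])
    campaigns = sorted((sorted(m) for m in groups.values()), key=lambda m: m[0])
    return campaigns, edges


def label(campaign):
    """Assumed rule: more than one incident => CONFIRMED campaign, else DETECTED one-off."""
    return "CONFIRMED" if len(campaign) > 1 else "DETECTED"


if __name__ == "__main__":
    campaigns, edges = build_campaigns(INCIDENTS)
    for c in campaigns:
        print(label(c), c)
    for e in edges:
        print("  %s <-> %s: %s" % e)
```

A-1 and B-1 are joined only because they talk to the same attack node (192.0.2.10) even though their behaviour is entirely different; C-1 joins the same campaign through global behavioural similarity with A-1 and A-2 although it shares no infrastructure with them. D-1 correlates with nothing and stays a one-off.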


How CTA analyzes a threat

[Diagram: a sequence of requests seen at the CWS Proxy, each with its Webrep and AV score (0, + or -) and the age of the destination domain (2 weeks, 2 weeks, 3 hours, 1 day). CTA labels the pattern as Domain Generation Algorithm (DGA) and Data tunneling via URL (C&C); the events over time read DGA, C&C, DGA, DGA, DGA, C&C.]

Attacker techniques: Active channels


Utilizing a layered detection engine

CWS PREMIUM: CTA Layered Detection Engine

Layer 1: Anomaly detection, Trust modeling (Unsupervised Learning: Filtering, Trust Modeling, Classification / Layer 1)
Layer 2: Event classification, Entity modeling (Supervised Learning: Classification / Layer 2, e.g. Tunneling via URL, Generated Domain, Data Exfiltration; output Threat 1 ... Threat N)
Layer 3: Relationship modeling (Incidents Data, Correlation & Memory)

Funnel (Recall -> Precision): Anomalous Web requests (flows) -> Malicious Events (flow sequences) -> Threat Incidents (aggregated events)

[Diagram: Detection is done by individual detectors (Agent 1, Agent 2, Agent 3 ... Agent N) feeding Layer 1; Layer 2 emits Threat 1 ... Threat N; Layer 3 correlates them into incidents]


CTA presents results in two categories: Confirmed Threats

Confirmed Threats - Threat Campaigns
•  Threats spanning across multiple users
•  100% confirmed breaches
•  For automated processing leading to fast reimage / remediation
•  Contextualized with additional Cisco Collective Security Intelligence


CTA presents results in two categories: Detected Threats

Detected Threats - One-off Threats
•  Unique threats detected for individuals
•  Suspected threat confidence and risk levels provided
•  For semi-automated processing
•  Very little or no additional security context exists


Here's an example of how it works

Near real-time processing: 10B requests per day -> +/- 1% is anomalous -> 10M events per day -> 1K-50K incidents per day

[Diagram: HTTP(S) requests flow through Anomaly Detection, Trust Modeling (Cluster 1, Cluster 2, Cluster 3), Classification (Classifier A, H, K, M, X, Z), Entity Modeling and Relationship Modeling]

Output: CONFIRMED threats (spanning multiple users) and DETECTED threats (unique)


Breach Detection: Ransomware (Example 1)

[Timeline diagram, Feb 25 to Apr 4 (marks at Feb 25, Mar 1, Mar 21, Mar 24, Mar 25, Apr 4); threat activity continuously detected by CTA across the whole period. Events on the timeline, in slide order:]
•  CTA Detection
•  AV removing trojan
•  AV signatures updated & trojan removed
•  Worm removed by daily scan
•  CryptoLocker confirmed & endpoint sent for reimage
•  AV removing worm & signatures found outdated

< Malware operational for more than 20 days >


Example 1

Local Context: First detected in your network on Mar 11, 2015 and last observed on Apr 14, 2015. Total of 3 users have shown threat behavior in last 45 days.

Global Context: Also detected in 5+ other companies affecting 10+ other users.

Threat related to the Zeus Trojan horse malware family, which is persistent, may have rootkit capability to hide its presence, and employs various command-and-control mechanisms. Zeus malware is often used to track user activity and steal information by man-in-the-browser keystroke logging and form grabbing. Zeus malware can also be used to install CryptoLocker ransomware to steal user data and hold data hostage. Perform a full scan for the record and then reimage the infected device.

THREAT (risk 9), 100% confidence, AFFECTING 3 users


Example 1 (threat detail)

AFFECTING winnt://emea\user1

Activities (8), Domain (8), IPs (8), Autonomous systems (5)

Autonomous systems: Amazon.com, Inc; Amazon.com Tech Tel…; LeaseWeb B.V.; intergenia AG; Qwest communication…
IPs: 95.211.239.228, 85.25.116.167, 54.240.147.123, 54.239.166.104, 63.234.248.204, 54.239.166.69, 63.235.36.156, 54.240.148.64
Activities: "Url string as comm…" (risk 9, 2 entries); "Http traffic to ip addr…" (risk 6, 6 entries)

Sample request, Encrypted Command & Control:
http://95.211.239.228/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZ+X8inI56FK/0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi+a8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIOXHGFTr7+w5jqe46Kz4//NDHGJw6C2L2hCLEExuNJaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmkpsYsGkTE8fVQ692WQd8h2cRp+KHDg8F2ECZlcDXGOPQPU9TrWFw…

THREAT (risk 9), 100% confidence
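Layer 2 of the funnel, as an added example that is not Cisco's code: simple classifiers for the activities named in this detail view ("Url string as communication channel", "Http traffic to ip address") and on the earlier classification and threat-analysis slides (domain generated algorithm, repetitive requests), followed by an entity model that attributes the resulting events to a user and raises a THREAT once the accumulated evidence reaches a threshold. The heuristics, thresholds, weights and the proxy log are assumptions; the long path tokens only imitate the shape of the C&C URL shown above.

```python
"""Layer 2 of the CTA funnel, as an added example (not Cisco's code): event
classifiers for a few of the deck's activity types, plus an entity model
that turns per-user evidence into a THREAT."""
import ipaddress
import math
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

VOWELS = set("aeiou")
URLSAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=-_")

# Constructed proxy log: (timestamp in seconds, user, url). RFC 5737 / RFC 2606
# values only; user1 beacons every 60 s to a raw IP with encoded data in the path.
SAMPLE_LOG = [
    (0, "emea\\user1", "http://192.0.2.10/MG/6XYZCn5dkOpx7yzQbqbmefOBUM9H97ymDGPZX8inI56FK0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEi"),
    (60, "emea\\user1", "http://192.0.2.10/MG/0XHGs6uRF5zaWKXZxmdVbs91AgesgFarBDRYRCqEia8roqlRl77ZucRB4sLOlkpoG5d44OZ95VO6pVjtKVAj0SIO"),
    (120, "emea\\user1", "http://192.0.2.10/MG/JaeA9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmk"),
    (180, "emea\\user1", "http://192.0.2.10/MG/psYsGkTE8fVQ692WQd8h2cRpKHDg8F2ECZlcDXGOPQPU9TrWFwXHGFTr7w5jqe46Kz4NDHGJw6C2L2hCLEExuNJ"),
    (240, "emea\\user1", "http://192.0.2.10/MG/A9wtSRmOgxVg9NhpJXK7oD8dTDoGOD46zWaWDDpQ9zNdmhNtmOfeWA3xxgZ9KzDpd7SVUnzATdD3E1USpWmkps"),
    (15, "emea\\user2", "https://www.example.com/news/2015/06/index.html"),
    (90, "emea\\user2", "https://update.example.net/v2/check?build=1234"),
    (300, "emea\\user3", "http://xkqzvbtrwplmn.test/"),
]


def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_tunneling(url, min_len=64, min_entropy=4.0):
    """'Url string as communication channel': a long, high-entropy token made
    only of URL-safe alphabet characters in the path or query."""
    parts = urlsplit(url)
    tokens = [t for t in parts.path.split("/") + parts.query.split("&") if t]
    return any(len(t) >= min_len and set(t) <= URLSAFE and shannon_entropy(t) >= min_entropy
               for t in tokens)


def generated_domain(host):
    """'Domain generated algorithm' stand-in: long, nearly vowel-free registrable label."""
    if not host or is_ip_literal(host):
        return False
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= 10 and sum(c in VOWELS for c in label) / len(label) < 0.2


def classify(url):
    """Event classification for one request: the malicious-event labels it earns."""
    host = urlsplit(url).hostname or ""
    labels = []
    if is_ip_literal(host):
        labels.append("http traffic to ip address")
    if url_tunneling(url):
        labels.append("url string as communication channel")
    if generated_domain(host):
        labels.append("domain generated algorithm")
    return labels


def beaconing(timestamps, min_count=5, max_cv=0.1):
    """'Repetitive requests': at least min_count requests to one host with a
    near-constant inter-arrival time (coefficient of variation <= max_cv)."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


# Assumed evidence weights: 6 and 9 echo the risk numbers beside the matching
# activities on the slide; the other weights and the threshold are invented.
WEIGHTS = {"http traffic to ip address": 6, "url string as communication channel": 9,
           "domain generated algorithm": 7, "repetitive requests": 5}


def entity_model(log, threshold=20):
    """Attribute events to users; a THREAT fires once a user's distinct evidence
    reaches the significance threshold. Returns {user: {score, labels, threat}}."""
    evidence = defaultdict(set)
    per_host = defaultdict(list)
    for ts, user, url in log:
        per_host[(user, urlsplit(url).hostname or "")].append(ts)
        evidence[user].update(classify(url))
    for (user, _host), stamps in per_host.items():
        if beaconing(stamps):
            evidence[user].add("repetitive requests")
    return {user: {"score": sum(WEIGHTS[l] for l in labels), "labels": sorted(labels),
                   "threat": sum(WEIGHTS[l] for l in labels) >= threshold}
            for user, labels in evidence.items() if labels}


if __name__ == "__main__":
    for user, result in entity_model(SAMPLE_LOG).items():
        print(user, result)
```

Each label is counted once per user no matter how many requests earned it, so a single odd request cannot cross the threshold on its own; user3's lone DGA-looking lookup therefore stays below the line, while user1's combination of raw-IP destination, encoded URL payload and regular beaconing becomes a threat.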

18 C97-733731-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


CTA Exports: STIX / TAXII API

TAXII Log Adapter: https://github.com/CiscoCTA/taxii-log-adapter

[Diagram: CTA publishes STIX formatted threat intelligence through a TAXII Poll Service; the adapter polls the service, transforms each Incident and forwards it to the log destination]


CTA Exports: STIX Sample Message Payload

1 CTA CONFIRMED threat campaign
2 CTA CONFIRMED or DETECTED threat incident
3 Malicious events (flow sequences)
4 Anomalous web requests

[Screenshot of the STIX payload with regions 1 to 4 marked]


CTA Exports: STIX 1.1.1 payload excerpt (the slide cuts off the opening STIX_Package tag and the closing tags, so this is not a complete document)

id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0" timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
  <stix:STIX_Header>
    <stix:Information_Source>
      <stixCommon:Tools>
        <cyboxCommon:Tool id="cta:tool-CTA">
          <cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name>
          <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
        </cyboxCommon:Tool>
        <cyboxCommon:Tool id="cta:tool-AMP">
          <cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name>
          <cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor>
        </cyboxCommon:Tool>
      </stixCommon:Tools>
    </stix:Information_Source>
  </stix:STIX_Header>
  <stix:Incidents>
    <stix:Incident xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="incident:IncidentType"
        id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
      <incident:Title>malware|transferring data through url</incident:Title>
      <incident:Time>
        <incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action>
      </incident:Time>
      <incident:Victim>
        <stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name>
      </incident:Victim>
      <incident:Leveraged_TTPs>
        <incident:Leveraged_TTP>
          <stixCommon:TTP xsi:type="ttp:TTPType">
            <ttp:Title>favicon</ttp:Title>
          </stixCommon:TTP>
        </incident:Leveraged_TTP>
        <incident:Leveraged_TTP>
          <stixCommon:TTP xsi:type="ttp:TTPType">
            <ttp:Title>data tunneling over https</ttp:Title>

STIX visualizer: https://github.com/STIXProject/stix-viz
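The Transform step of the TAXII log adapter flow on the previous slide, applied to a payload shaped like the excerpt above, as an added example that is not the code of CiscoCTA/taxii-log-adapter. The package embedded in the block is constructed from the element names on the slide: the STIX_Package wrapper, the namespace declarations (the standard STIX 1.x schema namespaces) and the closing tags are assumed because the slide cuts them off.

```python
"""Transform step of a TAXII log adapter, as an added example (not the
CiscoCTA/taxii-log-adapter code): flatten each STIX 1.1.1 Incident that CTA
exports into one key=value log record for a SIEM."""
import xml.etree.ElementTree as ET

# STIX 1.x schema namespaces used by the exported document.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "incident": "http://stix.mitre.org/Incident-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed package: wrapper tag, xmlns declarations and closing tags are
# assumptions; the incident fields mirror the slide's sample payload.
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:incident="http://stix.mitre.org/Incident-1" xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="cta:package-1412045744-4e3681cb-c188-4893-84bc-500aac2da0a0"
    timestamp="2014-11-14T07:20:00.300Z" version="1.1.1">
  <stix:STIX_Header><stix:Information_Source><stixCommon:Tools>
    <cyboxCommon:Tool id="cta:tool-CTA"><cyboxCommon:Name>Cognitive Threat Analytics</cyboxCommon:Name><cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor></cyboxCommon:Tool>
    <cyboxCommon:Tool id="cta:tool-AMP"><cyboxCommon:Name>Advanced Malware Protection</cyboxCommon:Name><cyboxCommon:Vendor>Cisco</cyboxCommon:Vendor></cyboxCommon:Tool>
  </stixCommon:Tools></stix:Information_Source></stix:STIX_Header>
  <stix:Incidents>
    <stix:Incident xsi:type="incident:IncidentType"
        id="cta:incident-1412045744-1412045744_f8bae03fb2ff7164a0536a67766e_malware$7Ctransferring+data+through+url_0.75">
      <incident:Title>malware|transferring data through url</incident:Title>
      <incident:Time><incident:First_Malicious_Action>2014-11-09T22:09:37.149Z</incident:First_Malicious_Action></incident:Time>
      <incident:Victim><stixCommon:Name>f8bae03fb2ff7164a0536a67766e</stixCommon:Name></incident:Victim>
      <incident:Leveraged_TTPs>
        <incident:Leveraged_TTP><stixCommon:TTP xsi:type="ttp:TTPType"><ttp:Title>favicon</ttp:Title></stixCommon:TTP></incident:Leveraged_TTP>
        <incident:Leveraged_TTP><stixCommon:TTP xsi:type="ttp:TTPType"><ttp:Title>data tunneling over https</ttp:Title></stixCommon:TTP></incident:Leveraged_TTP>
      </incident:Leveraged_TTPs>
    </stix:Incident>
  </stix:Incidents>
</stix:STIX_Package>
"""


def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else ""


def transform_package(xml_text):
    """Return one flat record per Incident in a STIX 1.1.1 package."""
    # A TAXII feed is remote input: a production adapter should parse it with
    # defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    if root.get("version") != "1.1.1":
        raise ValueError("unexpected STIX version %r" % root.get("version"))
    tools = [t.get("id") for t in root.findall(
        "stix:STIX_Header/stix:Information_Source/stixCommon:Tools/cyboxCommon:Tool", NS)]
    records = []
    for inc in root.findall("stix:Incidents/stix:Incident", NS):
        if inc.get(XSI_TYPE) != "incident:IncidentType":
            continue
        # CTA's Title is "<category>|<behaviour>", e.g. "malware|transferring data through url"
        category, _, behaviour = _text(inc, "incident:Title").partition("|")
        records.append({
            "package_id": root.get("id"),
            "incident_id": inc.get("id"),
            "category": category.strip(),
            "behaviour": behaviour.strip(),
            "first_malicious_action": _text(inc, "incident:Time/incident:First_Malicious_Action"),
            "victim": _text(inc, "incident:Victim/stixCommon:Name"),
            "ttps": [t.text.strip() for t in inc.findall(
                "incident:Leveraged_TTPs/incident:Leveraged_TTP/stixCommon:TTP/ttp:Title", NS)
                if t.text],
            "tools": tools,
        })
    return records


def to_log_line(record):
    """key="value" line for a SIEM; list fields are joined with ';'."""
    parts = []
    for key, value in record.items():
        if isinstance(value, list):
            value = ";".join(value)
        parts.append('%s="%s"' % (key, str(value).replace('"', '\\"')))
    return " ".join(parts)


if __name__ == "__main__":
    for rec in transform_package(SAMPLE_PACKAGE):
        print(to_log_line(rec))
```

The version check is there because the adapter's XPath expressions are tied to the STIX 1.1.1 element layout CTA exports; a package with another version should be rejected rather than silently yielding empty records.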

STIX Language Mapping
