Cisco Rapid Threat Containment

Jim Kotantoulas Consulting Systems Engineer – Security May 2016 Cisco Rapid Threat Containment

Transcript of Cisco Rapid Threat Containment

Page 1: Cisco Rapid Threat Containment

Cisco Rapid Threat Containment

Jim Kotantoulas, Consulting Systems Engineer – Security, May 2016

Page 2: Cisco Rapid Threat Containment

2C97-736203-00 © 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cisco Rapid Threat Containment: Agenda

RTC Overview

Cisco pxGrid – secure information sharing

Dynamic Segmentation using TrustSec

RTC using NetFlow/StealthWatch and Firepower

RTC with Nessus

Demo

Page 3: Cisco Rapid Threat Containment

Malware Threats Are Growing in Stealth, Speed and Sophistication

• Organizations often have 40 to 60+ disparate security solutions

• But they don’t – and often can’t – work together

• 17,000 alerts received on average per week

• 19% prove reliable

• Security teams have time to investigate just 4% of warnings [1]

• The longer threats stay undetected, the greater the damage

• But the current industry average detection time is 200 days

• Average cost per data breach: $3.8 million [2]

Page 4: Cisco Rapid Threat Containment

Malware Preys on Dis-Integrated Security Infrastructure

Too Little Time

Too Much Manual Effort

Too Much Information

Page 5: Cisco Rapid Threat Containment

Advanced Malware Requires Advanced Threat Detection and Response

Malware defense should be:

Automated Advanced Scalable Accelerated

Page 6: Cisco Rapid Threat Containment

What If You Could…?

Improve Threat Visibility and Detection Across the Network

Speed Time to Containment

Lower Operational Overhead and Costs

Page 7: Cisco Rapid Threat Containment

Protect Automatically with Rapid Threat Containment: Cisco FireSIGHT Management Center (FMC) and Cisco Identity Services Engine (ISE)

Benefits

Detect Threats Early: FireSIGHT scans activity and publishes events to ISE

Automate Endpoint Containment: ISE alerts the network of suspicious activity according to policy

Integrate Best-of-Breed Security: a growing ecosystem of threat defense partners integrate with ISE

Page 8: Cisco Rapid Threat Containment

Rapid Threat Containment in Action: Automatically Defend Against Threats with FMC and ISE

1. Corporate user downloads a file, not knowing it’s actually malicious

2. Cisco security sensors scan the user activity and the downloaded file; FMC aggregates and correlates sensor data

3. FMC detects a flagrantly suspicious file and alerts ISE; ISE then changes the user’s/device’s access policy to "suspicious"

4. Based on the new policy, network enforcers automatically restrict access

5. The device is quarantined for remediation or mitigation – access is denied per security policy

Page 9: Cisco Rapid Threat Containment

Differentiated Threat Defense

Advanced, Automated Malware Detection

Contextual Visibility to Understand and Contain Threats Faster

Continually Updated Threat Intelligence

Pervasive Network Enforcement

Your Cisco Network as Security Sensor and Enforcer

Page 10: Cisco Rapid Threat Containment

What You Gain

Improved Threat Visibility and Detection Effectiveness

Faster Time-to-Containment

Lower Costs

Page 11: Cisco Rapid Threat Containment

Cisco Rapid Threat Containment Solution

Advanced Threat Sensors

• Cisco ASA with Firepower Services

• Firepower NGIPS Appliances

• Cisco AMP for Networks

• Firepower on Cisco ISR

Threat Visibility

• Cisco FireSIGHT Management Center

• Automated Contextual Analysis and Threat Qualification

• Continuous Threat Intelligence Updates to Threat Sensors

Automated Enforcement

• Cisco FireSIGHT and Cisco ISE Automate Containment

• Policy Enforcement from Cisco TrustSec, Downloadable ACL, or VLAN

Page 12: Cisco Rapid Threat Containment

Cisco RTC protects across the full attack continuum

BEFORE: Discover, Enforce, Harden

DURING: Detect, Block, Defend

AFTER: Scope, Contain, Remediate

Products across the continuum: NGFW, NGIPS, NGISR, AnyConnect, ISE & TrustSec, Cloud Access Security, Talos, Advanced Malware Protection

Page 13: Cisco Rapid Threat Containment

Under the Covers with Cisco pxGrid (Platform Exchange Grid)

Page 14: Cisco Rapid Threat Containment

Context is the Currency of the Solution Integration Realm… but it’s not easy to execute

Each platform holds one piece of context and needs another:

• I have NBAR info! I need identity…

• I have firewall logs! I need identity…

• I have sec events! I need reputation…

• I have NetFlow! I need entitlement…

• I have MDM info! I need location…

• I have app inventory info! I need posture…

• I have identity & device-type! I need app inventory & vulnerability…

• I have threat data! I need reputation…

• I have location! I need identity…

• I have reputation info! I need threat data…

• I have application info! I need location & auth-group… (SIO)

But the integration burden is on IT departments. We need to share context & take network actions.

Page 15: Cisco Rapid Threat Containment

Context is the Currency of the Solution Integration Realm… but it’s not easy to execute… but pxGrid accomplishes this

pxGrid: Context Sharing, Event Response (the same platforms and context needs as on the previous slide, now exchanged through pxGrid)

Page 16: Cisco Rapid Threat Containment

Cisco pxGrid: Overview

What is pxGrid?

• pxGrid is a common method for network and security devices to share data with other devices through a secure publish and subscribe mechanism.

• A scalable and secure means to share information (i.e. Pub/Sub/Query) in a network ecosystem

Why do we need pxGrid?

• Solve the integration nightmare by using a single secure framework for “contextual” data sharing.

• Provide contextual information to Cisco platforms, SIEM & 3rd party applications to increase accuracy and collaboration of security events.

• Provide contextual data to Cisco platforms to identify policy, take proactive actions or share common policy objects, which greatly extends policy management.

Page 17: Cisco Rapid Threat Containment

ISE Ecosystem – Built Using Cisco pxGrid. The 1-2-3 Formula: ISE Integrates with IT Platforms to do 3 Things

1. ISE Makes Customer IT Platforms User/Identity, Device and Network Aware (ISE → Eco-Partner: CONTEXT)
   ISE shares user/device & network context with IT infrastructure. Puts “Who, What Device, What Access” with events. Way better than just IP addresses!

2. Make ISE a Better Network Policy Platform for Customers (Eco-Partner → ISE: CONTEXT)
   ISE receives context from eco-partners to make better network access policy. Creates a single place for comprehensive network access policy through integration.

3. Help Customer IT Environments Reach into the Cisco Network (Eco-Partner → ISE → Cisco Network: MITIGATE / ACTION)
   Decreases the time, effort and cost of responding to security and network events.

Page 18: Cisco Rapid Threat Containment

pxGrid – Industry Adoption Critical Mass: 30 Partner Product Integrations and 12 Technology Areas in First Year of Release

pxGrid-Enabled ISE Partners:

• RTC: Cisco FirePower, Bayshore, E8, Elastica, Hawk, Huntsman, Infoblox, Invincea, Lancope, LogRhythm, NetIQ, Rapid7, SAINT, Splunk, Tenable

• Firewall: Check Point, Infoblox, Bayshore

• DDI: Infoblox

• Cloud: Elastica, SkyHigh Networks

• Net/App: LiveAction, Savvius

• SIEM/TD: Splunk, Lancope, NetIQ, LogRhythm, FortScale, Rapid7

• IAM: Ping, NetIQ, SecureAuth

• Vulnerability: Rapid7, Tenable, SAINT

• IoT Security: Bayshore Networks

• P-Cap/Forensics: Emulex

• Cisco: WSA, FirePower, ISE

Other ISE Partners:

• SIEM/TD: ArcSight, IBM QRadar, Tibco LogLogic, Symantec

• MDM/EMM: Cisco Meraki, MobileIron, AirWatch, JAMF, SOTI, Symantec, Citrix, IBM, Good, SAP, Tangoe, Globo, Absolute

Technology areas around Cisco pxGrid (“Security thru Integration”): Firewall & Access Control, Vulnerability Assessment, Packet Capture & Forensics, SIEM & Threat Defense, IAM & SSO, Net/App Performance, IoT Security, Cloud Access Security, Rapid Threat Containment (RTC), DDI, plus Cisco ISE, Cisco WSA and Cisco FirePOWER

Page 19: Cisco Rapid Threat Containment

pxGrid – How it Works, Why It Matters: Authenticate, Authorize, Publish, Discover, Subscribe, Query

ISE acts as the pxGrid Controller. Each client is authenticated and authorized, publishes the context it has to a topic, discovers the topics it needs, and then consumes them either as a continuous flow (subscription) or by directed query:

• I have sec events! I need identity & device…

• I have MDM info! I need location…

• I have location! I need app & identity…

• I have application info! I need location & device-type…

• I have identity & device! I need geo-location & MDM…

Page 20: Cisco Rapid Threat Containment

pxGrid Architecture & Components

pxGrid Controller – responsible for the control plane:

• Establishing the “grid” instance

• Authenticating clients on to the grid

• Authorizing what clients can do on the grid

• Maintaining a directory of context information “topics” available on the grid

pxGrid Clients (Eco-Partner Platforms) – responsible for:

• Utilizing the pxGrid Client Libraries (GCL, in the SDK) to communicate with the pxGrid Controller

• If sharing contextual information, publishing it to a “topic”

• If consuming contextual information, subscribing to the appropriate “topic”

• Filtering “topics” to exclude unwanted information

• Ad-hoc query to “topics”

Page 21: Cisco Rapid Threat Containment

pxGrid Adaptive Network Control (ANC) – Enables Rapid Threat Containment. Network-as-an-Enforcer: makes Cisco infrastructure a unified event response network

• Network mitigation action from a 3rd party console, via the pxGrid ANC API, with ISE as the unified policy point

• Quarantine devices or spawn investigations of events from Cisco FirePower and 3rd party products, such as SIEM and vulnerability management systems

• Enlist other Cisco infrastructure in the network response – such as dynamic ACLs on switches and ASA, or increased IPS inspection levels

• Enforcement mechanisms: SGT assignment, CoA (Change of Authorization), user/device quarantine, dynamic ACLs, increased inspection
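The control-plane roles on the last two slides (authenticate, authorize, publish, discover, subscribe, query) and the ANC quarantine path can be sketched in a few dozen lines. The Python below is an added illustration written for this page, not Cisco's pxGrid SDK or any ISE API: the client names, the SessionDirectory topic layout, the capability strings and the session fields are all constructed for the example. What it shows is that the controller, not the client, decides who may publish or subscribe to a topic and who may invoke ANC, and that a quarantine is a CoA to the network access device plus an updated session record pushed to every subscriber.

```python
from collections import defaultdict
from dataclasses import dataclass, field


class PxGridError(Exception):
    """Authentication failure or an action the controller has not authorized."""


@dataclass
class Client:
    name: str                                   # identity from the client certificate
    capabilities: set                           # actions the controller authorizes for this client
    inbox: list = field(default_factory=list)   # records delivered through subscriptions


class PxGridController:
    """ISE as pxGrid controller: authenticate, authorize, topic directory, pub/sub, query, ANC."""

    def __init__(self, authorized):
        # authorized: {cert_cn: {"publish:<topic>", "subscribe:<topic>", "anc"}} (constructed policy)
        self._authorized = authorized
        self._subscribers = defaultdict(list)   # topic -> clients receiving the continuous flow
        self._latest = {}                       # topic -> last published record, answers directed queries
        self._sessions = {}                     # mac -> session record (the context ANC acts on)
        self.coa_log = []                       # CoA messages the network access device would receive
        self._ise = Client("ise-internal", {"publish:SessionDirectory"})

    def authenticate(self, cert_cn):
        if cert_cn not in self._authorized:
            raise PxGridError("unknown client certificate: " + cert_cn)
        return Client(cert_cn, set(self._authorized[cert_cn]))

    def _authorize(self, client, action):
        if action not in client.capabilities:
            raise PxGridError(client.name + " is not authorized for " + action)

    def discover(self):
        """Directory of topics that currently carry published context."""
        return sorted(self._latest)

    def subscribe(self, client, topic):
        self._authorize(client, "subscribe:" + topic)
        self._subscribers[topic].append(client)

    def publish(self, client, topic, record):
        self._authorize(client, "publish:" + topic)
        self._latest[topic] = record
        if topic == "SessionDirectory":
            self._sessions[record["mac"]] = record
        for sub in self._subscribers[topic]:      # continuous flow to every subscriber
            sub.inbox.append((topic, record))

    def query(self, client, topic):
        """Directed query: a client authorized for the topic asks for its current record."""
        self._authorize(client, "subscribe:" + topic)
        return self._latest.get(topic)

    def anc_apply(self, client, mac, policy):
        """ANC: an authorized partner asks ISE to change a session's policy; ISE answers with CoA."""
        self._authorize(client, "anc")
        session = self._sessions.get(mac)
        if session is None:
            raise PxGridError("no active session for " + mac)
        updated = dict(session, anc_policy=policy, sgt=policy)
        # CoA to the network access device that owns the session; the new SGT is pushed to the port
        self.coa_log.append({"mac": mac, "nas": session["nas"], "sgt": policy})
        self.publish(self._ise, "SessionDirectory", updated)   # subscribers learn the new state
        return updated


def run_scenario():
    """Constructed exchange: ISE publishes a session, StealthWatch quarantines it, a SIEM may only watch."""
    ctrl = PxGridController({
        "ise.example.local": {"publish:SessionDirectory"},
        "stealthwatch.example.local": {"subscribe:SessionDirectory", "anc"},
        "siem.example.local": {"subscribe:SessionDirectory"},
    })
    ise = ctrl.authenticate("ise.example.local")
    stealthwatch = ctrl.authenticate("stealthwatch.example.local")
    siem = ctrl.authenticate("siem.example.local")
    ctrl.subscribe(stealthwatch, "SessionDirectory")
    ctrl.subscribe(siem, "SessionDirectory")

    ctrl.publish(ise, "SessionDirectory", {            # a supplier's endpoint comes online
        "mac": "00:11:22:33:44:55", "ip": "10.4.51.5", "user": "supplier01",
        "nas": "10.4.1.1", "sgt": "Supplier", "anc_policy": None,
    })
    _, seen = stealthwatch.inbox[-1]                    # the context the sensor correlates with flows
    ctrl.anc_apply(stealthwatch, seen["mac"], "Quarantine")

    siem_denied = False
    try:                                                # a subscribe-only client must not be able to mitigate
        ctrl.anc_apply(siem, seen["mac"], "Quarantine")
    except PxGridError:
        siem_denied = True

    return {
        "topics": ctrl.discover(),
        "coa": ctrl.coa_log,
        "siem_view": ctrl.query(siem, "SessionDirectory"),
        "siem_updates": len(siem.inbox),
        "siem_denied": siem_denied,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The authorization check sits in the controller on every operation, so a partner that is only trusted to read context (the SIEM here) cannot trigger a CoA even though it holds a valid certificate; that separation is what keeps a compromised or misconfigured consumer from becoming a denial-of-service tool against the network.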

Page 22: Cisco Rapid Threat Containment

Dynamic Segmentation using TrustSec

Page 23: Cisco Rapid Threat Containment

Segmentation is a Powerful Security Tool

“Network segmentation… is one of the most effective controls an agency can implement to mitigate the second stage of a network intrusion, propagation or lateral movement”

“Good network and role segmentation will do wonders for containing an incident.”

“Effective network segmentation… reduces the extent to which an adversary can move across the network”

“Segregate Networks, limit allowed protocols usage and limit users’ excessive privileges.”

Sources cited on the slide: 2014 Data Breach Investigations Report; The Untold Story of the Target Attack Step by Step, Aorato Labs, August 2014

Page 24: Cisco Rapid Threat Containment

Policy and Segmentation (The Challenge)

Access layer: Voice, Employees, FN, Suppliers, Guest

Core / Aggregation layer: VLAN, addressing, DHCP scope, redundancy, routing, static filtering, ACL

Simple segmentation with 2 VLANs; more policies using more VLANs

The design needs to be replicated for floors, buildings, offices, and other facilities. TCO can be extremely high.

Page 25: Cisco Rapid Threat Containment

Cisco TrustSec Solution: SGT (The Solution)

Access layer: Voice, Staff, FN, Researchers, Guest; enforcement at the Data Center Firewall, retaining the initial VLAN / IP subnet design

Benefits of TrustSec Deployment

• Every packet has embedded identity, with no L2 VLAN or L3 IP dependencies, regardless of topology or location

• Policy stays with users, devices, and applications

Operational Efficiency

• Reduces firewall policy changes; simplified ACL and firewall rule management

• Optimizes the firewall for improved throughput & performance

• Uses both SGACL and SGFW for policy and segmentation

Threat Containment

• Prevents lateral movement of malware

• Changes a user or application role based on 3rd party threat intelligence received

Page 26: Cisco Rapid Threat Containment

Drivers for TrustSec Adoption

Mitigate Risk: reducing the attack surface with segmentation; preventing lateral movement of threats

Increase SecOps efficiency: manage security using logical groups, not IP addresses/VLANs

Meet Compliance Objectives: authorize access to compliance-critical apps

Page 27: Cisco Rapid Threat Containment

ATTACK CONTINUUM: BEFORE – DURING – AFTER

TrustSec and ISE: Network as an Enforcer

• Segment to limit the attack surface

• Quarantine based on detection, transparently to the host

• Control lateral movement

• Allow remediation of quarantined systems

Page 28: Cisco Rapid Threat Containment

TrustSec Beneath The Surface

Page 29: Cisco Rapid Threat Containment

The TrustSec Concept

Diagram: users and devices → switch → router → DC firewall → DC switch (N1KV) → HR Apps and PCI Apps (example tags SGT = 4, SGT = 5, SGT = 10); ISE performs classification against the directory, the SGT is propagated along the path, and enforcement happens at the data center edge

• Classification of systems/users based on context (user role, device, location, access method)

• Context (user role) manifests as a Security Group Tag (SGT)

• Firewalls, routers and switches use the SGT to make packet blocking decisions

• Classify once & reuse the result multiple times

Page 30: Cisco Rapid Threat Containment

TrustSec Classification

Page 31: Cisco Rapid Threat Containment

TrustSec Classification Types

Dynamic Classification (common classification for user devices) – the SGT is assigned as the result of:

• 802.1X Auth

• MAC Auth Bypass

• Web Auth

Static Classification (common classification for servers, topology-based policy, etc.) – the SGT is mapped from:

• IP Address

• VLANs

• Subnets

• L2 Interface

• L3 Interface

• Virtual Port Profile

• Layer 2 Port Lookup

Page 32: Cisco Rapid Threat Containment

Dynamic Classification with ISE

Network / user context: Who, What, Where, When, How → Access Policy

Example classifications: Compromised Device, CXO-Level Secure Access, BYOD Employee, User, Guest Visitor

Integrated partner ecosystem: minimize network unknowns, reduce your attack surface, enforce the right level of access control, contain malicious network threats

Page 33: Cisco Rapid Threat Containment

Dynamic Classification with ISE Policy

Employee Access – match conditions:

• SSID = Corporate-WiFi

• Certificate-based authentication

• Posture Status = Compliant

• Profile = Corp Laptop

• Windows AD Group = Employee

Classification Result: Employee_SGT

Built-in attribute dictionary to create detailed condition statements, deriving security group assignments based on context
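As an added example of the first-match classification the slide describes, the Python below evaluates an ordered rule set against a session's attributes. It is illustrative code written for this page, not ISE's policy engine, and the attribute names (ssid, auth, posture, profile, ad_groups, anc_policy) are made up for the example rather than taken from the ISE attribute dictionary. The rule order is the point: an ANC quarantine is checked before the Employee rule, so a re-authorization after a CoA yields the quarantine SGT even for a fully compliant corporate laptop, and a posture change alone moves the same laptop into the non-compliant group.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[dict], bool]   # evaluated against the session's attribute dictionary
    sgt: str                            # classification result when the rule matches


def _has_all(session, **expected):
    """True when every given attribute is present with the expected value."""
    return all(session.get(k) == v for k, v in expected.items())


# Ordered, first-match policy. Attribute names are illustrative, not ISE dictionary names.
POLICY = [
    # Containment first: an ANC quarantine on the session overrides every normal classification,
    # which is how a CoA requested by a detection partner lands the endpoint in the quarantine group.
    Rule("ANC Quarantine", lambda s: s.get("anc_policy") == "Quarantine", "Quarantine_SGT"),
    Rule("Employee Access", lambda s: _has_all(
        s, ssid="Corporate-WiFi", auth="certificate", posture="Compliant", profile="Corp Laptop")
        and "Employee" in s.get("ad_groups", ()), "Employee_SGT"),
    # Same employee, but posture failed: still identified, but sent to the remediation group.
    Rule("Employee Non-Compliant", lambda s: _has_all(
        s, ssid="Corporate-WiFi", auth="certificate") and s.get("posture") != "Compliant"
        and "Employee" in s.get("ad_groups", ()), "Non-Compliant_SGT"),
    Rule("Supplier", lambda s: "Supplier" in s.get("ad_groups", ()), "Supplier_SGT"),
    Rule("Guest", lambda s: _has_all(s, ssid="Guest-WiFi", auth="webauth"), "Guest_SGT"),
]
DEFAULT_SGT = "Unknown_SGT"   # assumed catch-all when nothing matches


def classify(session, policy=POLICY):
    """Return (rule name, SGT) for the first matching rule, or the default."""
    for rule in policy:
        if rule.condition(session):
            return rule.name, rule.sgt
    return "Default", DEFAULT_SGT


def reauthorize(session, **changes):
    """Model a CoA re-evaluation: a posture or ANC change updates the session and policy re-runs."""
    return classify({**session, **changes})


# Constructed session attributes for a corporate laptop on the corporate SSID
EMPLOYEE_SESSION = {
    "ssid": "Corporate-WiFi", "auth": "certificate", "posture": "Compliant",
    "profile": "Corp Laptop", "ad_groups": ("Domain Users", "Employee"), "anc_policy": None,
}
```

Keeping the quarantine rule at the top, rather than adding a quarantine condition to every other rule, is the practical lesson: a later rule can never accidentally re-grant access to an endpoint a sensor has asked to contain.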

Page 34: Cisco Rapid Threat Containment

TrustSec Propagation

Page 35: Cisco Rapid Threat Containment

Propagating Security Group Tags via the Network

End-to-end TrustSec-capable networks using inline tagging: User → Switch → Router → WAN (GETVPN, DMVPN, IPsec, OTP) → Router → Firewall → DC Switch → vSwitch → Server. Classification at the access switch; the SGT is carried over Ethernet and over the WAN; SGACL enforcement in the data center.

TrustSec enabled on legacy networks using SXP: the same path, with the IP-to-SGT bindings sent over SXP from the classifying switch to the enforcement point (SGFW on the firewall) where intermediate devices cannot carry the tag inline.

SXP and inline tagging submitted to the IETF: https://datatracker.ietf.org/doc/draft-smith-kandula-sxp/

Open Source SXP implementation now available: https://github.com/opendaylight/sxp

Page 36: Cisco Rapid Threat Containment

SGT Transport Mechanism

Diagram: WLC and campus access (non-SGT capable) → Core → Enterprise Backbone → DC Core → DC Access (TOR) → Hypervisor SW, with a FW in the path. The classifier holds an SXP IP-SGT binding table (IP Address 10.1.100.98, SGT 50, source Local). Where the hardware is not SGT-capable, the binding (10.1.100.98 → 50) is sent over SXP to the next SGT-capable device; from there the L2 Ethernet frame (SRC 10.1.100.98) carries SGT=50 inline, ASIC to ASIC, optionally encrypted.

Inline Tagging (data plane): if the device supports SGT in its ASIC

SXP (control plane): shared between devices that do not have SGT-capable hardware

Page 37: Cisco Rapid Threat Containment

Inline SGT Tagging – Data Plane Propagation

• Fastest and most scalable way to propagate the SGT within the LAN or Data Center

• SGT embedded within Cisco Meta Data (CMD) in the Layer 2 frame

• Capable switches understand and process the SGT at line rate

• Protected by enabling MACsec (IEEE 802.1AE) – optional for capable hardware

• No impact to QoS, IP MTU/fragmentation

• L2 frame impact: ~20 bytes; the 16-bit field gives ~64,000 tag space

• A non-capable device drops the frame with the unknown EtherType

Ethernet frame with CMD: Destination MAC | Source MAC | 802.1Q | CMD | ETHTYPE | PAYLOAD | CRC

CMD header: CMD EtherType 0x8909 | Version | Length | SGT Option Type | SGT Value (16 bits) | Other CMD Option

MACsec frame: Destination MAC | Source MAC | 802.1AE Header (SecTAG) | 802.1Q | CMD | ETHTYPE | PAYLOAD | 802.1AE ICV | CRC, with AES-GCM 128-bit encryption
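To make the frame layout above concrete, here is an added Python builder and parser for the CMD header; it is example code written for this page, not from Cisco. It assumes the header order shown on the slide (CMD EtherType 0x8909, version, length, SGT option type, 16-bit SGT value, then the original EtherType) and a length byte of 1 for a header that carries only the SGT option; the MAC addresses, VLAN and IPv4 payload are constructed sample input.

```python
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_CMD = 0x8909        # Cisco Meta Data: the header that carries the SGT inline
CMD_VERSION = 1
CMD_OPTION_SGT = 0x0001       # SGT option type inside the CMD header
# EtherTypes a non-TrustSec NIC understands; anything else is an "unknown EtherType" to it
LEGACY_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}


def build_cmd_frame(dst, src, sgt, inner_ethertype, payload, vlan=None):
    """Build a frame with an inline CMD/SGT header (constructed sample input for the parser)."""
    if not 0 <= sgt <= 0xFFFF:
        raise ValueError("SGT is a 16-bit value")
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)      # 802.1Q tag, priority 0
    # CMD: EtherType | Version | Length | SGT option type | SGT value, then the original EtherType.
    # Length=1 is assumed for a header carrying only the SGT option.
    frame += struct.pack("!HBBHH", ETHERTYPE_CMD, CMD_VERSION, 1, CMD_OPTION_SGT, sgt)
    frame += struct.pack("!H", inner_ethertype)
    return frame + payload


def parse_frame(frame):
    """Return the L2 header fields; 'sgt' is None when the frame carries no CMD header."""
    try:
        dst, src = frame[:6], frame[6:12]
        offset = 12
        vlan = sgt = None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype == ETHERTYPE_VLAN:
            (tci,) = struct.unpack_from("!H", frame, offset)
            vlan = tci & 0x0FFF
            (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
            offset += 4
        if ethertype == ETHERTYPE_CMD:
            version, length, option, value = struct.unpack_from("!BBHH", frame, offset)
            if version != CMD_VERSION or option != CMD_OPTION_SGT:
                raise ValueError("unsupported CMD header (version %d, option 0x%04x)" % (version, option))
            sgt = value
            (ethertype,) = struct.unpack_from("!H", frame, offset + 6)
            offset += 8
    except struct.error:
        raise ValueError("truncated frame") from None
    return {"dst": dst, "src": src, "vlan": vlan, "sgt": sgt,
            "ethertype": ethertype, "payload": frame[offset:]}


def legacy_device_accepts(frame):
    """A non-SGT-capable device only looks at the outer EtherType, so a CMD frame is dropped."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETHERTYPE_VLAN:
        (ethertype,) = struct.unpack_from("!H", frame, 16)
    return ethertype in LEGACY_ETHERTYPES


# Constructed sample: a minimal IPv4 header (src 10.1.100.98) as payload, SGT 50, VLAN 100
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
IPV4_HEADER = bytes.fromhex("4500001400010000400000000a0164620a01c805")
TAGGED = build_cmd_frame(DST, SRC, 50, 0x0800, IPV4_HEADER, vlan=100)
UNTAGGED = DST + SRC + struct.pack("!HH", ETHERTYPE_VLAN, 100) + struct.pack("!H", 0x0800) + IPV4_HEADER
```

The CMD EtherType plus its fixed SGT option account for 8 of the bytes added to the frame; `legacy_device_accepts` models the last bullet: a receiver that does not know 0x8909 sees only an unknown EtherType and discards the frame, which is why inline tagging has to be enabled hop by hop, or SXP used, across non-capable devices.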

Page 38: Cisco Rapid Threat Containment

SGT Exchange Protocol (SXP) – Control Plane Propagation

• SXP is a very simple way to enable SGT propagation without hardware dependencies

• Propagation from the access edge to the enforcement device

• Can be deployed side by side with inline SGTs

• Uses TCP as the transport protocol

• Two roles: Speaker (initiator) and Listener (receiver)

• Developed for migration, to support 3rd party vendor network devices as well as Cisco’s legacy infrastructure

Diagram: access switches (SW) speak SXP to an aggregation switch, which in turn speaks SXP to the router (RT); Speaker → Listener on each connection

Page 39: Cisco Rapid Threat Containment

SXP Connection Types – Speaker & Listener Roles

Single-Hop SXP: an SXP-enabled switch/WLC in the non-TrustSec domain (Speaker – Classifier) connects directly over SXP to SGT-capable hardware (Listener – Enforcer)

Multi-Hop SXP: SXP-enabled switches/WLCs (Speaker – Classifier) connect over SXP to an intermediate SXP-enabled switch (Listener – Enforcer/Propagator), which then acts as Speaker – Enforcer/Propagator toward the SGT-capable hardware (Listener – Enforcer)

Page 40: Cisco Rapid Threat Containment

SXP WAN Aggregation Option

SXP Speakers (branch access devices, each holding its local bindings):

IP Address      SGT
10.1.10.1       Production User – 10
10.1.10.10      Developer – 20

IP Address      SGT
10.1.254.1      Production User – 10
10.1.254.10     Developer – 20

Speakers & Listeners (aggregators, holding the merged table):

IP Address      SGT
10.1.10.1       Production User – 10
10.1.10.10      Developer – 20
10.1.254.1      Production User – 10
10.1.254.10     Developer – 20

SXP Listeners (SGT-capable enforcement switch or firewall at the DC edge, holding the same merged table)

• Aggregators handle the SXP control plane; they are not in the traffic path

• All bindings are received at the DC edge, which peers only with the aggregators
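The aggregation option is easiest to understand by running the binding propagation. The Python below is an added simulation written for this page, not an SXP implementation: the node names and topology are constructed, and the bindings are the ones in the tables above. It models speaker and listener roles, the full table sent when a connection comes up, multi-hop forwarding through the aggregators, a guard so a binding already known is not re-advertised, and longest-prefix lookup at the DC edge.

```python
import ipaddress


class SxpNode:
    """A device running SXP: keeps an IP-SGT binding table and speaks to zero or more listeners."""

    def __init__(self, name):
        self.name = name
        self.bindings = {}     # ip_network -> (sgt, source)
        self.listeners = []    # peers this node acts as Speaker toward
        self.peers = set()     # names of peers with an SXP connection in either role

    def add_local_binding(self, prefix, sgt):
        """Binding learned locally, e.g. from the ISE authorization result or a static mapping."""
        self._learn(ipaddress.ip_network(prefix), sgt, "local")

    def connect_to(self, listener):
        """Open an SXP connection with self as Speaker (initiator); the full table is sent on connect."""
        self.listeners.append(listener)
        self.peers.add(listener.name)
        listener.peers.add(self.name)
        for net, (sgt, _) in list(self.bindings.items()):
            listener.receive(self, net, sgt)

    def receive(self, speaker, net, sgt):
        self._learn(net, sgt, "sxp:" + speaker.name)

    def _learn(self, net, sgt, source):
        if self.bindings.get(net, (None, None))[0] == sgt:
            return                               # already known: do not re-advertise (loop guard)
        self.bindings[net] = (sgt, source)
        for listener in self.listeners:          # propagate to the next hop (multi-hop SXP)
            listener.receive(self, net, sgt)

    def lookup(self, ip):
        """Longest-prefix match of an address against the binding table; None if unknown."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, (sgt, _) in self.bindings.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, sgt)
        return None if best is None else best[1]


def build_wan_aggregation():
    """Constructed topology: two branch speakers, two aggregators, one DC-edge enforcement listener."""
    branch_a, branch_b = SxpNode("branch-a"), SxpNode("branch-b")
    agg1, agg2 = SxpNode("agg-1"), SxpNode("agg-2")
    dc_edge = SxpNode("dc-edge-asa")

    for agg in (agg1, agg2):          # aggregators speak toward the DC edge (its only peers)
        agg.connect_to(dc_edge)
    for branch in (branch_a, branch_b):   # each branch speaks to both aggregators for redundancy
        branch.connect_to(agg1)
        branch.connect_to(agg2)

    branch_a.add_local_binding("10.1.10.1/32", 10)      # Production User
    branch_a.add_local_binding("10.1.10.10/32", 20)     # Developer
    branch_b.add_local_binding("10.1.254.1/32", 10)
    branch_b.add_local_binding("10.1.254.10/32", 20)
    return {"branch_a": branch_a, "branch_b": branch_b, "agg1": agg1, "agg2": agg2, "dc_edge": dc_edge}


def demo():
    """Run the topology, then add a coarse static binding and a late login to see them propagate."""
    nodes = build_wan_aggregation()
    dc = nodes["dc_edge"]
    before = len(dc.bindings)
    nodes["agg1"].add_local_binding("10.1.0.0/16", 99)          # coarse static binding at an aggregator
    nodes["branch_b"].add_local_binding("10.1.254.77/32", 10)   # a new user logs in at branch B
    return {
        "dc_peers": sorted(dc.peers),
        "dc_bindings_before": before,
        "dc_bindings_after": len(dc.bindings),
        "dc_lookup_dev": dc.lookup("10.1.254.10"),
        "dc_lookup_new_user": dc.lookup("10.1.254.77"),
        "dc_lookup_subnet_only": dc.lookup("10.1.77.77"),   # only the /16 covers it
        "dc_longest_prefix": dc.lookup("10.1.10.1"),         # the /32 wins over the /16
        "branch_a_knows_branch_b": nodes["branch_a"].lookup("10.1.254.1"),
    }


if __name__ == "__main__":
    print(demo())
```

The DC edge ends up with every branch binding while peering with only the two aggregators, and a branch speaker never learns another branch's bindings because SXP is unidirectional per connection; the longest-prefix cases show why a host-specific binding from ISE must override any coarse static subnet mapping on the enforcement device.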

Page 41: Cisco Rapid Threat Containment

TrustSec Enforcement

Page 42: Cisco Rapid Threat Containment

Security Group Access Control List (SGACL)

• An SGACL is an access control list that filters traffic based on security group

• SGACLs enforce policy based on the egress data flow

• No IP address in the syntax; IP version agnostic (supports IPv4 & IPv6)

Example SGACL "Permit_Mail_Traffic":

permit tcp dst eq 110
permit tcp dst eq 143
permit tcp dst eq 25
permit tcp dst eq 465
permit tcp dst eq 585
permit tcp dst eq 993
permit tcp dst eq 995
deny all log
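As an added example (not Cisco code) of how an egress switch applies the SGACL above, the Python below parses the Permit_Mail_Traffic SGACL, looks up source and destination SGTs from a constructed IP-to-SGT binding table and a constructed policy matrix, and evaluates the ACEs first-match. The IPv6 bindings show the IP-version-agnostic point: the same SGACL cell serves v4 and v6 hosts without any address in the ACL. The SGT numbers, the quarantine cells and the matrix default of permit are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The Permit_Mail_Traffic SGACL from the slide, verbatim
PERMIT_MAIL_TRAFFIC = """\
permit tcp dst eq 110
permit tcp dst eq 143
permit tcp dst eq 25
permit tcp dst eq 465
permit tcp dst eq 585
permit tcp dst eq 993
permit tcp dst eq 995
deny all log
"""


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "tcp", "udp", "icmp", "ip" or "all"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    log: bool = False


def parse_sgacl(text):
    """Parse the subset of SGACL syntax used above: <action> <proto> [src eq N] [dst eq N] [log]."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, protocol, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in: " + line)
        ports = {"src": None, "dst": None}
        log = False
        while rest:
            tok = rest.pop(0)
            if tok in ports and rest[:1] == ["eq"]:
                ports[tok] = int(rest[1])
                rest = rest[2:]
            elif tok == "log":
                log = True
            else:
                raise ValueError("unsupported token %r in: %s" % (tok, line))
        aces.append(Ace(action, protocol, ports["src"], ports["dst"], log))
    return aces


def evaluate(aces, protocol, src_port, dst_port):
    """First-match evaluation; an SGACL with no matching ACE falls through to the implicit deny."""
    for ace in aces:
        if ace.protocol not in ("all", "ip", protocol):
            continue
        if ace.src_port is not None and ace.src_port != src_port:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, ace.log
    return "deny", False


# Constructed policy matrix: (source SGT, destination SGT) -> SGACL name; a missing cell uses the default
SGACLS = {"Permit_Mail_Traffic": parse_sgacl(PERMIT_MAIL_TRAFFIC), "Deny_All_Log": parse_sgacl("deny all log")}
MATRIX = {(10, 30): "Permit_Mail_Traffic", (20, 30): "Permit_Mail_Traffic",
          (255, 30): "Deny_All_Log", (255, 10): "Deny_All_Log"}
DEFAULT_ACTION = ("permit", False)     # assumed matrix default for cells with no SGACL

# Constructed IP-SGT bindings: 10 = Production User, 20 = Developer, 30 = Mail Servers, 255 = Quarantine
BINDINGS = {ipaddress.ip_network(p): sgt for p, sgt in {
    "10.1.10.0/24": 10, "2001:db8:10::/64": 10,
    "10.1.20.0/24": 20, "2001:db8:20::/64": 20,
    "10.1.200.0/24": 30, "2001:db8:200::/64": 30,
    "10.1.66.6/32": 255,
}.items()}


def sgt_for(ip):
    """Longest-prefix lookup; 0 means the address has no binding (unknown SGT)."""
    addr = ipaddress.ip_address(ip)
    matches = [n for n in BINDINGS if n.version == addr.version and addr in n]
    return BINDINGS[max(matches, key=lambda n: n.prefixlen)] if matches else 0


def egress_decision(src_ip, dst_ip, protocol, src_port, dst_port):
    """What the egress device does with a packet: look up both SGTs, pick the cell, run the SGACL."""
    src_sgt, dst_sgt = sgt_for(src_ip), sgt_for(dst_ip)
    name = MATRIX.get((src_sgt, dst_sgt))
    if name is None:
        action, log = DEFAULT_ACTION
    else:
        action, log = evaluate(SGACLS[name], protocol, src_port, dst_port)
    return {"action": action, "log": log, "src_sgt": src_sgt, "dst_sgt": dst_sgt, "sgacl": name}
```

Note that an SGACL with nothing but permit entries still ends in an implicit deny, and that a UDP packet hitting Permit_Mail_Traffic is denied and logged because none of the tcp ACEs match it; the quarantine row (SGT 255) shows how a CoA that changes only the source's tag flips every cell in that row without touching a single ACL.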

Page 43: Cisco Rapid Threat Containment

Security Group Firewall (SGFW)

• Can still use Network Objects (Host, Range, Network (subnet), or FQDN) AND / OR the SGT in policies

• Switches inform the ASA of Security Group membership

• Security Group definitions come from ISE

• Trigger FirePower services by SGT

• Reduces firewall policy changes

• Simplified ACL and firewall rule management

Page 44: Cisco Rapid Threat Containment

TrustSec Platform Support

Page 45: Cisco Rapid Threat Containment

TrustSec Platform Support

Classification:

• Catalyst 2960-S/-C/-Plus/-X/-XR

• Catalyst 3560-E/-C/-X

• Catalyst 3750-E/-X

• Catalyst 4500E (Sup6E/7E)

• Catalyst 4500E (Sup8)

• Catalyst 6500E (Sup720/2T)

• Catalyst 3850/3650, WLC 5760

• Wireless LAN Controller 2500/5500/WiSM2

• Nexus 7000

• Nexus 5500

• Nexus 1000v (Port Profile)

• ISR G2 Router, CGR2000

• IE2000/3000, CGS2000

• ASA5500 (VPN RAS)

SGT Propagation (SXP and/or inline SGT, depending on the platform):

• Catalyst 2960-S/-C/-Plus/-X/-XR

• Catalyst 3560-E/-C, 3750-E

• Catalyst 3560-X, 3750-X

• Catalyst 3850/3650

• Catalyst 4500E (Sup6E)

• Catalyst 4500E (7E, 8), 4500X

• Catalyst 6500E (Sup720)

• Catalyst 6500E (2T), 6800

• WLC 2500, 5500, WiSM2

• WLC 5760

• Nexus 1000v

• Nexus 6000/5600

• Nexus 5500/22xx FEX

• Nexus 7000/22xx FEX

• ISR G2, CGS2000 (inline SGT on all ISR G2 except the 800 series; GETVPN, DMVPN, IPsec over the WAN)

• ASR1000 (GETVPN, DMVPN, IPsec)

• ASA5500 Firewall

Policy Enforcement:

• SGACL: Catalyst 3560-X, Catalyst 3750-X, Catalyst 4500E (7E), Catalyst 4500E (8E), Catalyst 6500E (2T), Catalyst 6800, Catalyst 3850/3650, WLC 5760, Nexus 7000, Nexus 6000, Nexus 5600, Nexus 1000v

• SGFW: ISR G2 Router, CGR2000, ASA 5500 Firewall, ASAv Firewall, ASR 1000 Router, CSR-1000v Router

Page 46: Cisco Rapid Threat Containment

TrustSec Main Deployment Scenarios

User to Data Center Access Control

• Context-based access control

• Compliance requirements: PCI, HIPAA, export controlled information

• Merger & acquisition integration, divestments

Data Center Segmentation

• Server zoning & micro-segmentation

• Production vs. development server segmentation

• Compliance requirements, classified systems, PCI, HIPAA

• Firewall rule automation

Campus and Branch Segmentation

• Line of business segregation

• PCI, HIPAA and other compliance regulations

• Malware propagation control/quarantine

Page 47: Cisco Rapid Threat Containment

User to Data Center Access Control using SGACL on Cisco Switches

Diagram: access switches with VLAN Data-1 and VLAN Data-2 carrying Voice, Employee, Supplier and Non-Compliant endpoints (Employee Tag, Supplier Tag, Non-Compliant Tag) → Enterprise Backbone → DC Switch → Application Servers, Shared Services and Remediation; ISE classifies, the DC switch enforces SGACLs

• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers

• TrustSec simplifies ACL management for intra/inter-VLAN traffic

Page 48: Cisco Rapid Threat Containment

User to Data Center Access Control using SGFW on Cisco ASAs

Diagram: access switches with VLAN Data-1 and VLAN Data-2 carrying Voice, Employee, Supplier and Non-Compliant endpoints (Employee Tag, Supplier Tag, Non-Compliant Tag) → Enterprise Backbone → DC Firewall (Inspection) → Application Servers and Shared Services; ISE classifies, the DC firewall enforces the SGFW policy

• Regardless of topology or location, policy (Security Group Tag) stays with users, devices, and servers

• TrustSec simplifies ACL management for intra/inter-VLAN traffic

Page 49: Cisco Rapid Threat Containment

Data Center Segmentation with TrustSec

Diagram: security groups for Web Servers, Middleware Servers, Database Servers and Storage

Page 50: Cisco Rapid Threat Containment

Micro-Segmentation using SGACLs on Nexus 1000v

Diagram: two servers, each running a hypervisor with a Nexus 1000V VEM and four VMs belonging to the Finance Application, PCI and Dev groups; the Nexus 1000V VSM obtains its PAC from ISE

• N1000V assigns the SGT based on port-profile assignments

• N1000v with inline tagging/SXP and SGACL enforcement

Page 51: Cisco Rapid Threat Containment

Campus & Branch Segmentation with TrustSec

Diagram: access switches with VLAN Data-1 and VLAN Data-2 carrying Voice, Employee, Supplier and Non-Compliant endpoints (Employee Tag, Supplier Tag, Non-Compliant Tag) → Enterprise Backbone → DC Switch → Application Servers and Shared Services; ISE classifies

If access-layer devices understand SGTs:

• Segment traffic based on the classified group (SGT), not based on topology (VLAN, IP subnet)

• Micro-segmentation in the LAN (segment devices even in the same VLAN)

Page 52: Cisco Rapid Threat Containment

Using Cisco NetFlow and StealthWatch

Page 53: Cisco Rapid Threat Containment

Visibility and Containment through NetFlow

Example flow record exported by routers and switches for a conversation from 10.1.8.3 to 172.168.134.2 on the Internet:

SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
: :
APPLICATION NAME      NBAR SECURE-HTTP

NetFlow provides

• A trace of every conversation in your network

• An ability to collect records everywhere in your network (switch, router, or firewall)

• Network usage measurement

• An ability to find north-south as well as east-west communication

• Lightweight visibility compared to SPAN-based traffic analysis

• Indicators of Compromise (IOC)

• Security Group information

Page 54: Cisco Rapid Threat Containment

StealthWatch: System Overview

Network devices export NetFlow / NBAR / NSEL to the StealthWatch FlowCollector; non-NetFlow-capable devices are covered by a StealthWatch FlowSensor that generates NetFlow from a SPAN feed.

StealthWatch FlowCollector

• Collect and analyze

• Up to 4,000 sources

• Up to 240,000 FPS sustained

StealthWatch Management Console

• Management and reporting

• Up to 25 FlowCollectors

• Up to 6 million FPS globally

Page 55: Cisco Rapid Threat Containment

Conversational Flow Record: Who, What, When, How, Where – more context

• Highly scalable (enterprise class) collection

• High compression => long term storage

• Months of data retention

Page 56: Cisco Rapid Threat Containment

Behavioral and Anomaly Detection Model: Behavioral Algorithms Are Applied to Build “Security Events”

Collect and analyze flows → Security Events (94+) → Alarm Category → Response

Security events (examples): Addr_Scan/tcp, Addr_Scan/udp, Bad_Flag_ACK, Beaconing Host, Bot Command Control Server, Bot Infected Host – Attempted, Bot Infected Host – Successful, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Long Flow, Suspect UDP Activity, SYN Flood, …

Alarm categories: Concern, Exfiltration, C&C, Recon, Data Hoarding, Exploitation, DDoS Target

Responses: Alarm Table, Host Snapshot, Email, Syslog / SIEM, Mitigation

Page 57: Cisco Rapid Threat Containmnet


StealthWatch Alarm Categories

Each category accrues points.

Page 58: Cisco Rapid Threat Containmnet

Data Hoarding

Target Data Hoarding:
• Unusually large amount of data outbound from a host to multiple hosts

Suspect Data Hoarding:
• Unusually large amount of data inbound from other hosts

Page 59: Cisco Rapid Threat Containmnet

Suspect Data Hoarding

Data Hoarding:
• Unusually large amount of data inbound to a host from other hosts
• Policy and behavioral
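The two Data Hoarding events described on slides 58 and 59, as an added Python example that is not Cisco's or StealthWatch's code: constructed flow records and per-host baselines, a per-host volume profile, and a threshold rule that raises Suspect (inbound) or Target (outbound) Data Hoarding with a points score. The factor, the peer threshold and the points formula are this example's assumptions, not the product's scoring.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    nbytes: int

# Constructed conversational flow records (addresses and byte counts are made up).
FLOWS = [
    Flow("10.1.8.3", "10.1.20.5", 40_000_000),   # four peers push bulk data
    Flow("10.1.8.7", "10.1.20.5", 35_000_000),   #   into 10.1.20.5
    Flow("10.1.8.9", "10.1.20.5", 30_000_000),
    Flow("10.1.8.11", "10.1.20.5", 25_000_000),
    Flow("10.1.8.3", "10.1.30.1", 1_000_000),    # ordinary client/server traffic
    Flow("10.1.30.1", "10.1.8.3", 2_000_000),
]
# Constructed per-host baselines (bytes/day); StealthWatch learns these over time.
BASELINE = {"10.1.20.5": {"in": 5_000_000, "out": 5_000_000},
            "10.1.8.3": {"in": 3_000_000, "out": 3_000_000}}

def volume_profile(flows):
    """Per host: bytes in/out and the distinct peers seen in each direction."""
    prof = defaultdict(lambda: {"in": 0, "out": 0, "in_peers": set(), "out_peers": set()})
    for f in flows:
        prof[f.dst]["in"] += f.nbytes
        prof[f.dst]["in_peers"].add(f.src)
        prof[f.src]["out"] += f.nbytes
        prof[f.src]["out_peers"].add(f.dst)
    return prof

def data_hoarding_alarms(flows, baseline, factor=5.0, min_peers=3):
    """Suspect Data Hoarding = inbound volume far above baseline from many hosts;
    Target Data Hoarding = the same for outbound volume to many hosts.
    Points = volume / baseline (an assumption; the real scoring is StealthWatch's)."""
    alarms = []
    for host, p in volume_profile(flows).items():
        for direction, event in (("in", "Suspect Data Hoarding"), ("out", "Target Data Hoarding")):
            base = max(baseline.get(host, {}).get(direction, 0), 1)
            peers = len(p[direction + "_peers"])
            if p[direction] > factor * base and peers >= min_peers:
                alarms.append({"host": host, "event": event, "category": "Data Hoarding",
                               "points": int(p[direction] / base), "peers": peers})
    return alarms

if __name__ == "__main__":
    for alarm in data_hoarding_alarms(FLOWS, BASELINE):
        print(alarm)  # one alarm: 10.1.20.5, Suspect Data Hoarding, 26 points, 4 peers
```

Note that 10.1.8.3 also moves far more data than its baseline, but to only two peers, so it does not fire; the peer count is what separates hoarding from a single bulk transfer.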

Page 60: Cisco Rapid Threat Containmnet

Network as a Sensor: Cisco StealthWatch

Real-time visibility at all network layers
• Data intelligence throughout network
• Asset discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

(Diagram: NetFlow from the network feeds StealthWatch; context information and mitigation actions are exchanged with Cisco ISE over pxGrid.)

Page 61: Cisco Rapid Threat Containmnet

Rapid Threat Containment

(Diagram: employees, a supplier, a shared server and a server on the network fabric, with a quarantine / high-risk segment and the Internet. StealthWatch detects the event and ISE changes the endpoint's authorization over pxGrid.)

StealthWatch:
Event: TCP SYN Scan
Source IP: 10.4.51.5
Role: Supplier
Response: Quarantine

ISE: Change Authorization (via pxGrid) -> endpoint moved to Quarantine

Page 62: Cisco Rapid Threat Containmnet


Quarantine from StealthWatch

Page 63: Cisco Rapid Threat Containmnet

AnyConnect NVM (4.2): Extending network visibility to the endpoint

Expected StealthWatch support June 2016

IPFIX record to include:
• Unique Device ID
• Device Name
• Domain\User Name
• Local/Target DNS
• Process Name
• Process Identifier
• Parent Process Name
• Parent Process Identifier

Page 64: Cisco Rapid Threat Containmnet

ProxyWatch (StealthWatch 6.7)

Collection of logs from Web Proxies:
• Cisco WSA, Blue Coat, Squid, McAfee

Visibility through the proxy

Collect contextual data and associate with the flow:
• URL
• User name

Required fields:
• timestamp
• x-elapsed-time
• c-ip
• c-port
• cs-bytes
• s-ip
• s-port
• sc-bytes
• cs-username
• s-computerName
• cs-url

Page 65: Cisco Rapid Threat Containmnet

Using Cisco FirePower NGFW/NGIPS

Cisco Rapid Threat Containment

Page 66: Cisco Rapid Threat Containmnet

Enable Rapid Threat Containment With Cisco Firepower Management Center (FMC) and Identity Service Engine (ISE)

Rapid Threat Containment with FMC and ISE

Benefits
• Integrate with Cisco Advanced Malware Protection (AMP) for malware protection
• Trigger quarantine actions, per policy, with Cisco FireSight and ISE integration
• Admit or deny access to classified portals

Capabilities
• Detect threats early: FireSight scans activity and publishes events to pxGrid
• Automate alerts: leveraging ISE ANC to alert the network of suspicious activity according to policy

Workflow
1. Corporate user downloads file
2. FMC scans the user activity and file
3. FMC detects suspicious file and alerts ISE using pxGrid by changing the Security Group Tag (SGT) to suspicious
4. Based on the new tag, ISE enforces policy on the network
5. Access denied per security policy

Page 67: Cisco Rapid Threat Containmnet


Remediation Module from Talos Labs

Page 68: Cisco Rapid Threat Containmnet

Remediation Options

• Quarantine - quarantines an endpoint based on source IP address
• portBounce - temporarily bounces the endpoint or host port
• Terminate - terminates the end-user session
• Shutdown - initiates a host port shutdown; this will insert a "shutdown" command on the switch port configuration
• reAuthenticate - re-authenticates the end-user
• UnQuarantine - unquarantines the endpoint

Page 69: Cisco Rapid Threat Containmnet

Rapid Threat Containment with Firepower Management Center and ISE

• Fully supported on FMC 5.4 and ISE 1.3+
• Uses pxGrid + Endpoint Protection Services (EPS)
• Note: ANC is the next-gen version of the older EPS; EPS functions are still there for backward compatibility
• Loads as a Remediation Module on FMC
• Remediation Module takes action via the EPS call through pxGrid
• Supported on FMC 6.1 as an integrated solution; no more remediation module

Page 70: Cisco Rapid Threat Containmnet


FireSIGHT Management Center + pxGrid Workflow

Page 71: Cisco Rapid Threat Containmnet

FireSIGHT Management Center (FMC) + pxGrid ANC Quarantine Mitigation Workflow

(Diagram: PC, Sensor, FMC and ISE+pxGrid.)
1. User authenticates (log-on, log-off) against ISE+pxGrid
2. PC requests www.yahooo.com/cmd.exe; the Sensor raises an intrusion event
3. The intrusion event triggers a correlation event on FMC
4. The correlation event matches the quarantine remediation response (FMC Correlation -> pxGrid Quarantine Policy)
5. FMC sends an ANC Quarantine mitigation action request to ISE over pxGrid

Page 72: Cisco Rapid Threat Containmnet

FireSIGHT Management Center (FMC) + pxGrid ANC UnQuarantine Mitigation Workflow

(Diagram: PC, Sensor, FMC, ISE+pxGrid and a Remediation Server.)
1. User authenticates (log-on, log-off) against ISE+pxGrid
2. PC connects to the remediation URL on the Remediation Server; the Sensor logs a connection event
3. The connection event triggers a connection event rule on FMC
4. The rule matches the unquarantine mitigation response (FMC Correlation -> pxGrid UnQuarantine Policy)
5. FMC sends an ANC UnQuarantine mitigation action request to ISE over pxGrid

Page 73: Cisco Rapid Threat Containmnet

Using Tenable Nessus

Cisco Rapid Threat Containment

Page 74: Cisco Rapid Threat Containmnet


RTC with Tenable Nessus

Page 75: Cisco Rapid Threat Containmnet


Page 76: Cisco Rapid Threat Containmnet


Page 77: Cisco Rapid Threat Containmnet

Use cases

Cisco Rapid Threat Containment

Page 78: Cisco Rapid Threat Containmnet


Data Breach Anatomy

(Diagram: attacker outside the enterprise network; inbound and outbound perimeter; C2 server; admin node and staging server inside.)
1. Research targets (SNS)
2. Spear phishing ([email protected]) with the link http://welcome.to.jangle.com/exploit.php
3. Victim clicks link unwittingly
4. Bot installed, back door established and receives commands from C2 server
5. Scan LAN for vulnerable hosts to exploit & retain alternative back door + find privileged users
6. Privileged account found. Occupy directory service. Access database backups, then copy them to staging server
7. Zip data, slice it into multiple files, and send those out to an external site over HTTPS
8. System compromised and data breached. Retain backdoor to collect more targeted data, otherwise erase all traces or wipe whole disk (e.g. Shamoon malware)

Page 79: Cisco Rapid Threat Containmnet

Threat Defense with TrustSec

(Diagram: the same enterprise network as in the breach anatomy; the admin node is now behind TrustSec policy.)
1. Research targets (SNS)
2. Spear phishing ([email protected]) with the link http://welcome.to.jangle.com/exploit.php
3. Victim clicks link unwittingly
4. Bot installed, back door established and receives commands from C2 server
5. TrustSec prevents workstation-to-workstation scanning, OS fingerprinting, exploitation, and privilege escalation

Leverage TrustSec to slow down attack activities

Page 80: Cisco Rapid Threat Containmnet

Workstation-to-Workstation Traffic Control

(Diagram: wireless segment with AP and BYOD device, wired segment with PC, both on the access switch behind the distribution switch; a pwned PC carrying the Employee tag attacks a peer.)
1. Scan for open ports / OS
2. Exploit vulnerability

SGACL Policy (Employee tag, workstation-to-workstation): Anti-Malware-ACL
    deny icmp
    deny udp src dst eq domain
    deny tcp src dst eq 3389
    deny tcp src dst eq 1433
    deny tcp src dst eq 1521
    deny tcp src dst eq 445
    deny tcp src dst eq 137
    deny tcp src dst eq 138
    deny tcp src dst eq 139
    deny udp src dst eq snmp
    deny tcp src dst eq telnet
    deny tcp src dst eq www
    deny tcp src dst eq 443
    deny tcp src dst eq 22
    deny tcp src dst eq pop3
    deny tcp src dst eq 123
Sample ACEs to block PtH (SMB over TCP) used for privilege escalation

• Replaces Private / Isolated / Community VLAN functionality with centrally provisioned policy
• Supports mobile devices (with DHCP address). A statically defined ACL cannot support the same level of policy

Page 81: Cisco Rapid Threat Containmnet

RTC Use Cases: Dynamic Segmentation using TrustSec

(Diagram: floor 1 and floor 2 switches on the backbone; data center behind the DC FW with a high-security DB and a sinkhole; Ops, threat detection and SIEM; ISE, TS server and GFE workstation.)

ISE context for the endpoint:
OS Type: Windows XP Embedded
User: Mary
AD Group: Employee
Asset Registration: Yes
MAC Address: aa:bb:cc:dd:ee:ff

Threat detection event (via pxGrid/EPS):
Source: Sourcefire
Event: TCP SYN Scan
Source IP: 1.2.3.4
Response: Quarantine

Change SGT to: Non-Compliant
Security Group = Non-Compliant
• Contain and/or use Non-Compliant tag for further forensics
• Non-Compliant tag follows compromised endpoint

SGACL Policy: Anti-Malware-ACL
    deny icmp
    deny udp src dst eq domain
    deny tcp src dst eq 3389
    deny tcp src dst eq 1433
    deny tcp src dst eq 1521
    deny tcp src dst eq 445
    deny tcp src dst eq 137
    deny tcp src dst eq 138
    deny tcp src dst eq 139
    deny udp src dst eq snmp
    deny tcp src dst eq telnet
    deny tcp src dst eq www
    deny tcp src dst eq 443
    deny tcp src dst eq 22
    deny tcp src dst eq pop3
    deny tcp src dst eq 123
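The Anti-Malware-ACL from slides 80 and 81 and the Non-Compliant retag that a quarantine response produces (slides 61, 66 and 81), as an added Python example that is not Cisco's code: it parses the ACEs in the SGACL syntax shown, evaluates a flow against a constructed SGACL matrix, and shows how a Quarantine event retags an endpoint so the anti-malware policy applies to everything it sends. The matrix cells, the endpoint table and the event dictionary format are this example's assumptions.

```python
# Anti-Malware-ACL as listed on the slides; ACE syntax "<action> <proto> src dst eq <port>".
ANTI_MALWARE_ACL = """deny icmp
deny udp src dst eq domain
deny tcp src dst eq 3389
deny tcp src dst eq 1433
deny tcp src dst eq 1521
deny tcp src dst eq 445
deny tcp src dst eq 137
deny tcp src dst eq 138
deny tcp src dst eq 139
deny udp src dst eq snmp
deny tcp src dst eq telnet
deny tcp src dst eq www
deny tcp src dst eq 443
deny tcp src dst eq 22
deny tcp src dst eq pop3
deny tcp src dst eq 123"""
PORT_NAMES = {"domain": 53, "snmp": 161, "telnet": 23, "www": 80, "pop3": 110}

def parse_ace(line):
    """'deny tcp src dst eq 445' -> ('deny', 'tcp', 445); 'deny icmp' -> ('deny', 'icmp', None)."""
    parts = line.split()
    port = parts[parts.index("eq") + 1] if "eq" in parts else None
    return parts[0], parts[1], (int(port) if port and port.isdigit() else PORT_NAMES.get(port))

def sgacl_decision(acl_text, proto, dst_port=None):
    """First matching ACE wins; a flow that matches no ACE falls through to permit."""
    for action, aproto, aport in map(parse_ace, acl_text.splitlines()):
        if aproto == proto and aport in (None, dst_port):
            return action
    return "permit"

# Constructed SGACL matrix: (source SGT, destination SGT or "*") -> SGACL text.
MATRIX = {("Employee", "Employee"): ANTI_MALWARE_ACL,
          ("Employee", "Shared-Server"): "",           # empty SGACL: everything permitted
          ("Non-Compliant", "*"): ANTI_MALWARE_ACL}
ENDPOINTS = {"10.4.51.5": "Supplier", "10.1.8.3": "Employee"}  # constructed IP -> SGT

def apply_anc_event(endpoints, event):
    """Constructed pxGrid-style event, e.g. {"source_ip": "10.4.51.5", "response": "Quarantine"}.
    A Quarantine response retags the endpoint Non-Compliant; the tag then follows it."""
    if event["response"] == "Quarantine":
        endpoints[event["source_ip"]] = "Non-Compliant"
    return endpoints

def flow_allowed(endpoints, src_ip, dst_sgt, proto, dst_port=None):
    src_sgt = endpoints[src_ip]
    acl = MATRIX.get((src_sgt, dst_sgt), MATRIX.get((src_sgt, "*"), ""))
    return sgacl_decision(acl, proto, dst_port) == "permit"
```

Before the event the Supplier endpoint can reach the shared server on 443; after the Quarantine retag the Non-Compliant row applies and only ports outside the ACL (8080, say) still pass, which is the "tag follows the compromised endpoint" behaviour on slide 81.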

Page 82: Cisco Rapid Threat Containmnet

Demo

Cisco Rapid Threat Containment

Page 83: Cisco Rapid Threat Containmnet


Demo Network Architecture

Page 84: Cisco Rapid Threat Containmnet