
Hunting the Hackers: How Cisco Talos is Leveling Up Security

Elastic Co
February 17, 2016


At Cisco's Talos, a traditional security analyst culture has collided with lots of data. In this talk, Kate and Samir will describe how they’ve navigated this transition using Elasticsearch to leverage data to detect bad guys – with a special look at how Talos tracked the SSHPsychos SSH brute forcing campaign.



Transcript

  1. Kate Nolan, Samir Sapra, Research Engineer{s}, February 17, 2016. Hunting the Hackers: How Talos is leveling up security
  2. THREAT LANDSCAPE: 19.7 Billion / 7.2 Trillion TOTAL THREAT BLOCKS. DAILY WEB BREAKDOWN: 181 Million Spyware Blocks, 82 Thousand Virus Blocks, 818 Million Web Blocks
  3. Cloud to Core Coverage: 16 BILLION web requests a day, 600 BILLION email messages a day, 13 BILLION AMP queries a day
  4. Cloud to Core Coverage
     •  WEB: Reputation, URL Filtering
     •  END POINT: ClamAV
     •  CLOUD: FireAMP & ClamAV detection content
     •  EMAIL: Reputation, AntiSpam
     •  NETWORK: Snort Subscription Rule Set, Detection & Prevention Content
  5. Cloud to Core Coverage. Talos is divided into 5 departments
     •  Data Analytics & Correlation
     •  Threat Actor Attribution
     •  Detection & Prevention Content
     •  Vulnerability Research
     •  Malware Research
     •  Discovery
     •  Triage
     •  Exploit Development
     •  Threat Reports
     •  Media Relations
     •  Intelligence Systems
     •  Engine Development
  6. Piles of data
     Types of data?
     •  file samples {over 1M a day}
     •  dynamic analysis {~100k runs/day}
     •  network related {whois, DNS, IP, etc}
     •  IPS/IDS telemetry
     •  spam
     •  hunting data / actor tracking
     Sources of data?
     •  feeds {paid, customer, partner}
     •  customer telemetry
     •  self-generated intelligence
     •  open source intelligence
     •  twitter feeds
     •  forum postings
  7. Sandbox data. Dynamic malware analysis (e.g. ThreatGrid, Cuckoo)
     - automated & user submitted runs
     - each run has a score; above a certain threshold is 'bad'
     - reports track: processes (registry, mutexes, files opened), dropped files, IP addresses, domains, Indicators of Compromise (IOCs)
     ES Stats: 10 nodes, 3 TB, 100k reports/day, ~8 months of data
  8. Sandbox Hunting Examples
     •  Domain Generating Algorithms
     •  Malware Family Clustering based on IOCs or WordPress domains
     •  Connecting runs to a CIDR netblock
     •  Find new samples of malware based on mutex behavior
     •  Detecting new Exploit Kits by behavior identified in data in Elasticsearch
  9. An example query to hunt for Exploit kits, used in scripts for automated detection (every clause in `must` is required; the `should` range only boosts hits whose score falls in the window):
     {
       "query": {
         "bool": {
           "must": [
             { "match": { "ioc": "Benign windows process is dropping new PE files" } },
             { "match": { "processes.parent_name": "iexplore.exe" } },
             { "match": { "processes.name": "iexplore.exe" } }
           ],
           "should": [
             { "range": { "score": { "gte": 10, "lte": 99 } } }
           ]
         }
       }
     }
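To make the semantics of that bool query concrete, here is an added example (not Talos code, and not part of the deck) that builds the same query as a Python dict with the score window parametrised, and runs a small local evaluator over constructed sandbox reports. The reports are made up; the field names follow the slide (`ioc`, `score`, `processes.name`, `processes.parent_name`) and `processes` is assumed to be a list of process objects. The evaluator treats `match` as an exact value comparison, which is a simplification of Elasticsearch's analysed text matching.

```python
"""Local evaluator for the exploit-kit hunt query on the slide.

Added example, not Talos code. The sandbox reports are constructed; field
names follow the slide and `processes` is assumed to be a list of objects.
"""
import math

IOC_TEXT = "Benign windows process is dropping new PE files"


def exploit_kit_hunt_query(min_score=10, max_score=99):
    """The slide's bool query as a dict, with the score window parametrised.

    Every `must` clause is required for a hit. Once a `must` is present the
    `should` range does not filter on its own; it only raises relevance.
    """
    return {"query": {"bool": {
        "must": [
            {"match": {"ioc": IOC_TEXT}},
            {"match": {"processes.parent_name": "iexplore.exe"}},
            {"match": {"processes.name": "iexplore.exe"}},
        ],
        "should": [{"range": {"score": {"gte": min_score, "lte": max_score}}}],
    }}}


def field_values(doc, path):
    """Yield every value reachable by a dotted path, fanning out over lists,
    so "processes.name" yields the name of each process in the run."""
    nodes = [doc]
    for key in path.split("."):
        next_nodes = []
        for node in nodes:
            items = node if isinstance(node, list) else [node]
            for item in items:
                if isinstance(item, dict) and key in item:
                    next_nodes.append(item[key])
        nodes = next_nodes
    for node in nodes:
        if isinstance(node, list):
            yield from node
        else:
            yield node


def clause_matches(doc, clause):
    """Toy semantics: `match` is an exact field-value comparison and `range`
    checks numeric bounds (real Elasticsearch analyses text for `match`)."""
    (kind, body), = clause.items()
    (field, arg), = body.items()
    values = list(field_values(doc, field))
    if kind == "match":
        return arg in values
    if kind == "range":
        lo, hi = arg.get("gte", -math.inf), arg.get("lte", math.inf)
        return any(isinstance(v, (int, float)) and lo <= v <= hi for v in values)
    raise ValueError(f"unsupported clause: {kind}")


def evaluate(query, doc):
    """Return (hit, should_hits): a hit needs every `must` clause; the count
    of satisfied `should` clauses is what would drive ranking."""
    bool_q = query["query"]["bool"]
    hit = all(clause_matches(doc, c) for c in bool_q.get("must", []))
    should_hits = sum(clause_matches(doc, c) for c in bool_q.get("should", []))
    return hit, should_hits


# Constructed sandbox reports (not real ThreatGrid/Cuckoo output).
REPORTS = {
    # Browser spawning a browser that drops a PE: the exploit-kit pattern.
    "run-ek": {"score": 85, "ioc": [IOC_TEXT, "Domain contacted"],
               "processes": [{"name": "explorer.exe", "parent_name": "userinit.exe"},
                             {"name": "iexplore.exe", "parent_name": "explorer.exe"},
                             {"name": "iexplore.exe", "parent_name": "iexplore.exe"}]},
    # Same IOC, but the dropper is a document reader: not this hunt's target.
    "run-macro": {"score": 90, "ioc": [IOC_TEXT],
                  "processes": [{"name": "winword.exe", "parent_name": "explorer.exe"},
                                {"name": "cmd.exe", "parent_name": "winword.exe"}]},
    # Browser tree present but nothing dropped: the `ioc` must clause fails.
    "run-clean": {"score": 5, "ioc": [],
                  "processes": [{"name": "iexplore.exe", "parent_name": "explorer.exe"},
                                {"name": "iexplore.exe", "parent_name": "iexplore.exe"}]},
}


def hunt(reports, query=None):
    """Names of the runs the query would retrieve, most `should` hits first."""
    query = query or exploit_kit_hunt_query()
    hits = []
    for name, doc in reports.items():
        hit, should_hits = evaluate(query, doc)
        if hit:
            hits.append((name, should_hits))
    return [name for name, _ in sorted(hits, key=lambda h: -h[1])]


if __name__ == "__main__":
    print(hunt(REPORTS))  # ['run-ek']
```

The point the evaluator makes is that `run-macro` scores higher than `run-ek` yet is not returned: the `should` range contributes nothing unless all three `must` clauses hold, so the score window refines ranking rather than acting as a filter. Tightening the hunt would mean moving the range into `must` (or a `filter`), which is a different query.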
  10. Honeypot data. Honeypots are decoy systems that gather an attacker's attempts. Many types of honeypots:
     •  ssh
     •  industrial systems
     •  telnet
     •  Exploit kit
     •  Gas pump
     •  Cisco router
     •  Elasticsearch
     Sample telnet honeypot document as stored in Elasticsearch (fragment, as shown on the slide):
       "_index": "logstash-telnet-sqs-2016.02.10",
       "_type": "telnet-sqs",
       "_source": {
         "Event.Type": "ConnectionLost",
         "@timestamp": "2016-02-10T23:51:10.000Z",
         "Event.Session": "1272f0ccd05111e5bb400242ac110001",
         "Net.IP.Src": "117.158.195.59",
         "User.Name": "admin",
         "User.Pass": "1234",
         "Net.Port.Src": 23,
         "@version": "1",
         "type": "telnet-sqs",
  11. SSHPsychos
     •  Brute Force SSH Attacks until password guess
     •  300K Unique Passwords
     •  Login from different address space
     •  Drop DDoS Rootkit on server
     •  Accounted for 1/3 of all SSH Traffic ON THE INTERNET
     [Diagram: SSH Brute Force Attempts, steps 1 to 3 between 103.41.124.0/23 and 23.234.60.140]
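The honeypot records on slide 10 and the SSHPsychos pattern on slide 11 (one address space brute-forces credentials, a different one later logs in with a guessed password) suggest two detections a defender can run over the same Elasticsearch data. The following is an added example, not Talos code and not from the deck: it parses JSON-lines honeypot events, counts distinct credentials tried per /23 netblock, and flags successful logins that reuse a credential earlier tried from another netblock. The events are constructed and use RFC 5737 documentation addresses rather than the slide's IPs; the field names follow the slide, while the `Event.Type` values `LoginFailed` and `LoginSuccess`, the /23 grouping and the threshold of 20 are assumptions of this example.

```python
"""Brute-force and credential hand-off detection over honeypot login events.

Added example, not Talos code. Events are constructed; field names follow
the slide, the Event.Type values, /23 grouping and threshold are assumed.
"""
from collections import defaultdict
import ipaddress
import json


def _event(ts, etype, src, user, password):
    return {"@timestamp": ts, "Event.Type": etype, "Net.IP.Src": src,
            "User.Name": user, "User.Pass": password}


# Constructed log: two hosts in one /23 cycle through a small wordlist against
# root, a lone telnet probe from elsewhere, then a login from a third netblock
# using a password the brute-forcer had already tried.
_EVENTS = (
    [_event(f"2016-02-10T23:50:{i:02d}.000Z", "LoginFailed",
            "192.0.2.17" if i % 2 else "192.0.2.18", "root", f"pw{i:02d}")
     for i in range(25)]
    + [_event("2016-02-10T23:50:30.000Z", "LoginFailed", "192.0.2.17", "root", "admin123"),
       _event("2016-02-10T23:51:10.000Z", "LoginFailed", "203.0.113.9", "admin", "1234"),
       _event("2016-02-11T02:14:31.000Z", "LoginSuccess", "198.51.100.77", "root", "admin123")]
)
HONEYPOT_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def parse_events(text):
    """One JSON document per line, as a Logstash-style export would give."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def netblock(ip, prefix=23):
    """Collapse a source address to its /prefix network (assumed /23, as on the slide)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def brute_force_netblocks(events, min_distinct_creds=20, prefix=23):
    """Netblocks that tried at least `min_distinct_creds` distinct user/password
    pairs. Counting distinct credentials rather than raw attempts is what
    separates wordlist cycling from a misconfigured client retrying one password."""
    tried = defaultdict(set)
    for e in events:
        if e["Event.Type"] == "LoginFailed":
            tried[netblock(e["Net.IP.Src"], prefix)].add((e["User.Name"], e["User.Pass"]))
    return {nb: len(creds) for nb, creds in tried.items() if len(creds) >= min_distinct_creds}


def guessed_credential_logins(events, prefix=23):
    """Successful logins that use a credential earlier tried (and failed) from a
    different netblock: the hand-off from guessing infrastructure to the host
    that actually logs in."""
    seen_from = defaultdict(set)  # (user, password) -> netblocks that tried it
    findings = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        cred = (e["User.Name"], e["User.Pass"])
        src_block = netblock(e["Net.IP.Src"], prefix)
        if e["Event.Type"] == "LoginFailed":
            seen_from[cred].add(src_block)
        elif e["Event.Type"] == "LoginSuccess":
            others = seen_from[cred] - {src_block}
            if others:
                findings.append({"src": e["Net.IP.Src"], "user": e["User.Name"],
                                 "guessed_from": sorted(others), "at": e["@timestamp"]})
    return findings


if __name__ == "__main__":
    evs = parse_events(HONEYPOT_LOG)
    print(brute_force_netblocks(evs))      # {'192.0.2.0/23': 26}
    print(guessed_credential_logins(evs))  # one finding for 198.51.100.77
```

Grouping by netblock rather than by single address is what lets a scanner that rotates through a /23 still cross the threshold, and it is the same aggregation the slide's "Connecting runs to a CIDR netblock" hunt relies on. The credential hand-off check needs the failed attempts retained long enough to cover the gap before the second-stage login; the ~8 months of sandbox retention quoted earlier is the kind of window that makes it workable.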
  12. VICTORY. After Action
     »  Engaged Level 3 and another major ISP
     »  Sudden Pivot
     »  Null Routed
     »  Effectively limited
     »  Download blocked by standard technology