Targeted Threat Defense for Hosted Applications
Dave Jones, [email protected], June, 2015

DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications


2 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Why we are here?


Why am I here?


Why are we here?

Was looking like this:


Ask dave

5% of SysAdmin accounts or their laptops may be compromised at any moment


http://www.securityweek.com/research-finds-1-percent-online-ads-malicious

1% of 600K ad sites surveyed are hosting malware


Top 10 varieties of threat actions over time Source: 2014 Verizon Data Breach Investigation Report


By the numbers Source Verizon 2015 DBIR


Source: Verizon 2015 DBIR


99.9% OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED

Source: Verizon 2015 DBIR


Nation State Run Book


DataCenter

Infestation & Lateral Movement

1.  User desktop infected; WCE or Mimikatz is started
2.  Privileged user or Application logs in - WCE hijacks credentials
3.  Rootkit remotely installed on server in datacenter
4.  Super user performs task on datacenter server, malware hijacks credentials
5.  Malware spreads throughout datacenter

Malware details
•  Targeting older software (Flash, Word, Acrobat Reader, Java)
•  Malware customized to avoid AV signatures
•  Higher they get – the more unique the malware


DataCenter

Infestation - Remediation

1.  Super user logs in with SmartCard and has scoped access to other hosts

2.  Malware not propagated throughout data center

3.  Prevent privileged user or Application from logging into desktop.

4.  Privileged user instead logs into administrator station.

5.  Malware is not spread to data center

6.  Upgrade Applications and Operating System baseline and Train Users

7.  Initial attack fails


Controls


Secure Administration Controls

Security Control Point

Production Resources

Administration End point


Monitoring and Detection

•  Sandbox Detonation
•  pDNS
•  NetFlow
•  Host-based IPS/IDS on low value computers
•  Windows Event Logs
•  Log all of these to the same place so they can be correlated


Control Use Cases


Blocking Lateral movement Scoped Access with GPOs


Security Configuration Management With Windows Event logs and App Locker

•  Registry keys created or modified
•  Services running where file is outside of system32
•  Executable executed
•  Accounts trying to log into hosts that they are not authorized to log into
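The four indicators on this slide, together with the earlier advice to ship all logs to one place so they can be correlated, as an added example that is not part of the original deck: a small Python detector run over constructed Windows event records. The event IDs are the standard Windows ones (4624 logon, 7045 service installed, 4688 process created, 4657 registry value modified); the host-scoping table, account names, service names and file paths are constructed samples, and the record layout assumes a collector has already normalised the events into dictionaries.

```python
import re

# Constructed sample scoping table (hypothetical accounts and hosts):
# each privileged account may only log on to the hosts it administers,
# which is the "scoped access" the remediation slide describes.
AUTHORIZED_HOSTS = {
    "CORP\\dbadmin": {"DB01", "DB02"},
    "CORP\\webadmin": {"WEB01"},
}

# Constructed sample events in a simplified, already-normalised form.
# event_id follows the Windows meanings: 4624 logon, 7045 service
# installed, 4688 process created, 4657 registry value modified.
SAMPLE_EVENTS = [
    {"host": "DB01", "event_id": 4624, "account": "CORP\\dbadmin", "logon_type": 10},
    {"host": "WEB01", "event_id": 4624, "account": "CORP\\dbadmin", "logon_type": 3},
    {"host": "WEB01", "event_id": 7045, "service": "WinUpdateSvc",
     "image_path": r"C:\Users\Public\svc.exe"},
    {"host": "DB02", "event_id": 7045, "service": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "WEB01", "event_id": 4688, "account": "CORP\\dbadmin",
     "new_process": r"C:\Users\Public\svc.exe"},
    {"host": "WEB01", "event_id": 4657, "account": "CORP\\dbadmin",
     "object": r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdateSvc\ImagePath"},
]

SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
SERVICES_KEY = re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\", re.IGNORECASE)


def check_event(ev):
    """Return (rule, detail) if one event matches an indicator, else None."""
    eid = ev["event_id"]
    if eid == 4624:
        allowed = AUTHORIZED_HOSTS.get(ev["account"])
        if allowed is not None and ev["host"] not in allowed:
            return ("logon_out_of_scope", f"{ev['account']} logged on to {ev['host']}")
    elif eid == 7045 and not SYSTEM32.match(ev["image_path"]):
        return ("service_outside_system32", f"{ev['service']} -> {ev['image_path']}")
    elif eid == 4688 and USER_WRITABLE.match(ev["new_process"]):
        return ("exec_from_user_writable", ev["new_process"])
    elif eid == 4657 and SERVICES_KEY.match(ev["object"]):
        return ("service_registry_modified", ev["object"])
    return None


def analyse(events):
    """Evaluate every event and group findings by host so they can be correlated.
    Returns {host: [(rule, detail), ...]} for hosts with at least one finding."""
    findings = {}
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.setdefault(ev["host"], []).append(hit)
    return findings


def escalate(findings):
    """Hosts where an out-of-scope logon coincides with a persistence indicator
    (service, registry or execution) match the lateral-movement chain on the
    infestation slide and deserve a ticket rather than a single alert."""
    persistence = {"service_outside_system32", "service_registry_modified",
                   "exec_from_user_writable"}
    result = set()
    for host, hits in findings.items():
        rules = {rule for rule, _ in hits}
        if "logon_out_of_scope" in rules and rules & persistence:
            result.add(host)
    return result


if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for host, hits in found.items():
        for rule, detail in hits:
            print(f"{host}: {rule}: {detail}")
    print("escalate:", sorted(escalate(found)))
```

Each rule on its own is noisy (administrators do install services and modify the Services key); the value comes from the correlation step, which only fires when the events land in the same store and can be joined on the host.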


Network device product management

Only allow SSH From SCP

Programmatic Interface


MDM product management suite Client and Management Traffic over HTTPS

Client App

Admin UI

App Replication


Virtual Machine hosting product(s)

UCS

VMware or OpenStack/KVM Tenant1 TenantX Tenant3 Tenant2

CSG Common Identity or DSX

Commodity dual

Internal Admin Token

ACLs Blocking Admin Ports

SCP

Web Server Plugin

Infra Admin

Internal Tenant

Partner

Authentication Mechanism


Mail Server product management

Only allow SSH From SCP

BSDi Mail Appliances Appliance

Mail Servers

Only allow PowerShell from Prov Box

Linux SCP


Application to Application


Simple Application Credential Management

Application 1 Application B

Logged Sudo Access to Credential


Remove the Credential From the Application

Get Creds

Application 1 Application B
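The two credential-management slides above (logged, privileged access to the credential; then removing the credential from the application entirely and fetching it at use time) as an added Python example that is not part of the original deck. The broker stands in for whatever holds the secret in practice (a root-owned file behind a logged sudo helper, or a secrets service); the credential name, application identity, allowlist and secret value are constructed samples.

```python
import time

# Constructed sample: the credential lives only with the broker; the
# application's own configuration contains no password at all.
_BROKER_STORE = {"db/app-b-service-account": "constructed-password-value"}

# Which calling identity may read which credential (hypothetical allowlist).
_ACCESS_POLICY = {"application-1": {"db/app-b-service-account"}}

# Every access attempt is recorded here; in production this record goes to
# the same central log store the deck recommends for correlation.
AUDIT_LOG = []


def can_access(caller, name):
    """Policy check: is this caller allowed to read this credential?"""
    return name in _ACCESS_POLICY.get(caller, set())


def get_creds(caller, name, now=None, ttl=300):
    """Hand a credential to a caller only if policy allows, and record the
    attempt whether it was allowed or denied. The lease has a short expiry
    so a copy sitting in memory stops being useful after a few minutes."""
    now = now if now is not None else time.time()
    allowed = can_access(caller, name)
    AUDIT_LOG.append({"ts": now, "caller": caller, "credential": name,
                      "result": "allowed" if allowed else "denied"})
    if not allowed:
        raise PermissionError(f"{caller} may not read {name}")
    return {"secret": _BROKER_STORE[name], "expires": now + ttl}


class Application:
    """Application 1: holds no credential at start-up, fetches at use time,
    keeps it only in memory and re-fetches once the lease has expired."""

    def __init__(self, identity):
        self.identity = identity
        self._lease = None
        self.fetches = 0  # counts broker round-trips, for the usage check below

    def credential(self, name, now=None):
        now = now if now is not None else time.time()
        if self._lease is None or self._lease["expires"] <= now:
            self._lease = get_creds(self.identity, name, now=now)
            self.fetches += 1
        return self._lease["secret"]


if __name__ == "__main__":
    app = Application("application-1")
    app.credential("db/app-b-service-account")
    print(AUDIT_LOG[-1])
```

The point of the lease is that a stolen process image or config backup no longer carries a long-lived password, and the audit record answers "who read this credential, and when" from one place.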


App to App - Target

OAuth Token request flow

Application 1 Application B

TLS Encrypted Tunnel Machine Certificate

Machine Certificate

User JanDoe

Delegated JanDoe

Encrypted Storage


Certificate Storage

• HSM
• TPM
• USB
• Files….
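The target flow on the "App to App" slide (Application 1 requests a token while acting for the delegated user JanDoe, both sides identified by machine certificates over TLS) and the certificate-storage slide, as one added Python example that is not part of the original deck or of any Cisco product. The two byte strings stand in for the machine certificates that an HSM, TPM or file store would hold; the handshake itself is assumed to have happened already, so the code works on the certificate each side presented. The token is bound to the requesting certificate using the `cnf` / `x5t#S256` claim from RFC 8705, so that a token copied off Application 1 cannot be replayed from another machine. The issuer key, client identities, delegation policy and scope are constructed values, and an HMAC signature is used purely so the example runs on the standard library (a real token service would sign asymmetrically).

```python
import base64
import hashlib
import hmac
import json
import time

# --- constructed trust material (hypothetical, not from any real PKI) -------
ISSUER_KEY = b"constructed-issuer-hmac-key"      # held by the token service
APP1_CERT = b"constructed stand-in for Application 1's machine certificate"
OTHER_CERT = b"constructed stand-in for some other machine's certificate"


def fingerprint(cert_bytes):
    """SHA-256 thumbprint of the certificate presented in the TLS handshake."""
    return hashlib.sha256(cert_bytes).hexdigest()


# Token service policy: known clients by certificate thumbprint, and which
# delegated users each client may act for (constructed sample).
TRUSTED_CLIENTS = {fingerprint(APP1_CERT): "application-1"}
DELEGATION_POLICY = {"application-1": {"JanDoe"}}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64):
    return _b64(hmac.new(ISSUER_KEY, payload_b64.encode(), hashlib.sha256).digest())


# --- token service: Application 1 asks for a token to call Application B ----
def issue_token(client_cert, delegated_user, audience, scope, now=None, ttl=600):
    now = now if now is not None else time.time()
    fp = fingerprint(client_cert)
    client_id = TRUSTED_CLIENTS.get(fp)
    if client_id is None:
        raise PermissionError("unknown machine certificate")
    if delegated_user not in DELEGATION_POLICY.get(client_id, set()):
        raise PermissionError(f"{client_id} may not act for {delegated_user}")
    claims = {"iss": "token-service", "sub": delegated_user, "act": client_id,
              "aud": audience, "scope": scope, "exp": now + ttl,
              "cnf": {"x5t#S256": fp}}   # bind the token to the requesting cert
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _sign(payload)


# --- Application B: validate what arrives over its own mTLS tunnel ----------
def verify_token(token, presented_cert, expected_audience, now=None):
    now = now if now is not None else time.time()
    payload, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(payload)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["aud"] != expected_audience:
        raise ValueError("token not meant for this application")
    # A token copied off Application 1 is useless without its machine cert:
    if claims["cnf"]["x5t#S256"] != fingerprint(presented_cert):
        raise ValueError("token not bound to the presenting certificate")
    return claims


def is_rejected(token, presented_cert, expected_audience, now):
    """Helper for the checks below: True if Application B refuses the token."""
    try:
        verify_token(token, presented_cert, expected_audience, now=now)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tok = issue_token(APP1_CERT, "JanDoe", "application-b", "read", now=1000)
    print(verify_token(tok, APP1_CERT, "application-b", now=1100))
```

Application B never sees a user password and never receives Application 1's credential; it checks the issuer's signature, the expiry, that the token was minted for it, and that the certificate on its own TLS tunnel is the one the token was bound to.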


Best Practice - pxGrid


Certificates pxGrid Example


Cisco Platform Exchange Grid – pxGrid Network-Wide Context Sharing

That Didn’t Work So Well!

pxGrid Context Sharing

Single Framework

Direct, Secured Interfaces

I have NBAR info! I need identity…

I have firewall logs! I need identity…

SIO

I have sec events! I need reputation…

I have NetFlow! I need entitlement…

I have reputation info! I need threat data…

I have MDM info! I need location…

I have app inventory info! I need posture…

I have identity & device-type! I need app inventory & vulnerability…

I have application info! I need location & auth-group…

I have threat data! I need reputation…

I have location! I need identity…

BENEFITS of pxGrid, it can…

•  Establish that secure TLS tunnel for you

•  Be leveraged as your communications bus with XMPP Including discovery of services available

•  Verify Integrity of each endpoint communicating in the Grid

•  Be used without you writing *that* code


In Action

pxGrid

Radius

1. 802.1X

User Session

Publish User SGT

Device Location

Auth

User Meta Data

User Group

ISE Server

Switch

Internet

FireSIGHT Management Center

Sensor

User Meta Data


pxGrid – More Information

•  Development SDK and client information: https://developer.cisco.com/site/pxgrid/


Best Practice - SDN


Security Monitoring on Demand Solution: Topology Independent Investigation

Opportunity: Deliver a scalable, topology-independent, automated means of capturing traffic and delivering it into the appropriate incident response analysis tooling, addressing
•  East-West
•  Branch Split Tunnel
•  Inspection gap

The How: Controller Managed access layer; Automated Targeted Copy and Transport to Investigation Service with Declarative Control

APIC-EM Solution:
•  Context Informed Targeting through ISE context plus network filter
•  Copy through ERSPAN
•  Topology Independence – Routable Encapsulation
•  Automation through Controller minimizing configuration risk
•  Declarative Control – ISE session awareness

APIC-DC Solution Concept:
•  Targeted - Applied to the endpoint(s) wanting to monitor, not the endpoint(s) EPG. Push XML to activate policy label for ‘this contract’ or ‘this graph’, etc.
•  Copy – introduce copy policy for full copy of requested traffic
•  Topology Independence - Insert a service to process the copied traffic
•  Automation through APIC-DC Controller dynamically adding investigation service in path or out of band
•  APIC-DC providing Declarative Control

fireSIGHT ISE

Application

APIC-EM

SecOps

Internet

Lab

Intranet

SCP

Source: Ken Beck

SecOps