BRKSEC-2931: Building, Proving, and Extending Detections in Secure Analytics
Robert Harris, Technical Marketing Engineer
#CiscoLive
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Slide 2: You can do more with your Secure Analytics detections

Slide 3: Session abstract
Detections are the first half of the battle in Network Detection and Response (NDR), and they must grow to be kept current as tactics evolve over time. We will perform a deep dive into Secure Network Analytics (on premise) and Secure Cloud Analytics (SaaS) to learn about the behind-the-scenes work involved in building new telemetry-based detections, testing detections with a variety of methods to prove an alert, leveraging Talos intelligence to build higher confidence, multi-telemetry ingest for extended detection efficacy and context, MITRE ATT&CK mapping, and delivering better XDR outcomes with Cisco XDR. Participants should have a good understanding of network-based detections, NetFlow/IPFIX, and other forms of telemetry.

Slide 4: End of week reminder
- 10-minute car ride to Las Vegas airport
- Rideshare pickup is at the Mandalay Bay Convention Center entrance
- Sync your watch via NTP: 129.6.15.27, 129.6.15.28, 129.5.15.29

Slide 5: Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 30, 2023.
https:/

Slide 6: Icons used in the presentation

Slide 7: Agenda
- Building new detections
- Proving detections
- Multi-telemetry ingest
- Extended detections
- Threat intelligence
- MITRE ATT&CK mapping
- Cisco XDR
- Wrap up

Slide 8: whoami
- Robert Harris
- Five years at Cisco, Secure Analytics products
- Security researcher before coming to Cisco; 13,000 published threat intelligence articles
- Board of Directors for Angels Among Us Pet Rescue
- Rescue German Shepherd Dogs, travel, photography, high power rocketry, fishing, and enjoy the outdoors

Section: Building new detections

Slide 11: Analytics and Detections
Behavioral analytics:
- Anomaly detection through statistical learning
- Cloud specific behavior analysis
- Role-based analytics
- Data movement analytics
Cloud Alerts:
- Alerts tailored to AWS, GCP and Azure
- Leverage native cloud security controls
- Detect security relevant configuration changes
- Assess your cloud security posture
Talos threat intel:
- Malware classification
- Knowledge and correlation of global campaigns to local threats
- Threatening IP, URL and Domain Communication Detections
Global Threat Alerts:
- Machine learning based threat detection
- Intel gathered from across the Cisco ecosystem
- Detect threats within encrypted traffic without decrypting

Slide 12: More context, better Detections: New Alerts and Detections
Detection Update for Secure Cloud Analytics: 5 improved alerts, 4 new alerts, 3 new observations, 2 improved observations.
Alerts and observations named on the slide (including the new enabled-by-default alerts):
- AWS Repeated API Failures
- Abnormal ISE User
- ISE Jailbroken Device
- Metasploit Executed
- Azure Transfer Data to Cloud Account
- ISE Suspicious Activity
- Emergent Profile
- S3 Bucket Lifecycle Configured
- New AWS Lambda Invoke Permission Added
- ISE Session Started
- Suspicious Endpoint Activity
- Drive by Download
- Heartbeat
- AWS New User Action
4 new detections based on Cisco ISE session telemetry and Cisco Secure Client Remote Worker Telemetry from Cisco Secure Client.

Slide 13: Telemetry to alert pipeline
Telemetry sources and collectors:
- On-prem SPAN/Tap: ONA Sensor
- On-prem NetFlow: ONA Collector
- On-prem NetFlow: CTB Collector
- Amazon VPC Flow Logs: Cloud Collector
- Azure Network Security Groups: Cloud Collector
- Google VPC Flow Logs: Cloud Collector
Telemetry, Analysis, Observation, Alert:
1. Extract telemetry
2. Transform into common format
3. Store in Amazon Simple Storage Service (S3)
4. Load into Hot Storage Database (Amazon Redshift)
5. Derive sub-tables (as needed)
6. Read from Redshift or S3
7. Run various Python logic on data for analysis
8. For interesting parts, generate Observations into the front-end

Slide 14: Converged Analytics
- Cloud first development of new detections, increasing new alert velocity
- Holistic detection coverage for all Secure Analytics customers
- Unified detections message
- Delivering MITRE ATT&CK framework mappings with alerts
- Cloud first alert development
- Enabling On-prem users

Slide 15: Comprehensive Hybrid Cloud protection through detections
Public Cloud Alerts:
- Abnormal User
- AWS EC2 Startup Script Modified
- AWS Lambda Invocation Spike
- AWS Snapshot Exfiltration
- Azure Exposed Services
- Azure Transfer Data To Cloud Account
- Geographically Unusual AWS/Azure API Usage
- Unusually Large EC2 Instance
- +40 more detections
Firewall logging:
- Potentially Harmful Hidden File Ext
- Repeated Watchlist Communications
- Suspicious User Agent
- Talos Intelligence Watchlist Hits
- Unusual External Server
- Unusual File Extension from New External Server
- +72 on-prem detections
Private Network/On-prem:
- Amplification Attack
- Exceptional Domain Controller
- Geographically Unusual Remote Access
- LDAP Connection Spike
- Meterpreter C&C Success
- Potential Data/Database Exfiltration
- Protocol Forgery
- Repeated Umbrella Sinkhole Communications
- Unusual DNS Connection
- Vulnerable Transport Security Protocol
- +60 more detections
The efficacy of all SCA alerts stands at approximately 96%, with a monthly customer response rate on over 5000 alerts!
Slide 16: Custom Security Events in Secure Network Analytics
- Custom detection specific to your environment
- Network segmentation visibility
- Detect unauthorized traffic flows
- Verify network security compliance
Segments in the slide's example: PCI Servers, Account Database, PoS Service
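The slide above treats a Custom Security Event as a rule over host groups that flags flows the segmentation design does not allow. The Python below is an added illustration, not code from the deck or from Secure Network Analytics: it models one such event over constructed flow records. The host groups (PCI Servers, Account Database, PoS Service) get assumed prefixes, the rule says PoS hosts may only reach the Account Database on TCP/5432, and a flow_search helper counts how many flows would match before the event is switched on, which is how the deck's "run a flow search first" tip avoids flooding the alarm table.

```python
"""Model a Custom Security Event (CSE) over flow records.

Added example, not code from the deck or from Secure Network Analytics. Host
group prefixes, the rule and the sample flows are all constructed here.
"""
import ipaddress

# Host groups from the slide's segmentation scenario; the prefixes are assumed.
HOST_GROUPS = {
    "PCI Servers": [ipaddress.ip_network("10.10.1.0/24")],
    "Account Database": [ipaddress.ip_network("10.10.2.0/24")],
    "PoS Service": [ipaddress.ip_network("10.10.3.0/24")],
}


def in_group(ip, group):
    """True if the address falls inside any prefix of the named host group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOST_GROUPS[group])


# The event is modelled on the expected behaviour: PoS hosts talk only to the
# Account Database on TCP/5432. The name starts with "CSE:" and the description
# states what a hit means, as the deck's tips recommend.
CSE_RULES = [
    {
        "name": "CSE: PoS Service to unauthorized peer",
        "description": "A PoS Service host exchanged traffic with a peer outside the "
                       "Account Database group, or with the database on a port other than 5432.",
        "subject_group": "PoS Service",
        "allowed_peer_group": "Account Database",
        "allowed_ports": {5432},
        "bidirectional": True,   # also match when a PoS host is the flow's destination
    },
]


def evaluate(rule, flow):
    """Return an event dict if the stitched flow (client -> server) violates the rule."""
    directions = [(flow["src"], flow["dst"])]
    if rule.get("bidirectional"):
        directions.append((flow["dst"], flow["src"]))
    for subject, peer in directions:
        if not in_group(subject, rule["subject_group"]):
            continue
        if in_group(peer, rule["allowed_peer_group"]) and flow["dport"] in rule["allowed_ports"]:
            continue   # expected behaviour, no event
        return {"event": rule["name"], "subject": subject, "peer": peer,
                "dport": flow["dport"], "proto": flow["proto"],
                "description": rule["description"]}
    return None


def flow_search(flows, rule):
    """Count the flows a rule would fire on: the 'run a flow search first' check."""
    return sum(1 for f in flows if evaluate(rule, f) is not None)


def run_rules(flows, rules=CSE_RULES):
    """Apply every rule to every flow and collect the resulting security events."""
    events = []
    for flow in flows:
        for rule in rules:
            event = evaluate(rule, flow)
            if event is not None:
                events.append(event)
    return events


# Constructed flow records, modelled as stitched connections (client -> server).
SAMPLE_FLOWS = [
    {"src": "10.10.3.5", "dst": "10.10.2.10", "dport": 5432, "proto": 6},    # PoS -> DB, expected
    {"src": "10.10.3.5", "dst": "10.10.2.10", "dport": 22, "proto": 6},      # PoS -> DB over SSH, unexpected
    {"src": "10.10.3.6", "dst": "203.0.113.7", "dport": 443, "proto": 6},    # PoS -> outside host, unexpected
    {"src": "10.10.1.20", "dst": "10.10.2.10", "dport": 5432, "proto": 6},   # PCI server -> DB, not a subject
    {"src": "198.51.100.9", "dst": "10.10.3.5", "dport": 8080, "proto": 6},  # outside -> PoS, caught bidirectionally
]

if __name__ == "__main__":
    print("flow search hits:", flow_search(SAMPLE_FLOWS, CSE_RULES[0]))
    for event in run_rules(SAMPLE_FLOWS):
        print(event["event"], event["subject"], "->", event["peer"], event["dport"])
```

On the sample set the flow search reports three hits, which is the number to sanity-check against the expected volume before the event is enabled; a count in the thousands means the "expected behaviour" model is wrong, not that the network is compromised.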
Slide 17: Tips for building Custom Security Events
- Start with your critical assets
- Consider technical and administrative controls
- Model around the actual expected behavior
- Run a flow search first to avoid floods
- Start the name with "CSE:" or ".CSE:"
- Include a good description

Slide 18: Global Threat Alerts: Malware installation through Log4Shell

Slide 19: Global Threat Alerts: Log4Shell vulnerability scan

Demo: Converged Analytics

Demo: Custom Security Events

Section: Proving detections

Slide 23: Challenges of demonstrating detections
Mixing tests with production data:
- Can skew baseline data
- Some detections take time to fire
Actual attacks might be impractical:
- Might violate administrative policies
- Some attacks render systems vulnerable
- Compliance reasons

Slide 24: Secure Analytics detections demo series
- Showcase alerting through product demonstration of real-world attacks
- Comprehensive package covering a specific alert lifecycle and expert insights
- Available in the Secure Analytics Detections Demo playlist on http://cs.co/SecureAnalyticsVideos

Slide 25: Recommendations for a testing platform
Test outside the production environment if possible:
- Secure Network Analytics: run VE appliances that mimic production
- Secure Cloud Analytics: stand up a testing portal
Generate background traffic:
- Consider feeding with production traffic
- Use a subset of traffic related to use cases
- Easy with UDP Director or Cisco Telemetry Broker
Match your production configurations.
Make it easy to replace.

Slide 26: Methods we use to prove detections
- Real world attack tools
- tcpreplay with PCAPs of NetFlow records
- Scripts to generate flow records
- Internally built tools
- Manual triggers

Demo: Proving detections

Section: Multi-telemetry ingest

Slide 29: Secure Network Analytics ingest and visibility
- Public Clouds: VPC, NSG flow logs
- On-premises network: Admin, Data center, Network, Users
- Remote Workers
- Campus/Branch
- Cisco Firewall Log Data
- Endpoint Data (NVM)
- Under investigation

Slide 30: Secure Cloud Analytics ingest and visibility
- Public Clouds: Sensor pod in K8; VPC, GCP, NSG flow logs and via CSP APIs (CloudTrail, CloudWatch, Advisor, GuardDuty and dozens more); Serverless, container virtualization
- Private Cloud
- On-premises network: Admin, Data center, Network, Users
- Secure Analytics Sensor: Mirror/SPAN, Firewall/Syslog, NetFlow/IPFIX, ISE, Cisco Telemetry Broker, AnyConnect/NVM, Catalyst 9200/9300/9800

Slide 31: Extensible Telemetry Ingest
Sources feeding Network Telemetry: AnyConnect Secure Mobility Client, Identity Services Engine, AHGA/ADC*, Proxy Integration*, Secure Web Appliance, Other Web Proxies, ETA Capable Devices, Secure Firewall, FlowSensor, NetFlow Enabled Devices, IPAM DB, Threat Intel (*On-prem offering delivered through Advanced Services).
Telemetry attributes as listed on the slide:
- HTTP(S) Requests, HTTP(S) Responses, HTTP(S) URL, Custom HTTP(S) Headers, Username
- TLS Version, Key Exchange, Authentication Alg., MAC
- Username, MAC Address, TrustSec Groups
- OS Type, Process name, Process hash, Process account, Parent process name, Parent process hash, OS Version, Connected interface
- Flow Action, Translated Port/IP, SYSLOG, Malware events, File events, L7 Application, HTTP Requests, HTTP Responses
- SRT/RTT, TCP Flags, Payload
- SRC/DST IP Address, SRC/DST Port, Bytes/Pkts Sent, Bytes/Pkts Received (NetFlow, IPFIX)
- Host Groups
- VPC flow log transformation via CTB

Slide 32: Security Analytics and Logging
On Prem:
- Single Node: max 20,000 eps at 25 days retention
- Data Store: max 100,000 eps over 30 days retention
SaaS:
- Cloud retention, scale as you grow
- 100,000 eps per SEC, scalable
- 90 days retention by default, extendable to 1, 2 or 3 years
Easily expand available event history and meet your industry's compliance standards with scalable Cisco FTD and ASA Firewall log retention.
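The "Methods we use to prove detections" slide earlier in this section lists scripts that generate flow records, alongside tcpreplay of captured NetFlow, as a way to exercise a detection without running a real attack. The following Python is an added example, not code from the deck or from Cisco: it packs a constructed scenario into NetFlow v5 export packets (the 24-byte header and fixed 48-byte records) that a lab collector can ingest, and decodes them again so a test can confirm what was sent. The addresses, ports, counters, collector port 2055 and the scenario itself are all assumptions.

```python
"""Generate NetFlow v5 export packets for a test collector.

Added example (not from the deck or from Cisco): builds the bytes for a
constructed flow scenario so a detection can be exercised in a lab, matching
the deck's advice to test outside production. Every value below is made up.
"""
import socket
import struct
import sys
import time
from ipaddress import ip_address

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte records, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")                  # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # src, dst, nexthop, ifindexes, pkts, octets, first, last, ports, ...
MAX_RECORDS = 30


def build_v5_record(src, dst, sport, dport, proto, packets, octets,
                    first_ms, last_ms, tcp_flags=0):
    """Pack one flow record; nexthop, ifindex, AS and mask fields are left zero."""
    return V5_RECORD.pack(
        ip_address(src).packed, ip_address(dst).packed, bytes(4),
        0, 0,                      # input / output SNMP ifindex
        packets, octets,
        first_ms, last_ms,         # sysuptime at first / last packet of the flow
        sport, dport,
        0, tcp_flags, proto, 0,    # pad1, tcp_flags, protocol, tos
        0, 0, 0, 0, 0)             # src_as, dst_as, src_mask, dst_mask, pad2


def build_v5_packet(records, flow_sequence=0, sys_uptime_ms=0,
                    unix_secs=None, engine_id=1):
    """Wrap 1..30 packed records in a v5 header."""
    if not 1 <= len(records) <= MAX_RECORDS:
        raise ValueError("a v5 packet carries 1..30 records")
    if unix_secs is None:
        unix_secs = int(time.time())
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, engine_id, 0)
    return header + b"".join(records)


def parse_v5_packet(data):
    """Decode a v5 packet back into dicts so a test can check what was exported."""
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = \
        V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": str(ip_address(r[0])), "dst": str(ip_address(r[1])),
                      "packets": r[5], "octets": r[6],
                      "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return {"sequence": seq, "count": count, "flows": flows}


def build_test_scenario(unix_secs=1700000000):
    """Constructed scenario: two PoS hosts reach the database, and one of them
    also reaches an outside address on 443, the flow a segmentation event should flag."""
    recs = [
        build_v5_record("10.10.3.5", "10.10.2.10", 49152, 5432, 6, 40, 6000, 1000, 5000, 0x1b),
        build_v5_record("10.10.3.5", "203.0.113.7", 49153, 443, 6, 12, 1500, 2000, 2600, 0x1b),
        build_v5_record("10.10.3.6", "10.10.2.10", 40000, 5432, 6, 8, 900, 3000, 3400, 0x1b),
    ]
    return build_v5_packet(recs, flow_sequence=0, sys_uptime_ms=6000, unix_secs=unix_secs)


def send_v5_packet(data, collector_host, collector_port=2055):
    """Emit the packet over UDP to the lab collector; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (collector_host, collector_port))


if __name__ == "__main__":
    packet = build_test_scenario()
    print(parse_v5_packet(packet))
    if len(sys.argv) > 1:          # usage: python netflow_v5_gen.py <collector-ip> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 2055
        print("sent", send_v5_packet(packet, sys.argv[1], port), "bytes")
```

The flow_sequence counter matters in practice: collectors use it to detect dropped exports, so a generator that replays several packets should increment it by the number of records already sent rather than leaving it at zero.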
Slide 33: Get additional context with NVM using Data Store
User endpoints with the AnyConnect Secure Mobility Client send NVM telemetry to the Flow Collector, which stores it in the Data Store. NVM telemetry fields (fields marked * are also available within non-Data Store deployments):
- Session: Start Time*, End Time*, Source IP*, Source Port*, Destination IP*, Destination Port*, Bytes Sent*, Bytes Received*, Packet Count* (derived), Protocol*
- Interface: Interface Info UID, Interface Index, Interface Type, Interface Name, Interface Details List, Interface Mac Addr.
- User: UDID, User, User Account Type, Agent Version, Virtual Station Name
- OS: OS Name, OS Version, OS Edition, System Manufacturer, System Type
- Process: Process Account*, Process Account Type, Process ID, Process Name*, Process Hash*, Process Path, Process Args, Parent Process ID, Parent Process Account, Parent Process Name*, Parent Process Hash*, Parent Process Path, Parent Process Args, Host Name, DNS Suffix, Module Name List, Module Hash List

Slide 34: You can do more with your Secure Analytics detections

Section: Extended detections

Slide 36: What are extended detections?
- Small signal amplification
- Adding context
- Correlating events and detections
- Cross-domain detections
- Detections that require multiple sources
- Adding priority to important alerts
- Detections on new telemetry sources

Slide 37: Alert Chains group related alerts

Slide 38: Alert Chains cluster at a glance

Slide 39: Alert Chains alert timeline

Slide 40: Alert Chains connection graph

Slide 41: Rapid detections
- Delivery mechanism to get our market leading detection capabilities to customers faster
- Multi-telemetry types for cross-domain detections with complex Boolean rule logic
- Rapid Detections is the first implementation to push new detections in a timely fashion

Section: Threat intelligence

Slide 43: Secure Network Analytics threat intel security events
- Bot Infected Host - Attempted C&C Activity
- Bot Infected Host - Successful C&C Activity
- Bot Command & Control Server
- Connection From TOR Attempted
- Connection From TOR Successful
- Connection To TOR Attempted
- Connection To TOR Successful
- Inside TOR Entry Detected
- Inside TOR Exit Detected
- Connection From Bogon Address Attempted
- Connection From Bogon Address Successful
- Connection To Bogon Address Attempted
- Connection To Bogon Address Successful

Slide 44: Secure Cloud Analytics threat intel alerts
- Talos Intelligence Watchlist Hits: Device exchanged a significant amount of traffic with multiple addresses on the integrated Cisco Talos IP Watchlist. This alert uses the Watchlist Interaction observation.
- Repeated Watchlist Communications: Device has established periodic connections with any watchlisted IP (either in a user-defined or integrated watchlist). This alert uses the Watchlist Interaction and Heartbeat observations and may indicate a device is compromised.

Slide 45: Secure Cloud Analytics threat intel alerts, continued
- Public Facing IP Watchlist Match: A public-facing IP in your network was discovered on a watchlist (either explicitly or implicitly via a domain name). This alert uses the Public Facing IP Watchlist Match observation.
- Alerts have no baseline history requirements
- All three are enabled by default

Slide 46: Build your own threat intel alerts
Secure Network Analytics:
- Build custom Outside Hosts host groups
- Build Custom Security Events for these host groups
- Add additional elements for bi-directional traffic
Secure Cloud Analytics:
- User Watchlist Hit
- IPs and Domains Watchlist
- Third Party Watchlist

Demo: Threat intel

Section: MITRE ATT&CK mapping

Slide 49: Introduction to the MITRE ATT&CK framework
- Covers Enterprise, Mobile, and ICS
- Enterprise matrix has 14 tactic categories
- Techniques roll up into categories
- Further broken down into sub-techniques
- Based on real world attacks
- Changes over time with versions
- Accepts contributions from the field
- Common language for security practitioners

Slide 50: Proper use of MITRE ATT&CK mapping
- Don't fall into the coverage map trap!
- Visibility does not ensure detection
- Techniques can have many varieties

Slide 51: Alerts with MITRE ATT&CK Tactics and Techniques
- Single menu for all alert configuration
- Alert on what's important to you, with the option to enable or disable specific alerts
- Hover for a brief description or click to pivot to MITRE for more information
- Understand how alerts map to MITRE Tactics and Techniques
- Secure Cloud Analytics mapping to the MITRE ATT&CK Enterprise Matrix
- Telemetry source of the alert
- Priority
- 98%+ of Secure Cloud Analytics alerts are mapped to the MITRE ATT&CK framework

Slide 52: MITRE ATT&CK framework mappings
- 95% of new and existing alerts mapped to the MITRE ATT&CK framework
- Links provided to MITRE Tactics and Techniques
- Pushed to SecureX with Incidents
- Shared interface

Slide 53: Secure Network Analytics MITRE ATT&CK mapping

Slide 54: Secure Cloud Analytics MITRE ATT&CK mapping

Demo: MITRE ATT&CK mapping

Section: Cisco XDR

Slide 57: Cisco XDR unlocks value for your organization
- Unified in one location for visibility
- Maximized operational efficiency
- Integrated and open for simplicity
Platform elements:
- Integrations: built-in, pre-built or custom
- Ribbon & sign-on: never leaves you, maintains context
- Dashboard: customizable for what matters to you
- Threat response: at the core of the platform
- Orchestration: drag-drop GUI for no/low code
- Device insights: device inventory with contextual awareness

Slide 58: Accelerate investigation with Cisco XDR
- Aggregate and query global intel and local context in one view
- Visualize the impact of threats across your environment
- Understand the chronological order of sightings via the timeline
- Take immediate response actions such as isolating a host or blocking an attacker

Slide 59: Automatically Create Incidents with XDR Analytics
- Create incidents automatically in Incident Manager as part of alert settings
- Configure severity and publication settings in Secure Cloud Analytics
- Manually promote alerts as part of the XDR Analytics alert workflow
(Diagram: XDR Analytics feeds Cisco XDR Incidents.)

Slide 60: Powerful, flexible automation
- Response: Analyst triggers a workflow from within the incident manager or a pivot menu
- Automation rules: An incident matches a pre-defined rule and a workflow is triggered
- And more: Workflows triggered by users, APIs, webhooks, schedules, and more

Section: Wrap Up

Slide 62: You can do more with your Secure Analytics detections

Slide 63: Today we covered
- Building and proving detections
- Multi-telemetry and extended detections
- Threat intelligence
- MITRE ATT&CK framework
- Cisco XDR
- Takeaways to do more with your detections

Slide 64: Cisco Learning and Certifications
From technology training and team development to Cisco certifications and learning plans, let us help you empower your business.
- Pay for Learning with Cisco Learning Credits: Cisco Learning Credits (CLCs) are prepaid training vouchers redeemed directly with Cisco.
- Cisco Training Bootcamps: Intensive team & individual automation and technology training programs
- Cisco Learning Partner Program: Authorized training partners supporting Cisco technology and career certifications
- Cisco Instructor-led and Virtual Instructor-led training: Accelerated curriculum of product, technology, and certification courses
- Cisco Certifications and Specialist Certifications: Award-winning certification program empowers students and IT Professionals to advance their technical careers
- Cisco Guided Study Groups: 180-day certification prep program with learning and support
- Cisco Continuing Education Program: Recertification training options for Cisco certified individuals
- Cisco U.: IT learning hub that guides teams and learners toward their goals
- Cisco Digital Learning: Subscription-based product, technology, and certification training
- Cisco Modeling Labs: Network simulation platform for design, testing, and troubleshooting
- Cisco Learning Network: Resource community portal for certifications and learning

Slide 65: References
- Secure Network Analytics Security Events and Alarm Categories
- Secure Cloud Analytics Alerts and Observations
- Secure Analytics Detections Demo Series on YouTube
- Secure Network Analytics MITRE ATT&CK mapping
- Secure Cloud Analytics MITRE ATT&CK mapping

Slide 66: Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Slide 67: Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Slide 69: Please Fill Out The Survey!

Thank you

Q&A time

Slide 72: Gamify your Cisco Live experience!
Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.
75、rights reserved.Cisco Public#CiscoLive72Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123472 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-2931#CiscoLive