BRKSEC-2101: Secure Malware Analytics Advanced File Analysis: Malware Execution as a Service
Brian McMahon, TME
#CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App: Questions?
Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

$whoami
Brian McMahon, Technical Marketing Engineer (TME), Threat Detection and Response (TD&R)
- Team focus: Cisco Secure Endpoint, Malware Analytics, SecureX/XDR
- First Cisco job: TAC 1996-1999
- Cisco Security Business Group since 2010
- CCIE: so old, it no longer exists (#4205 ISP-Dial)
- Other experience includes multiple startups and several years as a full-time community college instructor (CIS and Cisco Networking Academy)
- First incident response: circa 1993 on a VAXcluster

Agenda
- Introduction
- File Analysis
- Malware Threat Intelligence
- Deployment Options
- Portal Features
- API
- Conclusion & Resources

Introduction
Secure Malware Analytics Overview
Malware Analysis / Threat Intelligence: an automated engine observes, deconstructs, and analyzes using multiple techniques.
- Malware Analysis: automated analysis, static, dynamic, global correlation
- Threat Intelligence: threat score, behavior indicators, observables, analysis reports

File Analysis

File Analysis: What Can I Submit?
Wide range of supported file types (examples):
- Executables
- Java, JavaScript
- PDF, SWF
- MS Office
- Archives (ZIP, 7Z, GZ, TAR, BZ2)
- Scripts (BAT, PS1, VBS)
- URLs
Limitations:
- No .TXT files, no DOS executables
- Max 250 MB, no empty files
- ZIP archives limited to 255 files, and should not be greater than 600 MB when unzipped
- See online help for the most current restrictions
Image: Otlet & Wouters, Manuel de la bibliothèque publique, 1930 (page 106 crop).jpg (Public Domain), https://commons.wikimedia.org/wiki/File:Otlet_%26_Wouters_-_Manuel_de_la_bibliothèque_publique,_1930_(page_106_crop).jpg

File Analysis: Static & Dynamic
- Static analysis (file on disk): header details, AV engines. What it is / contains.
- Dynamic analysis (execution/detonation): network connections, file/system changes, function/library calls. What it does.
Image: Bolex 16 mm film camera (Public Domain), https://commons.wikimedia.org/wiki/File:BolexH16.jpg
Image: Microscope (inverted), National Cancer Institute (Public Domain), https://commons.wikimedia.org/wiki/File:Microscope_(inverted).jpg

File Analysis: Sample Sources
- Manual user submissions
- Automated submissions from: Talos; in-field deployments of integrated Cisco products; relationships with ecosystem partners
- Partnerships with industry researchers and sample providers
- Internal harvesting (mostly limited to targeted attacks and other specific content)
File Analysis Methods: Advanced Dynamic Techniques
Counter-evasion techniques:
- No VM presence
- Obscured VM "tells"
- Configurable runtime
- Network Exit Localization (VEN)
- Playbooks
- Evasion BIs
"I see adversaries"
Image: Phrynosoma mcallii, Flat-tailed Horned Lizard, USFWS photo by Jim Rorabaugh, Public Domain, https://commons.wikimedia.org/wiki/File:Phrynosoma_mcallii.jpg

A Bit More on Counter-Evasion

"Sandbox Evasion" Is an Old, Old Trick
The purpose of Secure Malware Analytics is to catch the bad guys. The bad guys do not want us to catch them! The bad guys also know what a sandbox is. This is why "sandbox evasion" has been part of their bag of dirty tricks for a very long time.

Evading the Evaders
The first step for the attacker is figuring out if they're being watched or not. Malware authors have used lots of tricks to detect sandboxes, including looking for characteristics of VM environments, detecting analysis/debugging hooks, etc. Secure Malware Analytics is designed to be very hard to detect.
Another approach is to use some test to see if there's a real user (mouse movements, etc.). This is what playbooks are for.
Malware can also do things like sleep timers, obfuscation, etc., to make it harder to analyze in case it does end up executing in a sandbox.

Catching the Bad Guys Trying to Catch Us
Secure Malware Analytics uses anti-sandbox or similar evasion as a very interesting behavioral indicator. In other words, by attempting to escape detection, the malware actually gives itself away. (They don't play fair, so why should we?)
Malware Threat Intelligence

Threat Intelligence: Behavior Indicators
Detailed intelligence about how malware behaves.

Threat Intelligence: Global Correlation
- Samples correlated with billions of malware artifacts
- Global/historical context on the threat landscape
- "Wikipedia of Malware"

Threat Intelligence: Privacy and Compliance
- Encryption of all samples at rest
- Multiple regional datacenters: NA (US & CA), EU (DE), APJC (AU)
- Hosted on Cisco iron (UCS)
- Cloud privacy options: Private-by-Default*, self-serve sample deletion
- Secure Malware Analytics Appliance
*All automated submissions are marked Private by default.
Image: Venice carnival costume with mask and hat, CC-0 (Public Domain), https://commons.wikimedia.org/wiki/File:Venice_carnival_costume_with_mask_and_hat_-_transparent.png

Threat Intelligence: Delivery
Sample and Artifact Intelligence Database:
- Analysis and search results: user, org, or global analysis results per sample
- Search for key elements across regions for public samples and locally (your DC) for private samples
- Download artifacts, pcaps, etc.
Threat Intel Data Feeds:
- Threat feeds with context/metadata
- Create custom feeds or download 15 curated batch feeds
- Various formats (JSON, STIX, CSV, Snort)
Deployment Options

Deployment: Options
Installation:
- Cloud: global dataset, full correlation
- Appliance: privacy, local correlation
Interface:
- Integration only: automated interaction, automated sample acquisition, unified workflows
- Full portal (UI/API): custom integrations, full searching capabilities, curated feeds
Combinations:
- Cloud + Integration: samples analyzed in the cloud, UI/API included
- Appliance + Integration: samples analyzed on premise, local data/intelligence only, UI/API
- Cloud + UI/API ("Secure Malware Analytics Cloud"): samples analyzed in the cloud, access to global data

Deployment: Cloud vs. Appliance
- Deployment. Cloud: regional cloud data centers (NA & EU; APJC and Canada 2H CY22). Appliance: hardware UCS appliance.
- Sample privacy. Cloud: samples submitted as private by default (public by default for manual submissions). Appliance: samples kept locally.
- Analysis privacy. Cloud: public sample analysis available to all customers. Appliance: no data is sent to the Cloud.
- Data retention. Cloud: up to 24 months. Appliance: at least 36 months under normal usage.
- Scalability. Cloud: organization license-based, 20K sample submissions/day (exceptions require PM approval). Appliance: appliance license, 200 to 10K sample submissions/day; clustering up to 70K (2-7 appliances).
- Licensing. Cloud: Secure Malware Analytics Cloud, Advanced File Analysis packs, portal users. Appliance: Secure Malware Analytics Appliance license.
- Integrations. Cloud: SecureX, Secure Firewall, Secure Email, Secure Endpoint, Umbrella SIG, Meraki, WSA & 3rd party. Appliance: Secure Firewall, Secure Endpoint Private Cloud, Secure Email, WSA & 3rd party.
- Release cycle. Cloud: bi-weekly. Appliance: bi-weekly with Automated Updates enabled, or once a quarter without.
- VMs/targets. Cloud: Win7 64-bit (2 profiles, + Jp/Kr), Win 10. Appliance: Win7 64-bit, Win 10 .jp/.kr, Win 10.
- Intel. Cloud: pivoting/searching based on global data. Appliance: pivoting/searching based on local data.
- Feeds. Cloud: curated intel feeds based on global data. Appliance: self-generated feeds.
Deployment: Cisco Secure Endpoint Integration
Flow between the Secure Endpoint connector, the Secure Endpoint Cloud and Secure Malware Analytics:
1. The connector sends the file hash.
2. Is it known? Yes: 2a, disposition returned; END.
3. No: send to CSMA? No: 3a, disposition unknown; END. Yes: 3b, disposition unknown and the file is marked SEND.
4. File type check? No: 4a, END. Yes: 4b, file fetch, then queue, static analysis, dynamic analysis, scoring.
5. Poke: threat score and optional disposition go to the disposition updater, together with other inputs.
6. Updated disposition returned.

Secure Endpoint + Malware Analytics made easy
At the Advantage license tier or higher, Secure Endpoint includes full CSMA and also Orbital Advanced Search, which means that suitable Behavioral Indicators can turn into Orbital searches at the click of a button!

Secure Malware Analytics Integrations
- Supported integrations & partners
- Select recipe integrations
- Select threat feed integrations

Portal Features
(Slides 30 to 44 of the deck are portal screenshots; no text was extracted from them.)

A Day / 5 Minutes in the Life of a Malware Analytics Sample
Static Analysis Part 1: Pre-Execution
The most important part of pre-execution static analysis is the classifier. The main purpose of the classifier is to determine if it's even worth running the sample in a VM. For example, a PDF that contains no URLs, JavaScript, or other dynamic content is only going to waste a sample run.
SMA uses a custom classifier that doesn't depend on MIME types, libmagic, etc. It's not always straightforward; for example, some files can be a PDF or a PE depending on how they're executed; even "plain text" files can be malicious. The classifier filters over 90% of submissions before execution.

Dynamic Analysis: Sample Execution/Detonation
The sample runs in a VM of the selected type, under a heavily customized hypervisor. A PREP process figures out how to run the sample within the VM based on information from the classifier. In the case of something like a ZIP archive, there is a priority list of what to execute (for example, PE).
Disk snapshots are taken at the start and end of the run. SMA monitors activity during the run by hooking into the hypervisor (not the running image). This enables us to do things like capture artifacts that are created and then deleted again. Modern web browsers are very chatty and do a lot of this.

Static Analysis Part 2: Post-Execution
After the configured sample time, the VM terminates, and there is a second static analysis step on every artifact that was created during the run. This includes re-running the classifier, parsing and scanning artifacts, and looking them up in multiple reputation databases.
The state of the VM and the information captured during the run is used to build the reports. If configured, a notification is sent via email and/or callback URL. The callback URL format was just recently added to online help (under /api/v2/samples).
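The three stages described above, a content-based classifier that decides whether a VM run is worthwhile, start/end disk snapshots plus monitoring from below the guest that catches artifacts created and deleted during the run, and a post-execution pass that sends every captured artifact back through the classifier, are modelled in the following added Python example. It is written for this page and is not Cisco's classifier or hypervisor code: the PDF active-content markers, the 1024-byte header window, the file event format and the sample contents are constructed assumptions.

```python
"""Toy model of the sample pipeline: pre-execution classifier, run monitoring,
post-execution re-classification. Example code written for this page; the
heuristics below are assumptions, not Secure Malware Analytics internals."""

# Markers of "URLs, JavaScript, or other dynamic content" inside a PDF body
# (assumed list; the real classifier's criteria are not documented here).
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/URI", b"/OpenAction", b"/Launch", b"/AA")


def looks_like_text(data: bytes) -> bool:
    """True when the first 512 bytes are printable ASCII or whitespace."""
    head = data[:512]
    return bool(head) and all(b in b"\t\n\r" or 32 <= b < 127 for b in head)


def classify(data: bytes) -> dict:
    """Decide what a blob is from its content, not its extension or MIME type.
    A file can be several things at once: a PE needs 'MZ' at offset 0, while a
    PDF only needs '%PDF-' somewhere near the start (1024-byte window assumed),
    so the same bytes can be a PE or a PDF depending on how they are opened."""
    kinds = []
    if data[:2] == b"MZ":
        kinds.append("pe")
    if b"%PDF-" in data[:1024]:
        kinds.append("pdf")
    if not kinds:
        kinds.append("text" if looks_like_text(data) else "unknown")
    # A VM run is worth it for executables, and for PDFs only if they carry
    # active content; a static PDF would just waste a sample run.
    detonate = "pe" in kinds or (
        "pdf" in kinds and any(m in data for m in PDF_ACTIVE_MARKERS)
    )
    return {"kinds": kinds, "detonate": detonate}


def snapshot_diff(start: dict, end: dict) -> dict:
    """What comparing the start and end disk snapshots alone can see."""
    return {
        "created": sorted(set(end) - set(start)),
        "deleted": sorted(set(start) - set(end)),
        "modified": sorted(p for p in set(start) & set(end) if start[p] != end[p]),
    }


def replay_run(start: dict, events: list) -> tuple:
    """Apply a stream of (op, path[, content]) file events, the way a monitor
    hooked below the guest would see them, capturing every written artifact
    at write time. Returns (end snapshot, captured artifacts)."""
    disk = dict(start)
    captured = []
    for op, path, *rest in events:
        if op == "write":
            disk[path] = rest[0]
            captured.append((path, rest[0]))
        elif op == "delete":
            disk.pop(path, None)
    return disk, captured


# Constructed run: a dropper writes a DLL, writes a PDF, then deletes the DLL.
START_DISK = {"C:/Users/u/notes.txt": b"hello"}
RUN_EVENTS = [
    ("write", "C:/Users/u/AppData/Local/Temp/stage.dll", b"MZ\x90\x00\x03"),
    ("write", "C:/Users/u/AppData/Local/Temp/lure.pdf",
     b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"),
    ("delete", "C:/Users/u/AppData/Local/Temp/stage.dll"),
    ("write", "C:/Users/u/notes.txt", b"hello world"),
]


def analyze_run(start=START_DISK, events=RUN_EVENTS) -> dict:
    """Run the constructed sample through the three stages."""
    end, captured = replay_run(start, events)
    return {
        "snapshot_view": snapshot_diff(start, end),
        # post-execution: every captured artifact goes back through the classifier
        "artifacts": {path: classify(content) for path, content in captured},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_run(), indent=2))
```

The point of `analyze_run` is the gap between the two views: the snapshot diff never lists `stage.dll`, because it was gone before the end snapshot, while the event-based capture still has its bytes and the post-execution classifier flags it as a PE.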
API

Secure Malware Analytics API: Malware Analysis & Threat Intelligence
API use cases:
- Submit samples for analysis
- Query malware intelligence
- Retrieve curated intelligence feeds
- Usage statistics and data

Secure Malware Analytics API: Security Integration and Automation
The Secure Malware Analytics REST API automates sample analysis, enrichment and reporting.
- Automate submission from numerous technologies (host or network): firewall, network taps, SIEM/log management, security partners, endpoint security, gateway/proxy, IPS/IDS
- Pull results into your existing security: threat content, enrichment, threat intelligence feeds

Secure Malware Analytics APIs: Data API
Entity search:
- /search/ searches observables by specific criteria
Entity lookups:
- /domains/, /urls/, /paths/, etc. pivot from a known observable to other related information in Secure Malware Analytics data
Sample management:
- /samples/ submits samples and retrieves data: analysis, raw observables, feeds
Sample feeds:
- /samples/feeds/ gets lists of observables associated with a filterable set of samples
- Harvested from all sample activity, suspicious or not, therefore very high FP
- Can filter to your users' or your org's samples only; e.g. "get all domains associated with samples my company submitted"
- Results in JSON

Secure Malware Analytics APIs: Data API (continued)
Indicator of Compromise (IOC) feeds:
- /iocs/feeds returns observables seen in conjunction with Behavior Indicators
- Moderate FP level: only those observables seen with a BI, so there is at least some degree of suspicious behavior associated with the item
- Also filterable to only your or your org's samples
- Results in JSON
User management API:
- /users/ creates users, sets sample limits, etc.

Secure Malware Analytics APIs: Curated Feeds API
- /feeds/ is based on specific, high-confidence, human-curated BIs
- Whitelisted via Secure Malware Analytics and Talos intelligence
- Much lower FP
- Groups observables by IOC type (e.g. "DGA DNS domains")
- Not filterable by sample ownership, but you could combine with IOC feeds to do so!
- Least complex request structure
- Made for integrations
- Available output formats: JSON, CSV, Snort, STIX

Secure Malware Analytics APIs: Feed Details Summary
(Each row lists Sample feeds; IOC feeds; Curated feeds.)
- Version: /v2; /v2; /v3
- Endpoint: /samples/feeds/; /iocs/feeds; /feeds/
- Content: all observables seen; observables seen in all BIs; observables seen as part of a trusted high-confidence BI triggering
- FP rate*: high; medium; low
- Pre-whitelisted: no; no; yes
- Filterable to only you/org?: yes; yes; no
- Output formats: JSON; JSON; JSON/CSV/Snort/STIX**
- Request complexity: low; low; lowest
*The factual FP rate is 0; these were all seen. The functional FP rate, as an indicator of local compromise, depends on the details of the observation and varies from feed to feed.
**Additional formats are not available for all curated feeds.

API Use Case: Curated Feeds
URL format: prefix FEED-NAME_date.FORMAT?api_key
- DGA DNS as JSON: https:/panacea.ThreatG
- IP/DNS as STIX: https:/panacea.ThreatG
- DNS Domains as Snort rules: https:/panacea.ThreatG
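The slides above state that curated feeds cannot be filtered by sample ownership but that an org-filtered IOC feed can be combined with them to get that effect. The following added Python example (written for this page, not Cisco's code) builds a curated feed URL from the stated pattern, intersects a curated feed with the org's IOC feed, and runs the result over local DNS logs. Only the URL pattern, the feed formats and the endpoint names come from the talk; the host, the JSON record shapes and the log lines are constructed assumptions, because the real feed schemas are not shown on this page.

```python
"""Combine a curated feed with the org-filtered IOC feed, then run the result
over local DNS logs. Example code written for this page; record shapes, the
log format and the host are constructed assumptions. Only the URL pattern
(prefix FEED-NAME_date.FORMAT?api_key) and endpoint names come from the talk."""
from urllib.parse import urlencode

FEED_PREFIX = "https://CSMA-HOST-PLACEHOLDER/api/v3/feeds/"  # placeholder host
FEED_FORMATS = ("json", "csv", "snort", "stix")


def curated_feed_url(feed_name: str, day: str, fmt: str, api_key: str) -> str:
    """Build prefix FEED-NAME_date.FORMAT?api_key for a curated (/v3) feed.
    `day` is an ISO date string such as 2023-06-07."""
    if fmt not in FEED_FORMATS:
        raise ValueError(f"unsupported format {fmt!r}")
    return f"{FEED_PREFIX}{feed_name}_{day}.{fmt}?" + urlencode({"api_key": api_key})


# Constructed records; the real JSON schemas are not described on this page.
ORG_IOC_FEED = [  # /iocs/feeds filtered to our org: observable + BI + sample
    {"type": "domain", "value": "dga-a1b2c3.example", "ioc": "network-dga-dns", "sample": "SAMPLE-ID-1"},
    {"type": "domain", "value": "cdn.update-checker.example", "ioc": "network-http-get", "sample": "SAMPLE-ID-1"},
    {"type": "domain", "value": "dga-z9y8x7.example", "ioc": "network-dga-dns", "sample": "SAMPLE-ID-2"},
    {"type": "ip", "value": "203.0.113.7", "ioc": "network-connection", "sample": "SAMPLE-ID-2"},
]
CURATED_DGA_DNS = [  # /feeds/dga-dns: pre-whitelisted, not filterable by owner
    {"type": "domain", "value": "dga-a1b2c3.example"},
    {"type": "domain", "value": "dga-q4w5e6.example"},  # never seen in our samples
]


def org_curated_hits(ioc_records: list, curated_records: list) -> dict:
    """Observables in the curated feed that our org's own samples touched:
    curated confidence, org-scoped relevance. Returns value -> {samples, bis}."""
    curated = {(r["type"], r["value"]) for r in curated_records}
    hits = {}
    for r in ioc_records:
        if (r["type"], r["value"]) in curated:
            entry = hits.setdefault(r["value"], {"samples": set(), "bis": set()})
            entry["samples"].add(r["sample"])
            entry["bis"].add(r["ioc"])
    return {v: {"samples": sorted(e["samples"]), "bis": sorted(e["bis"])}
            for v, e in hits.items()}


# Constructed DNS log lines: "<timestamp> <client> query <qname>"
DNS_LOG = """\
2023-06-07T10:01:02Z 10.0.0.15 query www.example.com
2023-06-07T10:01:09Z 10.0.0.22 query dga-a1b2c3.example
2023-06-07T10:02:41Z 10.0.0.22 query mail.example.net
2023-06-07T10:03:00Z 10.0.0.31 query DGA-A1B2C3.EXAMPLE.
""".splitlines()


def match_dns_log(hits: dict, lines: list) -> list:
    """Return (timestamp, client, domain) for every query of a hit domain.
    Names are normalised: lower-case, trailing dot stripped."""
    matches = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed lines instead of failing the whole run
        qname = parts[3].lower().rstrip(".")
        if qname in hits:
            matches.append((parts[0], parts[1], qname))
    return matches


if __name__ == "__main__":
    print(curated_feed_url("dga-dns", "2023-06-07", "json", "API-KEY-PLACEHOLDER"))
    hits = org_curated_hits(ORG_IOC_FEED, CURATED_DGA_DNS)
    for ts, client, name in match_dns_log(hits, DNS_LOG):
        print(ts, client, name, "seen in samples:", hits[name]["samples"])
```

Because the API key travels in the query string, keep fetched feed URLs out of proxy and shell history logs; the intersection step is what brings the curated feed's low FP rate together with the IOC feed's "my org's samples" scoping.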
API Use Case: Submit Files for Analysis
Flow: SecureX Threat Response: is the file known? No. Secure Malware Analytics: was the file seen recently? No. Secure Malware Analytics: submit the file!

API Example: Secure Malware Analytics Submit
  secintsight:$ crontab -l | grep "Secure Malware Analytics"
  0 */5 * * * /home/secintsight/scripts/spam2CSMA.sh
Usage example: analysis folder
- Create a folder for all analysts to dump files of interest into, and use a script to pick them up and submit them to Secure Malware Analytics.
- Use POST parameters to set an email alert to the owner of the file when analysis is complete.
- Could also have different folders for different options: OS language, network exit, etc.

Additional API Use Cases
- Ensure/enforce that all manually submitted samples are set to private
- Download network resources found in analysis of your org's samples and compare to network logs
- Add observable lookups to existing reputation checks
- Set users' passwords from a password management system
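The cron-driven pickup folder above, the "is it known / was it seen recently / submit" decision flow, the submission limits from the File Analysis section, and the use case of forcing every manual submission to private fit into one script. The following added Python example is written for this page and is not the speaker's spam2CSMA.sh. From the talk: the endpoint path /api/v2/samples, the api_key parameter, the limits (no empty files, no .TXT, max 250 MB, ZIP at most 255 files and 600 MB unpacked) and the callback URL notification. Assumptions: the host, the form field names sample, private and callback_url, and the 24-hour meaning of "seen recently".

```python
"""Cron-friendly folder pickup that submits new files to POST /api/v2/samples.
Example code written for this page, not the speaker's spam2CSMA.sh. The host
and the form field names 'sample', 'private', 'callback_url' are assumptions."""
import hashlib
import json
import os
import tempfile
import time
import uuid
import zipfile
from urllib import request

BASE_URL = "https://CSMA-HOST-PLACEHOLDER"  # placeholder portal host
SUBMIT_PATH = "/api/v2/samples"             # endpoint named in the talk
MAX_BYTES = 250 * 1024 * 1024
ZIP_MAX_ENTRIES, ZIP_MAX_UNPACKED = 255, 600 * 1024 * 1024
RECENT_SECONDS = 24 * 3600                  # assumed meaning of "seen recently"


def check_limits(path: str):
    """Return a rejection reason from the published limits, or None."""
    size = os.path.getsize(path)
    if size == 0:
        return "empty file"
    if size > MAX_BYTES:
        return "larger than 250 MB"
    if path.lower().endswith(".txt"):
        return ".txt files are not accepted"
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            infos = zf.infolist()
            if len(infos) > ZIP_MAX_ENTRIES:
                return "ZIP has more than 255 files"
            if sum(i.file_size for i in infos) > ZIP_MAX_UNPACKED:
                return "ZIP unpacks to more than 600 MB"
    return None


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def select_new_files(folder: str, known: set, recent: dict, now: float):
    """Yield (path, sha256) for files whose hash is neither already known
    (disposition exists) nor handled within RECENT_SECONDS. A generator, so a
    duplicate dropped by a second analyst is skipped once the first is sent."""
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if digest in known or now - recent.get(digest, float("-inf")) < RECENT_SECONDS:
            continue
        yield path, digest


def encode_multipart(fields: dict, file_field: str, path: str) -> tuple:
    """Hand-rolled multipart/form-data body; returns (content_type, body)."""
    boundary = "----csma-" + uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(), b"", str(value).encode()]
    with open(path, "rb") as fh:
        data = fh.read()
    parts += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{os.path.basename(path)}"'.encode(),
              b"Content-Type: application/octet-stream", b"", data, f"--{boundary}--".encode(), b""]
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(parts)


def http_post(url: str, content_type: str, body: bytes) -> dict:
    req = request.Request(url, data=body, headers={"Content-Type": content_type}, method="POST")
    with request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def submit_folder(folder, api_key, known, recent, callback_url=None, post=http_post, now=None):
    """Submit every eligible file with 'private' forced on, regardless of what
    the caller asks for. Returns (submitted [(digest, response)], skipped [(path, reason)])."""
    now = time.time() if now is None else now
    submitted, skipped = [], []
    for path, digest in select_new_files(folder, known, recent, now):
        recent[digest] = now  # recorded even if rejected, so cron does not retry it every run
        reason = check_limits(path)
        if reason:
            skipped.append((path, reason))
            continue
        fields = {"api_key": api_key, "private": "true"}
        if callback_url:
            fields["callback_url"] = callback_url
        ctype, body = encode_multipart(fields, "sample", path)
        submitted.append((digest, post(BASE_URL + SUBMIT_PATH, ctype, body)))
    return submitted, skipped


def demo() -> dict:
    """Offline run: constructed folder, fake transport, two cron ticks."""
    bodies = []

    def fake_post(url, ctype, body):
        bodies.append(body)
        return {"url": url, "private_forced": b'name="private"\r\n\r\ntrue' in body}

    files = {"a.bin": b"MZ\x90", "b.bin": b"MZ\x90", "c.bin": b"xxx", "d.txt": b"hi", "e.bin": b""}
    with tempfile.TemporaryDirectory() as folder:
        for name, content in files.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(content)
        known = {sha256_of(os.path.join(folder, "c.bin"))}  # disposition already known
        recent = {}
        first, skipped = submit_folder(folder, "API-KEY-PLACEHOLDER", known, recent,
                                       "https://CALLBACK-PLACEHOLDER/done", fake_post, now=1000.0)
        second, _ = submit_folder(folder, "API-KEY-PLACEHOLDER", known, recent, None, fake_post, now=1100.0)
    return {"first": first, "skipped": sorted(r for _, r in skipped), "second": second, "posts": len(bodies)}
```

In `demo`, only `a.bin` is posted: `b.bin` is a byte-identical duplicate, `c.bin` is already known, `d.txt` and the empty `e.bin` fail the published limits, and the second tick five minutes later finds nothing new. The `private` field is set unconditionally, which is the "ensure/enforce private" use case from the slide.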
Threat Response API
- Access included with purchase of a Secure Malware Analytics portal account
- Time-based tokens
- Functions (partial list): look up observable reputations (across all data sources, unlimited lookups); take common response actions (quarantine file, block domain)

CSMA in SecureX
(Screenshot slide; no text was extracted.)

Conclusion

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

Continue your education
- Visit the Cisco Showcase for related demos
- Visit the Threat Wall, right next to the NOC display area
- Book your one-on-one Meet the Engineer meeting
- Get interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Suggested Sessions: recommendations for learning
Based on your attendance in this session, these are some other sessions that have been hand-chosen for you. If you are unable to attend a live session, you can watch it On Demand after the event.
- Jun 5 16:00 (watch later): BRKSEC-1023, Accelerate your SOC with Cisco XDR, Matt Vanderhorst
- Jun 6 10:30 (watch later): BRKSEC-2354, Automating Security: Just Because You Can, Doesn't Mean You Should, TK Keanini
- Jun 6 13:00 (watch later): BRKSEC-2242, Cisco's Malware Defense Cloud and Secure Malware Analytics Integrations, Bill Yazji
- Jun 7 10:30, Mandalay Bay D: BRKSEC-2120, Breach Prevention: An Effective Security Awareness Program, Filipe Lopes
- Jun 7 14:00, WoS Theater 2: PSOSEC-1009, Cybercriminals See All Users As Opportunities, Adam Tomeo
- Jun 7 13:00, Breakers BH: BRKSEC-2113, Cisco XDR: Making sense of the Solution and how it's a Security Productivity Tool, Aaron Woland
- Jun 8 9:30, South Seas J: BRKSEC-2178, Extended Detection w/ Cisco XDR: Security Analysis across the enterprise, Matt Robertson
- Jun 7 12:00, DevNet Theater: DEVNET-3098, Leveraging Cisco Security APIs for threat hunting based on automated alerting and intel-driven detections, Oxana Sannikova

Thank you

Gamify your Cisco Live experience!
Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.