Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive

We’re ready. Are you?
February 15 - 19, 2016 • Berlin, Germany

Targeted Threat (APT)
Defense for Applications
Featuring pxGrid
David Jones
Computer Relations Specialist

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID
Why are we here?
Was looking like this:

Ask dave
5% of SySAdmin accounts or
their laptops may be
compromised at any moment

Top 10 varieties of threat actions over time
Source: 2014 Verizon Data Breach Investigation Report

By the numbers
Source Verizon 2015 DBIR

Source: Verizon 2015 DBIR

99.9%
OF THE EXPLOITED VULNERABILITIES WERE COMPROMISED
MORE THAN A YEAR AFTER THE CVE WAS PUBLISHED
Source: Verizon 2015 DBIR

“The only comment I have is that it’s
sad we live in this country and have
to look outside of the united states
for affordable medicine.”
Excerpt From: Krebs, Brian. “Spam Nation.” Sourcebooks, Inc,
2014.
9

From the recent news:
“Juniper said that someone managed to get into its
systems and write "unauthorized code" that "could
allow a knowledgeable attacker to gain administrative
access."
“LANDESK has found remnants of text files with lists
of source code and build servers that the attackers
compiled,” John said. “They know for a fact that the
attackers have been slowly [archiving] data from the
build and source code servers, uploading it to
LANDESK’s web servers, and downloading it.”

Nation State Run Book

DataCenter
Infestation & Lateral
Movement 1. User desktop infected WCE or
Mimikatz is started
2. Privileged user or Application logs in -
WCE hijacks credentials
3. Rootkit remotely installed on server in
datacenter
4. Super user performs task on
datacenter server, malware hijacks
credentials
5. Malware spreads throughout
datacenter
Malware details
• Targeting out of date plugins (Flash, Word,
Acrobat Reader, Java)
• Malware customized to avoid AV signatures
• Higher they get – the more unique the
malware

DataCenter
Infestation - Remediation
1. Super user logs in with SmartCard and has
scoped access to other hosts
2. Malware not propagated throughout data center
3. Prevent privileged user or Application from
logging into desktop.
4. Privileged user instead logs into administrator
station.
5. Malware is not spread to data center
6. Upgrade Applications and Operating System
baseline and Train Users
7. Initial attack fails

Infestation Abuses Applied
Software Publishing Infrastructure
1. Engineer desktop infected. Access to
source code and Build server available
2. SysAdmin targeted for access to
systems and/or their Distribution
Credentials.
3. SysAdmin laptop infected
4. Either way Customers are infected
Build Cluster
Code
Repository
Software Developer
Distribution
update.company.com
Manufacturing
Customers

Infestation Abuses Applied - Remediation
Software Publishing Infrastructure
1. Image singing deployed
2. Customer devices validate images
3. Distribution servers validate images and use
their own multi factor instead of passwords
4. Engineer & SysAdmin use smartcard instead
of password
5. Developer and SysAdmin endpoints secured
Build Cluster
Code
Repository
Software Developer
Distribution
update.company.com
Manufacturing
Customers

Software Publishing remediation
Need to remove the ability for developers to run a build from code that has not
been checked into the repository
Repository must log and report on differences between previous versions
Reviewers must review those change logs for production releases
Multi factor must be required to check code into the repository and also to run a
build.
Builds should require two people
Builds must be cryptographically signed and build time
Each stage of the distribution should validate the image signature
That way, the only way to inject a back door is for the developer to miss the change
to their own code and for the reviewers of changes to also miss it.
That said, it would be easy to forget to do these things after a while or during a
customer crisis requiring an emergency build. Back to the must review at full GA
production releases.

Controls

Secure Administration Controls
SCP
Production
Resources
Administration
End point

Security Control Points
OTP
Windows SCP
Linux SCP
Perimeter
Defense
RDP

• Sandbox Detonation
• pDNS
• NetFlow
• Host Based IP/DS on low value computers
• Windows Event Logs
• Log all of these to the same place so they can be correlated
Monitoring and Detection

• Windows
• GPOs/AppLocker
• Linux
• Puppet/Perl
• Both
• Change the default passwords
• Full reconciliation of configuration settings
• Log of executables executed on critical systems.
• Location of binary can be a giveaway
• Verify binary Signatures
• Accounts trying to log into hosts that they are not authorized to log into
Security Configuration Management
Proactively maintain security controls

Control Use Cases

Blocking Lateral movement
Scoped Access with GPOs

Network device product management
Only allow SSH
From SCP
Programmatic
Interface only from
specific host servers

MDM product management suite
Client and Management Traffic over HTTPS
ClientApp
Admin UI
App
Replication

Mail Server product management
Only allow SSH
From SCP
BSDi Mail
Appliance
Appliance
Mail Server
Only allow PwrShell from Prov Box

Database

Virtual Machine hosting product(s) management
UCS
VMWare or OpenStack/KVM
Tenan
t1
Tenan
tX
Tenan
t3
Tenan
t2
CSG Common Identity or DSX
Commodity dual
Internal Admin Token
ACLs Blocking
Admin Ports
SCP
Web Server
Plugin
Infra
Admin
Internal
Tenant
Partner
Authentication Mechanism

CSIRT
Monitoring sso.yourcompany.com
Cisco Premise
Secure Cloud Administration – 3rd Party
Security Control
Point aka Jump Box

Application to Application

Simple Application Credential Management
Application 1 Application B
Logged Sudo Access
to Credential

Remove the Credential From the Application
Get Creds

App to App - Target
OAuthToken
request flow
TLS EncryptedTunnel
Machine
Certificate
Machine
Certificate
User JanDoe
Delegated
JanDoe
Encrypted
Storage

• ACT2 Lite
• HSM
• TPM
• USB
• Files….
Certificate Storage

Application to Application
Best Practice - pxGrid

Cisco Platform Exchange Grid – pxGrid
Network-Wide Context Sharing
That Didn’t
Work So
Well!
pxGrid
Context
Sharing
Single
Framework
Direct,
Secured
Interfaces
I have NBAR info!
I need identity…
I have firewall logs!
I need identity…
SIO
I have sec events!
I need reputation…
I have NetFlow!
I need entitlement…
I have reputation info!
I need threat data…
I have MDM info!
I need location…
I have app inventory info!
I need posture…
I have identity & device-type!
I need app inventory & vulnerability…
I have application info!
I need location & auth-group…
I have threat data!
I need reputation…
I have location!
I need identity…
BENEFITS of pxGrid, it can…
• Establish that secure TLS tunnel for you
• Be leveraged as your communications bus with XMPP
Including discovery of services available
• Verify Integrity of each endpoint communicating in the Grid
• Be used without you writing *that* code

ISE Integration
pxGrid
Radius
1.802.1X
User
Session
Publish
User
SGT
Device
Location
Auth
User
Meta Data
User Group
ISE Server
Switch
Internet
FireSIGHT
Management
Center
Sensor
User
Meta Data

pxGrid
Certificate
Registration

• Bi-direction certificate authentication is better then one way
with passwords
• Current pxGrid Java API stores certificates in files (JKS)
• If the certificates are not protected they become available
to theft
pxGrid Certificate Security
3rd Party Applications

• Ability to use OpenSSL SSLContext directives to specify cert context
• This could be HSM, TPM, USB, other
pxGrid Certificate Security - Future

• Java API only supports JKS Files
• JKS files and the passwords to open them must be
protected
pxGrid Certificate Security - Current

• Place certificate password in a file
• Run your application with a dedicated account with no
password and no default shell – “AppUser”
• Protect the storage of pword and JKS file with file systems
permissions like: AppUser rw- --- ---
• Require logged sudo to access those files
pxGrid Certificate Security - Linux

Getting Started with pxGrid

• Install Java
• Download the SDK
• Download the Configuration and testing guide
• Will walk you through using certificates, external data sources and tests
• Bourne Shell scripts to test connectivity and basic functions
• Code you can mess with to do the same in Java and C
Getting started with pxGrid

For Example – Query by IP
./session_query_by_ip.sh -a 10.0.0.37 -u dave -k myKeys.jks -p demoPas$ -t myKeys_root.jks -q demoPas$
-------properties -------
version=1.0.2-30-SNAPSHOT
hostnames=10.0.0.37
username=dave
group=Session
description=null
keystoreFilename=myKeys.jks
keystorePassword=demoPas$
truststoreFilename=myKeys_root.jks
truststorePassword=demoPas$
--------------------------
12:50:33.356 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager-Started
Connecting...
Connected
12:50:34.961 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager-Connected
IP address (or <enter> to disconnect): 10.0.0.15
Session={ip=[10.0.0.15], Audit Session Id=0A0000020000000F004BE344, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:79:02:A8, Session state=AUTHENTICATED, ANCstatus=null, Security Group=null, Endpoint
Profile=Add_Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/43, RADIUSAVPairs=[ Acct-Session-Id=00000009], Posture
Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 13:42:25 EDT 2015}

Called Source Code
// set configuration
TLSConfiguration config = new TLSConfiguration();;
config.setHosts(hostnames);;
config.setUserName(username);;
config.setGroup(Group.SESSION.value());;
config.setKeystorePath(keystoreFilename);;
config.setKeystorePassphrase(keystorePassword);;
config.setTruststorePath(truststoreFilename);;
config.setTruststorePassphrase(truststorePassword);;

Called Source Code - Continued
// initialize xgrid connection
GridConnection con = new GridConnection(config);;
con.addListener(new SampleConnectionListener());;
// use reconnection manager to ensure connection gets re-established {…}
// create query we'll use to make call
SessionDirectoryQuery query = SessionDirectoryFactory.createSessionDirectoryQuery(con);;
Session session = query.getActiveSessionByIPAddress(InetAddress.getByName(ip));;
if (session != null) {
SampleUtilities.print(session);;
System.out.println("");;
}
else {
System.out.println("session not found");;
}

Example – Download Session Directory
./session_download.sh -a 10.0.0.37 -u dave -k myKeys.jks -p demoPas$ -t myKeys_root.jks -q demoPas$
…
Session={ip=[10.0.0.15], Audit Session Id=0A0000020000000F004BE344, User Name=jeppich, AD User DNS
Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling
station id=00:0C:29:79:02:A8, Session state=AUTHENTICATED, ANCstatus=null, Security Group=null, Endpoint
Profile=Add_Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/43, RADIUSAVPairs=[ Acct-Session-Id=00000009],
Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 13:42:25 EDT 2015}
Session={ip=[10.0.0.37], Audit Session Id=0A0000020000000E004156F4, User Name=00:0C:29:87:8D:1F, AD User DNS
Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station
id=00:0C:29:87:8D:1F, Session state=STARTED, ANCstatus=null, Security Group=null, Endpoint Profile=VMWare-Device,
NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/37, RADIUSAVPairs=[ Acct-Session-Id=00000005], Posture Status=null,
Posture Timestamp=, Session Last Update Time=Thu Jul 23 09:41:25 EDT 2015}
Session={ip=[10.0.0.3], Audit Session Id=0A0000020000000D00036A42, User Name=18:E7:28:2E:29:CB, AD User DNS
Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calli
ng station id=18:E7:28:2E:29:CB, Session state=STARTED, ANCstatus=null, Security Group=null, Endpoint Profile=Cisco-
Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/37, RADIUSAVPairs=[ Acct-Session-Id=00000007], Posture
Status=null, Posture Timestamp=,Session Last Update Time=Thu Jul 23 09:43:42 EDT 2015}

Called Source Code
SessionDirectoryQuery sd = SessionDirectoryFactory.createSessionDirectoryQuery(con);
SessionIterator iterator = sd.getSessionsByTime(start, end, filter);
iterator.open();
Date startedAt = new Date();
System.out.println("starting at " + startedAt.toString() + "...");
int count = 0;
Session s = iterator.next();
while (s != null) {
// when testing performance, comment out the following line. otherwise
// excessive console IO will adversely affect results
SampleUtilities.print(s);
s = iterator.next();
count++;
if (count % 1000 == 0) {
System.out.println("count: " + count);
}
}

Quarantine That Machine by IP
// create query we'll use to make call
EPSClientStub stub = new EPSClientStub();
EPSQuery query = stub.createEPSQuery(con);
// quarantine ip addresses based on user input
try {
query.quarantineByIP(ip);
} catch (GCLException e) {
System.out.println("GCLException msg=" + e.getMessage());
}

Un-Quarantine that Machine by MAC
// quarantine ip addresses based on mac addresses
Scanner scanner = new Scanner(System.in);
while (true) {
System.out.print("mac address (or <enter> to disconnect): ");
String mac = scanner.nextLine();
if (mac == null || "".equals(mac)) {
break;
}
try {
query.unquarantineByMAC(mac);
} catch (GCLException e) {
System.out.println("GCLException msg=" + e.getMessage());
}
}
scanner.close();

• development SDK and client
information. https://developer.cisco.com/site/pxgrid/
pxGrid – More Information

Image Verification
Secure Boot and ACT-2 Lite

Secure Boot
55

• Cisco Secure Boot – FPGA as the hardware
anchor
• CPU Based – with CPU as the hardware anchor
• Bootcode Hardening – hardware anchor in boot
flash
Secure Boot Options
57

Cisco Secure Boot Sequence
58

ACT2 Lite Overview

"ACT-2 provides the mechanism for
the highest possible assurance for
identity for our products."
- Bob Bell
60

ACT-2 Lite Overview
Hardware Anchored Identity – Creating and installing
an identity which is immutably and irrevocably linked to
a specific hardware instance

• ACT-2Lite is an initial step to solving the Hardware Anchored Identity
issue
• ACT-2Lite is composed of
• A hardware component – ACT-2Lite Chip
• A software component – ACT-2Lite Support Library
• A mechanism to link and control device identity – Identity Insertion Process
• Based on a commercially available smart chip and cryptographic library
• Protects the identity credentials with smart chip measures
What is an ACT-2 Lite Chip?

• Provides identity assurance that hardware and software on a device have not been
tampered with or are in other ways counterfeit
• Has it’s own provisioned identity embedded in hardware (Hardware anchored Identity)
• A device that can perform cryptographic functions.
• Can provide secure storage for license keys and similar data
• Cannot be accessed by the end user
What is an ACT-2 Lite Chip?

ACT-2Lite Capabilities
• To provide hardware anchored identity
• X.509v3 identity certificates
• RSA asymmetric cryptography
• ECC asymmetric cryptography
• To provide limited cryptographic operations
• keys do not leave the chip
• encrypted data normally stored on chip but may be stored in host FLASH
• performs HASH, HMAC, symmetric key cryptography, and asymmetric key
cryptography
• To provide secure on-chip storage of information
• access control based on roles
• data encrypted at rest
• Entropy source
• Contains a non-deterministic random bit source
• Contains a FIPS approvable deterministic random bit source

• Manage its own users and objects stored in it
• Read information from and about the SUDI and the ACT-2 Chip
• Provide User Resource utilization – EEPROM and RAM
• Create deterministic random numbers
• HASH functions
• HMAC functions
• Symetric Crypto functions
• RSA functions
• ECC functions
Things ACT-2 Can Do

Host to ACT-2 Lite Chip relationship diagram
Application
Specific
Hardware
(e.g. switch
ports and
console
interfaces)
Application Specific
Host Processor
(e.g. Intel Xeon
chipset with RAM
and FLASH)
ACT-2Lite
Support
Library
ACT-2Lite
Chip

ACT-2 Identity Insertion
Process

ACT-2 Lite Identity Insertion Process
• Ensures that there is a one-to-one mapping between identities issued and
physical hardware instances
• Protects critical credential information from loss of confidentiality
• Provides for a constant tracking of the location of both ACT-2Lite Chips and the
associated Identities from the time the chip is manufactured until it is installed
into a hardware instance of a product
68

ACT-2
Identity
Insertion
Process
• Generates)unique)chip)serial)number)
• Delivers)eCSKMP)to)backend)
• Delivers)chips)to)CM)
Chip)
Manufacturer)
• Generates)SUDI)Cer@ficate)during)IIP)
• Generates)CLIIP)offline)from)eCSKMP)
• Handles)the)reconcilia@on)for)issuing)new)real)@me)CLIIP)files)or)new)SUDI)
cer@ficates))
Cisco)Backend)
(CBE))
• Authen@cate)Manufacturing)User)through)token)
• Interface)with)UUT)and)CBE)pass)CLIIP)toDiags)
• Request)SUDI)cert)from)CBE)and)pass)SUDI)to)Diags))
Auto)Test))
• Receive)CLIIP)from)Autotest)and)install)in)ACTN2)chip)
• Generate)SUDI)request)and)pass)to)Autotest)
• Receive)SUDI)cert)and)install)in)ACTN2)chip)
• Authen@cate)the)ACTN2)chip)by)Validate)the)SUDI)and)CLIIP)cer@ficate)are)
correctly)installed.)
BU)

ACT-2 Lite Examples

• ACT-2 is accessed through the TAM Library API
• You must first open(connect) the ACT-2 device and authenticate to it
to perform operations.
• Authenticating to it involves validating the product ID from the SUDI
and the SN to complete the anti-counterfeit verification
• ACT-2 has it’s own users, admin and restricted which must
authenticate to it with PINs in order to access the chip
ACT-2 Basics

RSA Key Generation and Private Key Encryption
status = tam_lib_rsa_keypair_gen(tam_handle,
session_id,
key_length,
e_value,
TAM_LIB_ZEROIZE,
TAM_LIB_MEM_RAM,
&key_object_id);;
if (status != TAM_RC_OK) {
printf("n%s-%u ERROR sid=0x%x status=0x%0x-%s",
__FUNCTION__, __LINE__,
session_id,
status, tam_lib_rc2string(status));;
return (status);;
}
status = tam_lib_rsa_private_encr(tam_handle,
session_id,
key_object_id,
orig_object_id,
&encr_object_id);;
session_id,
return (status);;
}

RSA Public Key Encryption and Private Key
Decryption
status = tam_lib_rsa_public_encr(tam_handle,
session_id,
key_object_id,
orig_object_id,
&encr_object_id);;
session_id,
return (status);;
}
status = tam_lib_rsa_private_decr(tam_handle,
session_id,
key_object_id,
encr_object_id,
&decr_object_id);;
session_id,
return (status);;
}

http://wwwin.cisco.com/security-trust/trust_eng/tsi/tat/tam/act2/getting_started.shtml
Code Samples: EDCS-1272160
ACT-2 Lite Reference

Assuming that they run on a platform with ACT-2, you could set up one of the restricted users (an ACT-2 user role) is the
keeper of the keys for the JKS file. The app would first submit the JKS file to the ACT-2 using that restricted user role to be
encrypted using a key maintained within the scope of the role. Later, when the file is to be used, the encrypted file is sent
to the chip again under the scope of the restricted user role and retrieve the decrypted form of the file which is then kept in
memory. It is then submitted through the JAVA system for use. When it is done, the memory copy is either discarded (if
clean) or re-encrypted (if dirty).
If they have a TPM, there are similar operations that can be performed but they are not as exclusive as the ACT-2
restricted user scenario presented above.
If they have no hardware crypto module, there is a software TAm which is implemented as part of the TAM library which,
while not as secure as ACT-2, could be used to provide software protections above the basic OS protections.
Protecting JKS file with ACT2

Cisco Common Security
Modules

• CiscoSSL – SSL and TLS support functions based on OpenSSL enhanced
with functions to reach FIPS compliance
• CiscoSafeC and CiscoJ – Provide secure development libraries to reach
FIPS compliance
• Cisco RA - Cisco Registration Authority (CiscoRA) is a common security
module that provides registration authority services in a public key
infrastructure (PKI). CiscoRA has several possible use cases
• Cisco EST – Implementation of Enrollment over Secure Transport (EST) is a
newly-defined certificate enrollment protocol (IETF RFC 7030)
• Cisco TAM - Trust Anchor module (TAm) for accessing ACT-2 Lite chips
• Cisco SSM - The Cisco Secure Storage Module (CiscoSSM) is a light weight
alterative to the Trust Anchor module (TAm) Services
Common Security Modules

CSM Reference Architecture

Cisco RA Reference Architecture

Cisco EST Reference Architecture

https://cisco.jiveon.com/groups/common-security-modules/pages/software-documentation-release-info
Common Security Modules Reference

Thank you
davej@cisco.com

Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Destaque

Destaque (20)

Semelhante a Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive

Semelhante a Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive (20)

Mais de Cisco DevNet

Mais de Cisco DevNet (20)

Último

Último (20)

Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive