We’re ready. Are you? February 15 - 19, 2016 • Berlin, Germany

Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Page 1: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Page 2

Targeted Threat (APT) Defense for Applications

Featuring pxGrid

David Jones, Computer Relations Specialist

Page 3

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation ID

Why are we here?

Was looking like this:

Page 4

Ask dave

5% of SySAdmin accounts or their laptops may be compromised at any moment

Page 5

Top 10 varieties of threat actions over time

Source: 2014 Verizon Data Breach Investigation Report

Page 6

By the numbers

Source: Verizon 2015 DBIR

Page 7

Source: Verizon 2015 DBIR

Page 8

99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published

Source: Verizon 2015 DBIR

Page 9

“The only comment I have is that it’s sad we live in this country and have to look outside of the united states for affordable medicine.”

Excerpt From: Krebs, Brian. “Spam Nation.” Sourcebooks, Inc, 2014.


Page 10

From the recent news:

“Juniper said that someone managed to get into its systems and write "unauthorized code" that "could allow a knowledgeable attacker to gain administrative access."”

“LANDESK has found remnants of text files with lists of source code and build servers that the attackers compiled,” John said. “They know for a fact that the attackers have been slowly [archiving] data from the build and source code servers, uploading it to LANDESK’s web servers, and downloading it.”

Page 11

Nation State Run Book

Page 12

Data Center

Infestation & Lateral Movement

1. User desktop infected; WCE or Mimikatz is started

2. Privileged user or application logs in; WCE hijacks credentials

3. Rootkit remotely installed on server in data center

4. Super user performs task on data center server; malware hijacks credentials

5. Malware spreads throughout data center

Malware details

• Targeting out of date plugins (Flash, Word, Acrobat Reader, Java)
• Malware customized to avoid AV signatures
• The higher they get, the more unique the malware

Page 13

Data Center

Infestation – Remediation

1. Super user logs in with SmartCard and has scoped access to other hosts

2. Malware not propagated throughout data center

3. Prevent privileged user or Application from logging into desktop.

4. Privileged user instead logs into administrator station.

5. Malware is not spread to data center

6. Upgrade Applications and Operating System baseline and Train Users

7. Initial attack fails

Page 14

Infestation Abuses Applied – Software Publishing Infrastructure

1. Engineer desktop infected. Access to source code and build server available

2. SysAdmin targeted for access to systems and/or their distribution credentials

3. SysAdmin laptop infected

4. Either way, customers are infected

Diagram labels: Build Cluster, Code Repository, Software Developer, Distribution (update.company.com), Manufacturing, Customers

Page 15

Infestation Abuses Applied – Remediation – Software Publishing Infrastructure

1. Image signing deployed

2. Customer devices validate images

3. Distribution servers validate images and use their own multi-factor authentication instead of passwords

4. Engineer & SysAdmin use smartcard instead of password

5. Developer and SysAdmin endpoints secured

Diagram labels: Build Cluster, Code Repository, Software Developer, Distribution (update.company.com), Manufacturing, Customers

Page 16

Software Publishing Remediation

• Need to remove the ability for developers to run a build from code that has not been checked into the repository
• Repository must log and report on differences between previous versions
• Reviewers must review those change logs for production releases
• Multi-factor authentication must be required to check code into the repository and also to run a build. Builds should require two people
• Builds must be cryptographically signed, along with the build time
• Each stage of the distribution should validate the image signature

That way, the only way to inject a back door is for the developer to miss the change to their own code and for the reviewers of changes to also miss it.

That said, it would be easy to forget to do these things after a while, or during a customer crisis requiring an emergency build. Hence the requirement to review at full GA production releases.
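A worked version of the build-signing and stage-validation steps above, added here as an example in Go; it is not code from the page or from any Cisco tool. The Manifest fields, the set of checked-in commit ids, the builder names and the image bytes are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the record the build cluster signs and every distribution stage
// checks. Its field set is an assumption for this example.
type Manifest struct {
	ImageSHA256 string    `json:"image_sha256"`
	CommitID    string    `json:"commit_id"`
	BuildTime   time.Time `json:"build_time"`
	Builders    []string  `json:"builders"` // the two people who ran the build
}

// SignedImage travels together through build, distribution and manufacturing.
type SignedImage struct {
	Image    []byte
	Manifest []byte // exact JSON bytes that were signed
	Sig      []byte
}

var (
	ErrTwoPerson  = errors.New("build requires two distinct people")
	ErrNotChecked = errors.New("commit is not checked into the repository")
	ErrBadSig     = errors.New("manifest signature does not verify")
	ErrBadDigest  = errors.New("image digest does not match signed manifest")
)

// SignBuild runs on the build cluster. repo is the set of commit ids the
// repository knows about, so a build from uncommitted code is refused.
func SignBuild(priv ed25519.PrivateKey, image []byte, commit string,
	builders []string, repo map[string]bool, now time.Time) (*SignedImage, error) {
	distinct := map[string]bool{}
	for _, b := range builders {
		distinct[b] = true
	}
	if len(distinct) < 2 {
		return nil, ErrTwoPerson
	}
	if !repo[commit] {
		return nil, ErrNotChecked
	}
	sum := sha256.Sum256(image)
	m := Manifest{
		ImageSHA256: hex.EncodeToString(sum[:]),
		CommitID:    commit,
		BuildTime:   now.UTC(),
		Builders:    builders,
	}
	mb, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return &SignedImage{Image: image, Manifest: mb, Sig: ed25519.Sign(priv, mb)}, nil
}

// VerifyStage is what each stage of the distribution runs before accepting an
// image: signature first, then the digest that binds the bytes to the manifest.
func VerifyStage(pub ed25519.PublicKey, si *SignedImage) (*Manifest, error) {
	if !ed25519.Verify(pub, si.Manifest, si.Sig) {
		return nil, ErrBadSig
	}
	var m Manifest
	if err := json.Unmarshal(si.Manifest, &m); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(si.Image)
	if hex.EncodeToString(sum[:]) != m.ImageSHA256 {
		return nil, ErrBadDigest
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	repo := map[string]bool{"c0ffee01": true} // constructed commit id
	image := []byte("constructed firmware image bytes")
	si, err := SignBuild(priv, image, "c0ffee01", []string{"alice", "bob"}, repo, time.Now())
	if err != nil {
		panic(err)
	}
	m, err := VerifyStage(pub, si)
	fmt.Println("distribution stage accepted build of", m.CommitID, "err:", err)
	si.Image = append(si.Image, "extra bytes"...) // image altered after signing
	_, err = VerifyStage(pub, si)
	fmt.Println("manufacturing stage result:", err)
}
```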

Page 17

Controls

Page 18

Secure Administration Controls

SCP

Production Resources

Administration End Point

Page 19

Security Control Points

OTP

Windows SCP

Linux SCP

Perimeter Defense

RDP

Page 20

Monitoring and Detection

• Sandbox Detonation
• pDNS
• NetFlow
• Host-based IPS/IDS on low-value computers
• Windows Event Logs
• Log all of these to the same place so they can be correlated

Page 21

Security Configuration Management – Proactively maintain security controls

• Windows
  • GPOs/AppLocker

• Linux
  • Puppet/Perl

• Both
  • Change the default passwords
  • Full reconciliation of configuration settings
  • Log of executables executed on critical systems. Location of binary can be a giveaway
  • Verify binary signatures
  • Accounts trying to log into hosts that they are not authorized to log into
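The three "Both" checks above (executable location outside the reconciled baseline, unsigned binaries, and logins by accounts not authorized on that host) run over a constructed log sample, as an added Go example; this is not a Cisco tool, and the key=value log layout and the per-host baselines are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample of the two log sources the slide names: executables run on
// critical systems and login attempts. The key=value layout is assumed for this
// example; it is not a real product's log format.
const sampleLog = `host=build01 event=exec user=buildsvc exe=/usr/bin/make signed=true
host=build01 event=exec user=buildsvc exe=/tmp/.cache/make signed=false
host=db01 event=exec user=oracle exe=/opt/oracle/bin/sqlplus signed=true
host=db01 event=login user=jdoe result=success
host=build01 event=login user=buildsvc result=success
host=db01 event=exec user=oracle exe=/usr/local/bin/helper signed=false
host=mail02 event=login user=root result=failure`

// Baseline is the reconciled configuration for one critical host: the
// directories its executables are expected to live in and the accounts
// allowed to log in.
type Baseline struct {
	ExeDirs []string
	Users   map[string]bool
}

type Finding struct {
	Host, Rule, Detail string
}

func (f Finding) String() string { return f.Host + " " + f.Rule + ": " + f.Detail }

// parseKV splits "k=v k=v ..." into a map; malformed tokens are ignored.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			kv[k] = v
		}
	}
	return kv
}

// Review applies the slide's checks to every line and returns the findings in
// log order. A host with no baseline cannot be reconciled and is flagged too.
func Review(log string, baselines map[string]Baseline) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev := parseKV(line)
		host := ev["host"]
		b, known := baselines[host]
		if !known {
			out = append(out, Finding{host, "unknown-host", "no baseline, cannot reconcile"})
			continue
		}
		switch ev["event"] {
		case "exec":
			dir, inBaseline := path.Dir(ev["exe"]), false
			for _, d := range b.ExeDirs {
				if dir == d {
					inBaseline = true
				}
			}
			if !inBaseline { // binary location is the giveaway
				out = append(out, Finding{host, "exec-outside-baseline", ev["exe"]})
			}
			if ev["signed"] != "true" {
				out = append(out, Finding{host, "unsigned-binary", ev["exe"]})
			}
		case "login":
			if !b.Users[ev["user"]] {
				out = append(out, Finding{host, "unauthorized-login",
					fmt.Sprintf("user=%s result=%s", ev["user"], ev["result"])})
			}
		}
	}
	return out
}

// DefaultBaselines is the constructed baseline for the sample hosts.
func DefaultBaselines() map[string]Baseline {
	return map[string]Baseline{
		"build01": {ExeDirs: []string{"/usr/bin", "/usr/sbin", "/bin"},
			Users: map[string]bool{"buildsvc": true, "alice": true}},
		"db01": {ExeDirs: []string{"/usr/bin", "/opt/oracle/bin"},
			Users: map[string]bool{"oracle": true, "dba": true}},
	}
}

func main() {
	for _, f := range Review(sampleLog, DefaultBaselines()) {
		fmt.Println(f)
	}
}
```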

Page 22

Control Use Cases

Page 23

Blocking Lateral Movement – Scoped Access with GPOs

Page 24

Network device product management

Only allow SSH From SCP

Programmatic Interface only from specific host servers

Page 25

MDM product management suite – Client and Management Traffic over HTTPS

Client App

Admin UI

App Replication

Page 26

Mail Server product management

Only allow SSH from SCP

BSDi Mail Appliance

Appliance

Mail Server

Only allow PowerShell from Prov Box

Page 27

Database

Page 28

Virtual Machine hosting product(s) management

UCS

VMWare or OpenStack/KVM

Tenant1

TenantX

Tenant3

Tenant2

CSG Common Identity or DSX

Commodity dual

Internal Admin Token

ACLs Blocking Admin Ports

SCP

Web Server Plugin

Infra Admin

Internal Tenant

Partner

Authentication Mechanism

Page 29

CSIRT Monitoring sso.yourcompany.com

Cisco Premise

Secure Cloud Administration – 3rd Party

Security Control Point aka Jump Box

Page 30

Application to Application

Page 31

Simple Application Credential Management

Application 1 Application B

Logged Sudo Access to Credential

Page 32

Remove the Credential From the Application

Get Creds

Application 1 Application B

Page 33

App to App – Target

OAuth Token request flow

Application 1 Application B

TLS Encrypted Tunnel

Machine Certificate

Machine Certificate

User JanDoe

Delegated JanDoe

Encrypted Storage

Page 34

Certificate Storage

• ACT2 Lite
• HSM
• TPM
• USB
• Files…

Page 35

Application to Application – Best Practice – pxGrid

Page 36

Cisco Platform Exchange Grid – pxGrid: Network-Wide Context Sharing

That Didn’t Work So Well!

pxGrid Context Sharing – Single Framework

Direct, Secured Interfaces

I have NBAR info! I need identity…

I have firewall logs! I need identity…

SIO

I have sec events! I need reputation…

I have NetFlow! I need entitlement…

I have reputation info! I need threat data…

I have MDM info! I need location…

I have app inventory info! I need posture…

I have identity & device-type! I need app inventory & vulnerability…

I have application info! I need location & auth-group…

I have threat data! I need reputation…

I have location! I need identity…

BENEFITS of pxGrid, it can…

• Establish that secure TLS tunnel for you

• Be leveraged as your communications bus with XMPP, including discovery of services available

• Verify integrity of each endpoint communicating in the Grid

• Be used without you writing *that* code

Page 37

ISE Integration

pxGrid

Radius

1. 802.1X

User Session

Publish: User, SGT, Device, Location

Auth

User Meta Data

User Group

ISE Server

Switch

Internet

FireSIGHT Management Center

Sensor

User Meta Data

Page 38

pxGrid

Certificate Registration

Page 39

pxGrid Certificate Security – 3rd Party Applications

• Bi-directional certificate authentication is better than one-way authentication with passwords

• Current pxGrid Java API stores certificates in files (JKS)

• If the certificates are not protected they become available to theft

Page 40

pxGrid Certificate Security – Future – 3rd Party Applications

• Ability to use OpenSSL SSLContext directives to specify cert context

• This could be HSM, TPM, USB, other

Page 41

pxGrid Certificate Security – Current – 3rd Party Applications

• Java API only supports JKS files

• JKS files and the passwords to open them must be protected

Page 42

pxGrid Certificate Security – Linux – 3rd Party Applications

• Place certificate password in a file

• Run your application with a dedicated account with no password and no default shell – “AppUser”

• Protect the storage of the password and JKS file with file system permissions like: AppUser rw- --- ---

• Require logged sudo to access those files

Page 43

Getting Started with pxGrid

Page 44

Getting started with pxGrid

• Install Java

• Download the SDK

• Download the Configuration and testing guide
  • Will walk you through using certificates, external data sources and tests

• Bourne Shell scripts to test connectivity and basic functions

• Code you can mess with to do the same in Java and C

Page 45

For Example – Query by IP

./session_query_by_ip.sh -a 10.0.0.37 -u dave -k myKeys.jks -p demoPas$ -t myKeys_root.jks -q demoPas$

-------properties -------
version=1.0.2-30-SNAPSHOT
hostnames=10.0.0.37
username=dave
group=Session
description=null
keystoreFilename=myKeys.jks
keystorePassword=demoPas$
truststoreFilename=myKeys_root.jks
truststorePassword=demoPas$
--------------------------
12:50:33.356 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Started
Connecting...
Connected
12:50:34.961 [Thread-1] INFO com.cisco.pxgrid.ReconnectionManager - Connected
IP address (or <enter> to disconnect): 10.0.0.15
Session=ip=[10.0.0.15], Audit Session Id=0A0000020000000F004BE344, User Name=jeppich, AD User DNS Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling station id=00:0C:29:79:02:A8, Session state=AUTHENTICATED, ANCstatus=null, Security Group=null, Endpoint Profile=Add_Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/43, RADIUSAVPairs=[ Acct-Session-Id=00000009], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 13:42:25 EDT 2015

Page 46

Called Source Code

// set configuration: hosts, identity, and the keystore/truststore the TLS tunnel is built from
TLSConfiguration config = new TLSConfiguration();
config.setHosts(hostnames);
config.setUserName(username);
config.setGroup(Group.SESSION.value());
config.setKeystorePath(keystoreFilename);
config.setKeystorePassphrase(keystorePassword);
config.setTruststorePath(truststoreFilename);
config.setTruststorePassphrase(truststorePassword);

Page 47

Called Source Code – Continued

// initialize pxGrid connection
GridConnection con = new GridConnection(config);
con.addListener(new SampleConnectionListener());

// use reconnection manager to ensure connection gets re-established
…

// create query we'll use to make call
SessionDirectoryQuery query = SessionDirectoryFactory.createSessionDirectoryQuery(con);

// look up the active session for the IP address the user typed
Session session = query.getActiveSessionByIPAddress(InetAddress.getByName(ip));
if (session != null) {
    SampleUtilities.print(session);
    System.out.println("");
} else {
    System.out.println("session not found");
}

Page 48

Example – Download Session Directory

./session_download.sh -a 10.0.0.37 -u dave -k myKeys.jks -p demoPas$ -t myKeys_root.jks -q demoPas$

…
Session=ip=[10.0.0.15], Audit Session Id=0A0000020000000F004BE344, User Name=jeppich, AD User DNS Domain=lab6.com, AD Host DNS Domain=null, AD User NetBIOS Name=LAB6, AD Host NETBIOS Name=null, Calling station id=00:0C:29:79:02:A8, Session state=AUTHENTICATED, ANCstatus=null, Security Group=null, Endpoint Profile=Add_Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/43, RADIUSAVPairs=[ Acct-Session-Id=00000009], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 13:42:25 EDT 2015

Session=ip=[10.0.0.37], Audit Session Id=0A0000020000000E004156F4, User Name=00:0C:29:87:8D:1F, AD User DNS Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station id=00:0C:29:87:8D:1F, Session state=STARTED, ANCstatus=null, Security Group=null, Endpoint Profile=VMWare-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/37, RADIUSAVPairs=[ Acct-Session-Id=00000005], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 09:41:25 EDT 2015

Session=ip=[10.0.0.3], Audit Session Id=0A0000020000000D00036A42, User Name=18:E7:28:2E:29:CB, AD User DNS Domain=null, AD Host DNS Domain=null, AD User NetBIOS Name=null, AD Host NETBIOS Name=null, Calling station id=18:E7:28:2E:29:CB, Session state=STARTED, ANCstatus=null, Security Group=null, Endpoint Profile=Cisco-Device, NAS IP=10.0.0.2, NAS Port=GigabitEthernet1/0/37, RADIUSAVPairs=[ Acct-Session-Id=00000007], Posture Status=null, Posture Timestamp=, Session Last Update Time=Thu Jul 23 09:43:42 EDT 2015

Page 49

Called Source Code

// iterate over every session updated between start and end that matches filter
SessionDirectoryQuery sd = SessionDirectoryFactory.createSessionDirectoryQuery(con);
SessionIterator iterator = sd.getSessionsByTime(start, end, filter);
iterator.open();

Date startedAt = new Date();
System.out.println("starting at " + startedAt.toString() + "...");

int count = 0;
Session s = iterator.next();
while (s != null) {
    // when testing performance, comment out the following line. otherwise
    // excessive console IO will adversely affect results
    SampleUtilities.print(s);
    s = iterator.next();
    count++;
    if (count % 1000 == 0) System.out.println("count: " + count);
}

Page 50

Quarantine That Machine by IP

// create query we'll use to make call
EPSClientStub stub = new EPSClientStub();
EPSQuery query = stub.createEPSQuery(con);

// quarantine ip addresses based on user input
try {
    query.quarantineByIP(ip);
} catch (GCLException e) {
    System.out.println("GCLException msg=" + e.getMessage());
}

Page 51

Un-Quarantine that Machine by MAC

// un-quarantine endpoints based on the mac addresses the user types in
Scanner scanner = new Scanner(System.in);
while (true) {
    System.out.print("mac address (or <enter> to disconnect): ");
    String mac = scanner.nextLine();
    if (mac == null || "".equals(mac)) break;
    try {
        query.unquarantineByMAC(mac);
    } catch (GCLException e) {
        System.out.println("GCLException msg=" + e.getMessage());
    }
}
scanner.close();

Page 52

pxGrid – More Information

• Development SDK and client information: https://developer.cisco.com/site/pxgrid/

Page 53

Image Verification

Secure Boot and ACT-2 Lite


Page 55

Secure Boot


Page 56

Page 57

Secure Boot Options

• Cisco Secure Boot – FPGA as the hardware anchor

• CPU Based – with CPU as the hardware anchor

• Bootcode Hardening – hardware anchor in boot flash

Page 58

Cisco Secure Boot Sequence


Page 59

ACT2 Lite Overview

Page 60

"ACT-2 provides the mechanism for the highest possible assurance for identity for our products."

– Bob Bell

Page 61

ACT-2 Lite Overview

Hardware Anchored Identity – Creating and installing an identity which is immutably and irrevocably linked to a specific hardware instance

Page 62

What is an ACT-2 Lite Chip?

• ACT-2 Lite is an initial step to solving the Hardware Anchored Identity issue

• ACT-2 Lite is composed of
  • A hardware component – ACT-2 Lite Chip
  • A software component – ACT-2 Lite Support Library
  • A mechanism to link and control device identity – Identity Insertion Process
  • Based on a commercially available smart chip and cryptographic library
  • Protects the identity credentials with smart chip measures

Page 63

What is an ACT-2 Lite Chip?

• Provides identity assurance that hardware and software on a device have not been tampered with or are in other ways counterfeit

• Has its own provisioned identity embedded in hardware (Hardware Anchored Identity)

• A device that can perform cryptographic functions

• Can provide secure storage for license keys and similar data

• Cannot be accessed by the end user

Page 64

ACT-2 Lite Capabilities

• To provide hardware anchored identity
  • X.509v3 identity certificates
  • RSA asymmetric cryptography
  • ECC asymmetric cryptography

• To provide limited cryptographic operations
  • keys do not leave the chip
  • encrypted data normally stored on chip but may be stored in host FLASH
  • performs HASH, HMAC, symmetric key cryptography, and asymmetric key cryptography

• To provide secure on-chip storage of information
  • access control based on roles
  • data encrypted at rest

• Entropy source
  • Contains a non-deterministic random bit source
  • Contains a FIPS approvable deterministic random bit source

Page 65

Things ACT-2 Can Do

• Manage its own users and objects stored in it

• Read information from and about the SUDI and the ACT-2 Chip

• Provide user resource utilization – EEPROM and RAM

• Create deterministic random numbers

• HASH functions

• HMAC functions

• Symmetric crypto functions

• RSA functions

• ECC functions

Page 66

Host to ACT-2 Lite Chip relationship diagram

Application Specific Hardware (e.g. switch ports and console interfaces)

Application Specific Host Processor (e.g. Intel Xeon chipset with RAM and FLASH)

ACT-2 Lite Support Library

ACT-2 Lite Chip

Page 67

ACT-2 Identity Insertion Process

Page 68

ACT-2 Lite Identity Insertion Process

• Ensures that there is a one-to-one mapping between identities issued and physical hardware instances

• Protects critical credential information from loss of confidentiality

• Provides for a constant tracking of the location of both ACT-2 Lite Chips and the associated Identities from the time the chip is manufactured until it is installed into a hardware instance of a product

Page 69

ACT-2 Identity Insertion Process

Chip Manufacturer
• Generates unique chip serial number
• Delivers eCSKMP to backend
• Delivers chips to CM

Cisco Backend (CBE)
• Generates SUDI Certificate during IIP
• Generates CLIIP offline from eCSKMP
• Handles the reconciliation for issuing new real time CLIIP files or new SUDI certificates

Auto Test
• Authenticate Manufacturing User through token
• Interface with UUT and CBE; pass CLIIP to Diags
• Request SUDI cert from CBE and pass SUDI to Diags

BU
• Receive CLIIP from Autotest and install in ACT-2 chip
• Generate SUDI request and pass to Autotest
• Receive SUDI cert and install in ACT-2 chip
• Authenticate the ACT-2 chip by validating that the SUDI and CLIIP certificates are correctly installed

Page 70

ACT-2 Lite Examples

Page 71

ACT-2 Basics

• ACT-2 is accessed through the TAM Library API

• You must first open (connect) the ACT-2 device and authenticate to it to perform operations

• Authenticating to it involves validating the product ID from the SUDI and the SN to complete the anti-counterfeit verification

• ACT-2 has its own users, admin and restricted, which must authenticate to it with PINs in order to access the chip

Page 72

RSA Key Generation and Private Key Encryption

/* generate the RSA key pair inside ACT-2; the private key never leaves the chip */
status = tam_lib_rsa_keypair_gen(tam_handle, session_id, key_length, e_value,
                                 TAM_LIB_ZEROIZE, TAM_LIB_MEM_RAM, &key_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}

/* encrypt the object orig_object_id with the private key; result is a new object */
status = tam_lib_rsa_private_encr(tam_handle, session_id, key_object_id,
                                  orig_object_id, &encr_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}

Page 73

RSA Public Key Encryption and Private Key Decryption

/* encrypt the object orig_object_id with the public half of key_object_id */
status = tam_lib_rsa_public_encr(tam_handle, session_id, key_object_id,
                                 orig_object_id, &encr_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}

/* decrypt it again on-chip with the private half; plaintext comes back as decr_object_id */
status = tam_lib_rsa_private_decr(tam_handle, session_id, key_object_id,
                                  encr_object_id, &decr_object_id);
if (status != TAM_RC_OK) {
    printf("\n%s-%u ERROR sid=0x%x status=0x%0x-%s",
           __FUNCTION__, __LINE__, session_id, status, tam_lib_rc2string(status));
    return (status);
}

Page 74: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


ACT-2 Lite Reference

http://wwwin.cisco.com/security-trust/trust_eng/tsi/tat/tam/act2/getting_started.shtml

Code Samples: EDCS-1272160

Page 75: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Protecting JKS file with ACT2

Assuming the application runs on a platform with ACT-2, one of the restricted users (an ACT-2 user role) can be set up as the keeper of the keys for the JKS file. The app first submits the JKS file to the ACT-2 under that restricted user role, where it is encrypted with a key maintained within the scope of the role. Later, when the file is to be used, the encrypted file is sent to the chip again under the scope of the restricted user role, which returns the decrypted form of the file; that copy is kept only in memory and is then submitted through the Java system for use. When it is done, the in-memory copy is either discarded (if clean) or re-encrypted (if dirty).

If they have a TPM, similar operations can be performed, but they are not as exclusive as the ACT-2 restricted user scenario presented above.

If they have no hardware crypto module, there is a software TAm, implemented as part of the TAM library, which, while not as secure as ACT-2, can provide software protections above the basic OS protections.
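The JKS protection lifecycle above, written out as an added Go example that is not part of the deck and does not use the TAM library. A RoleKeeper stands in for the restricted-user role that holds the wrapping key (derived here in software from the role name and PIN, as the software TAm fallback would have to, whereas the chip never releases its key); AES-GCM stands in for the chip's encryption operation; and the Session type implements the clean/dirty rule at release. The role name, PIN and keystore bytes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RoleKeeper stands in for the ACT-2 restricted-user role that owns the wrapping
// key. Here the key lives in process memory (the software TAm situation).
type RoleKeeper struct {
	role string
	aead cipher.AEAD
}

// NewRoleKeeper derives a demo wrapping key from role name and PIN (constructed).
func NewRoleKeeper(role, pin string) *RoleKeeper {
	k := sha256.Sum256([]byte(role + "\x00" + pin))
	block, _ := aes.NewCipher(k[:]) // 32-byte key: NewCipher cannot fail
	aead, _ := cipher.NewGCM(block) // AES block: NewGCM cannot fail
	return &RoleKeeper{role: role, aead: aead}
}

// Seal encrypts keystore bytes under the role's key, binding the role name as
// associated data so a blob sealed by one role will not open under another.
func (r *RoleKeeper) Seal(plain []byte) ([]byte, error) {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return r.aead.Seal(nonce, nonce, plain, []byte(r.role)), nil
}

// Open decrypts a blob from Seal; tampering or a role mismatch fails.
func (r *RoleKeeper) Open(blob []byte) ([]byte, error) {
	ns := r.aead.NonceSize()
	if len(blob) < ns+r.aead.Overhead() {
		return nil, fmt.Errorf("sealed keystore is truncated")
	}
	return r.aead.Open(nil, blob[:ns], blob[ns:], []byte(r.role))
}

// Session is the decrypted in-memory copy handed to the application.
type Session struct {
	keeper *RoleKeeper
	data   []byte
	dirty  bool
}

// Checkout decrypts the sealed keystore for use.
func (r *RoleKeeper) Checkout(blob []byte) (*Session, error) {
	plain, err := r.Open(blob)
	if err != nil {
		return nil, err
	}
	return &Session{keeper: r, data: plain}, nil
}

// Data exposes the plaintext for the Java side to load.
func (s *Session) Data() []byte { return s.data }

// Update replaces the in-memory keystore and marks the session dirty.
func (s *Session) Update(newData []byte) {
	wipe(s.data)
	s.data = append([]byte(nil), newData...)
	s.dirty = true
}

// Release ends the session: a dirty copy is re-sealed and the new blob returned;
// a clean one is discarded and the original blob stays valid. The plaintext is
// overwritten either way (best effort: the Go runtime may have copied it).
func (s *Session) Release(original []byte) ([]byte, error) {
	out := original
	if s.dirty {
		blob, err := s.keeper.Seal(s.data)
		if err != nil {
			return nil, err
		}
		out = blob
	}
	wipe(s.data)
	s.data = nil
	return out, nil
}

// wipe overwrites a plaintext buffer before it is dropped.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	keeper := NewRoleKeeper("restricted-jks-keeper", "1234") // constructed role and PIN
	blob, _ := keeper.Seal([]byte("constructed stand-in for a JKS keystore file"))
	s, _ := keeper.Checkout(blob)
	s.Update([]byte("keystore after a key rotation"))
	resealed, _ := s.Release(blob)
	fmt.Println("dirty release produced a new blob:", string(resealed) != string(blob))
}
```

Two design points carry over to the hardware case: a fresh nonce on every re-seal means a re-encrypted keystore never reuses ciphertext, and binding the role name as associated data is the software analogue of the chip refusing to service a key outside the scope of the role that owns it.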

Page 76: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Cisco Common Security Modules

Page 77: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Common Security Modules

• CiscoSSL – SSL and TLS support functions based on OpenSSL, enhanced with functions to reach FIPS compliance

• CiscoSafeC and CiscoJ – Secure development libraries (C and Java) for reaching FIPS compliance

• Cisco RA – Cisco Registration Authority (CiscoRA) is a common security module that provides registration authority services in a public key infrastructure (PKI). CiscoRA has several possible use cases

• Cisco EST – Implementation of Enrollment over Secure Transport (EST), a newly defined certificate enrollment protocol (IETF RFC 7030)

• Cisco TAM – Trust Anchor module (TAm) for accessing ACT-2 Lite chips

• Cisco SSM – The Cisco Secure Storage Module (CiscoSSM) is a lightweight alternative to the Trust Anchor module (TAm) services

Page 78: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


CSM Reference Architecture

Page 79: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Cisco RA Reference Architecture

Page 80: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Cisco EST Reference Architecture

Page 81: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Common Security Modules Reference

https://cisco.jiveon.com/groups/common-security-modules/pages/software-documentation-release-info

Page 82: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive


Page 83: Targeted Threat (APT) Defense for Applications Featuring pxGrid: a deep dive

Thank you


[email protected]