Smart, Infrastructure-Based Network Security with Cisco DNA. Jaemi Lee, Director (jaemlee@cisco.com), Systems Engineer, Solution SE; Jongman Kim, Director (jongmkim@cisco.com), Consulting Engineer, Security Specialist
What did this man I met on the subway do this evening? 10 p.m., on the subway: loosened tie, staggering, red face, smelling of beer and grilled meat.
How do we arrive at the answer? Inference: reasoning from what we know to what we do not.
Network traffic trends - HTTPS traffic growth. SSL/TLS encrypted traffic grew 90% year over year from July 2015 to July 2016.* The share rose from 21% to 40% in one year (chart: 21% in 2015, 40% in 2016, 75% projected), and Gartner research estimates 80% by 2019. 77% of traffic to Google servers was encrypted (2016), as was 97% of YouTube traffic. * Source: NSS Labs 2019
Cisco's new DNA (Digital Network Architecture): DNA Center (Policy, Automation, Analytics) sits above an Intent-based Network Infrastructure spanning DC, Campus and Branch, in a cycle of Learning, Intent, Context and Security.
Cisco's new DNA (Digital Network Architecture): Enhanced Network as a Sensor - Cisco Encrypted Traffic Analytics
Security Solution Specialist: Jongman Kim, Director
Network traffic trends - encrypted attacks: 81% of organizations have experienced a cyber attack; 41% of attacks used encryption to evade detection; 64% of encrypted attacks went undetected.
Traditional defense against encrypted attacks - Decrypt: Web Proxy, NGFW
Decryption with a proxy - MITM: the Client sends a ClientHello to the TLS proxy; the proxy sends its own (or a modified) ClientHello to the Server; the Server answers with ServerHello and ServerCertChain; the proxy validates the server certificate, generates a spoofed certificate signed with the proxy's private key, and presents that spoofed certificate to the Client.
Limitations of decryption: Certificate Pinning (RFC 7469), Strict Pinning, HSTS (HTTP Strict Transport Security, http://tools.ietf.org/html/rfc6797)
Defense against encrypted attacks (non-decrypt): behavior-based analysis (machine-learning based)
Use all available behavioral information. Existing flow monitoring exports srcip, dstip, srcport, dstport, prot, starttime, stoptime, numbytes, numpackets through the Observation -> Exporter -> Collection -> Analysis -> Storage pipeline. ETA adds further observations: encrypted-data information (IDP, SPLT), threat intelligence, and context information (DNS/HTTP).
The ETA algorithm for high accuracy - data samples from the Cisco security research team. Inputs: TCP/IP, TLS (IDP), SPLT (Sequence of Packet Lengths & Times), DNS. Threat traffic shows addresses on suspicious-threat lists (c15c0.com, afb32d75.com), abnormal patterns (C2 Message, Data Exfiltration) and unverified certificates (Self-Signed Certificate, Bestafera). Normal traffic shows legitimate service addresses (cisco.com), normal patterns (Google search) and safe certificates.
What additional information is used? The Initial Data Packet (IDP): the TLS ClientHello narrows the set of possible clients down to the true client. Extract and use as much unencrypted information as possible (e.g. client version v: 1.0.1r).
What additional information is used? Inter-packet timing and lengths within the session (SPLT): the content type is inferred from the pattern of packet gaps and lengths within a session. Google Search: Initial Page Load, Page Refresh, Autocomplete. Bestafera: C2 Message, Data Exfiltration, Self-Signed Certificate.
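As an added example (not code from the slides or from Cisco's ETA implementation), this shows how SPLT features can be derived from a flow's first packets, in the style of the contextual-flow features of Anderson and McGrew cited later in the deck; the bin sizes, the packet count and the two sample flows are constructed assumptions.

```python
# Added example (not Cisco's code): SPLT feature extraction. The lengths and
# inter-arrival times of a flow's first N packets are binned and turned into
# Markov transition matrices a classifier can consume (assumed bin layout).

N_PACKETS = 10               # number of leading packets exported as SPLT
LEN_BIN = 150                # 150-byte bins -> 10 bins up to 1500 bytes
TIME_BINS_MS = (50, 100, 200, 500, 1000, 5000, 10000, 50000)  # 9 time bins

def splt(packets, n=N_PACKETS):
    """packets: list of (t_ms, direction, length), direction 1 = client->server,
    -1 = server->client. Returns [(signed_length, gap_ms), ...] for first n."""
    seq, prev = [], None
    for t, d, length in packets[:n]:
        seq.append((d * length, 0 if prev is None else t - prev))
        prev = t
    return seq

def len_bin(signed_len):
    return min(abs(signed_len) // LEN_BIN, 1500 // LEN_BIN - 1)

def time_bin(gap_ms):
    return sum(1 for edge in TIME_BINS_MS if gap_ms >= edge)

def transition_matrix(bins, n_bins):
    """Row-normalised Markov transition matrix over consecutive bin pairs."""
    m = [[0.0] * n_bins for _ in range(n_bins)]
    for a, b in zip(bins, bins[1:]):
        m[a][b] += 1
    for row in m:
        s = sum(row)
        if s:
            row[:] = [v / s for v in row]
    return m

def splt_features(packets):
    """Length-transition and time-transition matrices for one flow."""
    seq = splt(packets)
    lens = [len_bin(l) for l, _ in seq]
    gaps = [time_bin(g) for _, g in seq[1:]]   # first packet has no gap
    return (transition_matrix(lens, 1500 // LEN_BIN),
            transition_matrix(gaps, len(TIME_BINS_MS) + 1))

# Constructed samples (not captured traffic). A page load: a few requests
# followed by bursts of full-size responses. A beacon: small, fixed-size
# request/response pairs repeating on a 5-second timer.
PAGE_LOAD = [(0, 1, 517), (2, -1, 1460), (3, -1, 1460), (4, -1, 800),
             (5, 1, 126), (30, 1, 350), (60, -1, 1460), (61, -1, 1460),
             (62, -1, 1460), (63, -1, 920)]
BEACON = [(5000 * (i // 2), 1 if i % 2 == 0 else -1, 120 if i % 2 == 0 else 96)
          for i in range(10)]
```

The beacon flow concentrates all length transitions in the smallest bin and alternates between two time bins, while the page load spreads across the large-length bins; that difference is what the classifier learns from.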
What additional information is used? The threat intelligence map: analysis is based on a threat map built from many years of data, with behavior-based information about servers on the Internet. HTTP headers: Method, URI, Version, Accept, User-Agent, Host, Connection, cookie (each with its value). DNS response: Query and Answer, each with Name, Type, Class, Time to Live, Data Length, Data.
Behavior-based analysis: accuracy. Data collected from August 2015 to February 2017. Malware traffic: ThreatGrid pcaps (~5,000 per day), 482,188 TLS flows. Normal traffic: two networks (~500 users each), 1,955,598 TLS flows (sampled). FNFv9, SPLT and IDP features feed Training / Storage and a Classifier / Rules stage that labels each flow malware or normal.
Behavior-based analysis: results. [Plots: accuracy (%) versus classifier threshold (0.5, 0.75, 0.9, 0.95, 0.99) on malware samples for FNFv9 + SPLT; for FNFv9 + SPLT + TLS; and for FNFv9, + SPLT, + TLS, + DNS/HTTP.]
Malware Family  | FNFv9 + SPLT | FNFv9 + SPLT + TLS
Bergat*         | 100.0%       | 100.0%
Sality*         | 95.0%        | 97.7%
Dridex          | 16.5%        | 78.5%
Skeeyah         | 95.9%        | 98.6%
Virlock         | 100.0%       | 100.0%
ETA test result summary: characteristic data was extracted and collected from known malware and from normal HTTPS traffic, and machine learning was applied to build the detector; known malware was detected with 99% accuracy. Identifying Encrypted Malware Traffic with Contextual Flow Data, AISec '16, Blake Anderson, David McGrew (Cisco Fellow)
Cryptography master: David McGrew (Cisco Fellow)
Cisco ETA solution: ETA collection (network-based collection, export of encrypted-traffic information) and Cisco Cloud Analytics (malware detection and blocking, fast detection, high accuracy).
Cisco ETA solution: the network sensor (Cat 9K) exports NetFlow data plus ETA information to the collector; Cognitive Analytics (cognitive.cisco.com, over HTTPS) analyzes the encrypted traffic; Stealthwatch presents the visibility at a glance. Telemetry sources: Netflow, Enhanced Netflow, Netflow + Proxy telemetry, Crypto audit telemetry.
Data collection for ETA analysis (Catalyst 9000): the Catalyst 9K series exports the encrypted-traffic information, using the network as an ETA sensor. Full NetFlow based Behavior Analytics, Encrypted Traffic Analytics, Policy Enforcement Analytics.
Analyzing encrypted traffic (Cognitive Analytics): cloud-based threat analysis and model-based high-performance analysis - anomaly detection, trust modeling, classification, entity modeling, relationship modeling. Clusters (Cluster 1, 2, 3) pass through classifiers (Classifier X, A, H, Z, K, M) to produce DETECTED threats (unique) and CONFIRMED threats (spanning multiple users). Scale: 10B requests per day, of which +/- 1% is anomalous, yield 10M events per day and 1K-50K incidents per day, with near real-time processing.
Visualizing the analyzed information (Stealthwatch): Stealthwatch with Cognitive Analytics, expanded CTA dashboard view.
ETA detailed analysis example: a THREAT at 100% confidence AFFECTING winnt://emea\user1, with Activities (8), Domains (8), IPs (8) and Autonomous systems (5). The activities include "Url string as comm" to two addresses classified as Encrypted Command & Control (hosted at LeaseWeb B.V. and intergenia AG) and "Http traffic to ip addr" to several hosted addresses (Amazon.com, Inc; Qwest communication; Amazon.com Tech Tel), each accompanied by the long encoded URL strings used for communication.
See the Unseen Demo
Summary
Cisco's new DNA - the ETA trio: the smart network; Cognitive Analytics, the security master's premium analysis engine; and the solid bridge that turns the data into a gem.
A smart network makes smart security.
See the unseen through what is visible! Cisco ETA: a network that judges and evolves on its own.