Suspicious Registry Keys and Requested files: A Threat Grid Case Study - Cisco Certifications

Threat Grid’s detections and indicators are created by the Research and Efficacy Team, or RET. The RET’s primary objective is to improve the detection rate of Threat Grid. As such we have to keep up with new malware campaigns and exploitation techniques. This often requires manual analysis of samples, which is an incredibly time-consuming process. As part of this duty, we must make use of automation tools to speed up our analysis. Threat Grid is chief among those tools, and we will be discussing an example where Threat Grid highlighted everything necessary to make a determination on a file.

The sample in question at first glance appears to have barely executed.  Threat Grid did convict the file, but not in the way or for the reasons we would expect. I dug into the sample in more detail to find out why.  A sample that is convicted due to static analysis only but exhibiting little dynamic behavior is indicative of evasive malware and warrants further examination by our team. To start off I checked into each indicator to determine, at the highest level, what has gone on.

Checking the AV indicator revealed that there were a great many hits on this file, and as such the chance of a false positive is low. The next three indicators triggered on the same two executables, both of which were placed in the AppData folder.

While the naming on the two files is odd and seemingly composed of arbitrary characters, it is far from enough to make a decision on the sample yet. However, the next three indicators again pertained to the same two executables, which supported the hypothesis that these oddly named files are malicious.

After all the indicators regarding the sample and its two created files, the next indicator in the list above is “DNS Query Returned Non-Existent Domain”. This can happen for primarily one of two reasons – the sample is either looking for command and control services that have either not yet been set up or have been already taken down, or the mere existence of the domain is being used as a signal to trigger an action, typically an abort or a proceed. With the abort option, the domain functions in essence as a killswitch; with the proceed option it is the opposite and the malware will “lay low” so as to not attract attention until the malware author or owner wants to activate it. Either way, this activity warrants further investigation of the sample – neither of these reasons are typically indicators of benign intent.

The remaining indicators on the report provided little additional info as the two executables were already suspicious enough to investigate.

The network section of the report was also of little use in this case, since as we mentioned above, the domain did not resolve, and so no important communications were established.

The process section can be incredibly useful but can easily overwhelm a user with the sheer amount of data available under each process. As such I typically do a first pass looking only at the names and number of processes and return later if applicable. In this case nothing stood out. I apply the same principle to the artifact section, where again nothing stood out besides the names of the two executables.

Proceeding to the Registry Activity section of the report proved to be very interesting. The sample created a rarely-used registry key with an executable path as its data. It was via review of Threat Grid analyses that we discovered this unusual and typically maliciously-used run key, and because of this discovery the system now flags such usage as suspicious via a Behavior Indicator created for that purpose.  As it turns out, the data points to one of the oddly named executables we saw earlier. This type of run key coupled with the suspicious features of the executable is indicative of malicious behavior.

Our experts say about Cisco Certification Exams

Moving Towards The Zero Trust Cybersecurity Framework - Cisco Certifications

The original Zero Trust model was conceived by Forrester, and leveraged by Google as part of their BeyondCorp initiative. Gartner has their framework called Continuous Adaptive Risk and Trust Assessment (aka. CARTA). These trust-centric approaches shift access decisions based on network topology to authorized users and devices.

The first step towards establishing trust-centric security should be an investigation and analysis of what your sensitive data is, where it lives, who accesses it, and who might like to steal it.

You should leverage the resources and technologies you already have in place to keep changes and costs to a minimum. Cisco Advanced Security Services has the expertise to help you with the analysis, strategy, design, pilot, and implementation. You’ll understand where your gaps exist against any trust-centric approach. We’ll help you address some in the first few weeks and create a 1-3 year plan for the rest leveraging the Cisco Trusted Access portfolio.

Zero Trust is a New Way to Look at Security

The specific use cases that must be addressed will often be different by organization. Before moving to the more complex use cases, consider these capabilities:

• Inventory of your hardware, software, patches, and network flows
• Identify and catalog your sensitive data and map how it flows between assets 
• Rank your top 50 pieces of sensitive data and understand where it resides
• Knowing your top risks (e.g. threats, brand image, fines, compliance)
• Who is after your data and how capable they are
• Authentication of your users, devices, and workloads
• Enterprise-wide policy with an automated rule base—as much as possible
• Segmentation
• Privilege escalation monitoring
• Continuously monitor and mitigate your trusted ecosystem

Start with the key use cases your organization must address first: contractors, East-West traffic, Continuous Diagnostics Mitigation (CDM), compliance. Prioritizing use cases will help you list the capabilities that will be required, including which products and services you’ll need. Adopting Zero Trust will help you secure your infrastructure, yet provide depth to your existing security architecture. Adhering to standards-based cybersecurity frameworks (CIS 20, NIST 800, ISO 27000 family) with Zero Trust provides a comprehensive safety net.

Be sure to review the Google BeyondCorp implementation of Zero Trust, which Duo Security productized (read their ebook). And how Gartner’s CARTA framework says to start two Zero Trust projects in 2019: [1] establishing software-defined perimeters for users accessing any app, on any device, in any location; and [2] implementing app micro-segmentation for workloads running across multicloud and on-premises data center infrastructures. You can download Gartner’s full report “Zero Trust is an Initial Step on the Roadmap to CARTA” here.

A few key steps you need for all of them include privilege escalation monitoring, integrity monitoring, watching out flows, app security, and more (out of scope for a short blog). So, don’t rely on any one of these frameworks to be the answer.

Ideally, after you work on the above, start discussing your plans to get moving to self identification and automation to reach the next Zero Trust maturity level.  Realize that cloud-based and containerized workload use cases aren’t going to wait, and thus, several parallel engagements will happen.

We titled this blog “Moving Towards The Zero Trust Cybersecurity Framework”, so, the first move is completing a workshop with Cisco Advanced Services. We’ll help you learn your key use cases, your gaps, and what you already have. Then, how to best address these gaps and prioritize your efforts. This end-to-end approach takes into consideration the core principles that make up Zero Trust to ensure you’ll achieve the desired outcomes:

1. Identify and catalog your sensitive data (later, at a metadata repository level)
2. Map the data flows of your sensitive data and store them
3. Architect your Zero Trust network based on data sources and the way they are used transactionally
4. Create your automated rule base and then later move to analyze the metadata and rules
5. Continuously monitor your trusted ecosystem by inspecting and logging the traffic, and updating rules based on behavioral analytics

Segmentation is a Key Part of Zero Trust

Cisco’s Security Segmentation advisory services (read this at-a-glance) will help you develop a strong strategy around security, compliance, and threat management. To be able to logically segment your infrastructure you need four key capabilities: (1) trusted identity, (2) isolation, (3) policy enforcement, and (4) visibility.

By combining the experience of Cisco Advanced Services with the portfolio of Cisco Trusted Access, we’ll evolve your cybersecurity maturity to a threat- and trust-centric approach. Reach out to our services account team so we can help.

Our experts say about Cisco Certification Exams

Cisco Certified Architect Exam Topics - Cisco Certifications

Cisco Certified Architect Exam Topics

Exam Sections and Sub-task Objectives

1.Gather, clarify, and analyze requirements

   a. Gather, clarify, and analyze business requirements

i.Recognize critical requirements (stated and implied)

ii.Recognize noncritical requirements (stated and implied)

iii.Identify and gather missing information

iv.Identify and clarify ambiguous information

v.Identify and resolve conflicting information and requirements

vi.Demonstrate knowledge of the business

vii.Decompose requirements and problems into component parts

viii.Recognize and/or clarify CAPEX parameters (e.g., equipment costs, capital software costs,                  capital facility expenditures)

ix.Recognize and/or clarify OPEX parameters (e.g., software tooling changes, leases, retraining,               staffing, support contracts, utilities, licensing and hosting)

x.Recognize, challenge, and resolve unrealistic requirements (e.g., common-case vs. worst-case               scenario)

b. Gather, clarify, and analyze technical requirements

i.Recognize critical requirements (stated and implied)

ii.Recognize noncritical requirements (stated and implied)

iii.Identify and gather missing information

iv.Identify and clarify ambiguous information

v.Identify and resolve conflicting information and requirements

vi.Leverage existing network documentation to gain understanding of the current network and how it supports the business

vii.Decompose requirements and problems into component parts

viii.Recognize, challenge, and resolve unrealistic requirements (e.g., common-case vs. worst-case scenario)

c. Align business and technical goals and direction

i.Map technical solution to business impact

ii.Map business needs and requirements to technology

iii.Recognize the relationship between technical and business requirements

iv.Map business continuity requirements to the network architecture

v.Establish a vision and strategy for the network with clarity and completeness

vi.Analyze and estimate various impacts on the network from a change in business structure or process

vii.Analyze and estimate the SLAs required by the business and evaluate the impact of outages

viii.Recognize, challenge, and resolve unrealistic requirements (e.g., common-case vs. worst-case scenario)

d. Perform cursory rough estimations for new or changing requirements and/or informal what-ifs and requests

i.Recognize the impact on the existing network and how it currently supports the business

ii.Estimate the general implementation cost and time frame

iii.Estimate project feasibility and practicality (including assumptions of parameters and constraints that impact the two)

iv.Provide an opinion of how the request does or does not align with network and business goals (both current and future)

v.Recognize and/or clarify CAPEX parameters (e.g., equipment costs, capital software costs, capital facility expenditures)

vi.Recognize and/or clarify OPEX parameters (e.g., software tooling changes, leases, retraining, staffing, support contracts, utilities, licensing and hosting)

2.Develop a functional specification for the network

a. Devise a solution

i.The complexity of the network is appropriate for the business requirements

ii.The survivability of the network is appropriate for the business requirements

iii.The scalability of the network is appropriate for the business requirements

iv.The manageability of the network is appropriate for the business requirements

v.The security of the network is appropriate for the business requirements

vi.The performance of the network is appropriate for the business requirements

vii.The cost of the network is appropriate for the business requirements

b. Perform risk analysis

i.Technologies

ii.Security

iii.Legal

iv.Dependencies (e.g., outsourcing to third parties, training, tools, provisioning)

3.Create a road map

a.Create a migration and transition strategy

i.Account for long-term requirements

ii.Perform and account for risk analysis

iii.Minimize the negative impact on existing services

iv.Identify parties responsible for design, implementation, and operation tasks

v.Strive for ease of implementation

4.Convey decisions and rationale (written and verbal)

a. Communicate to a business audience

i.Articulate business problems, requirements, and constraints

ii.Articulate technical problems, requirements, interdependencies, and constraints

iii.Communicate the business strategy and direction

iv.Communicate the risks and benefits

v.Communicate with specificity rather than generality (e.g., “does not scale because…” rather than simply “does not scale”)

vi.Communicate the rationale for decisions clearly and confidently

vii.Accept, think about, and respond to changing requirements, criticisms, questions, and challenges in a timely and positive (not arrogant or defensive) manner

viii.Influence others

b. Communicate to a technical audience

i.Articulate business problems, requirements, and constraints

ii.Articulate technical problems, requirements, interdependencies, and constraints

iii.Communicate business strategy and direction

iv.Communicate risks and benefits

v.Communicate with specificity rather than generality (e.g., “does not scale because…” rather than simply “does not scale”)

vi.Communicate the rationale for decisions clearly and confidently

vii.Accept,think about,and respond to changing requirements, criticisms, questions, and challenges in a timely and positive (not defensive) manner

viii.Influence others

5.Demonstrate technical expertise

a. Technical expertise

i.Demonstrate conceptual knowledge of a wide array of network technologies (e.g., Layer 3 routing, tunneling, security, network management)

ii.Demonstrate conceptual knowledge of places in the network (e.g., data center, WAN, campus)

iii.Demonstrate conceptual knowledge of a wide array of applications on the network (e.g., voice, video)

iv.Demonstrate conceptual knowledge of interactions between components and technologies

v.Demonstrate knowledge of current and future directions of technologies, places in the network, and applications

vi.Demonstrate detailed knowledge of a range of network technologies applicable toinfrastructure design (e.g., Layer 3 routing, tunneling, security, network management)

Success Secrets: How you can Pass Cisco Certification Exams in first attempt 

Cisco Certified Architect Exam Guideline - Cisco Certifications

Cisco Certified Architect

Cisco Certified Architect is the highest level of accreditation achievable within the Cisco Career Certification program. CCAr recognizes those who can effectively translate complex business strategies into infrastructure requirements and clearly communicate and advocate the proposed architecture

About the Board Exam

The Cisco Certified Architect Board Exam requires qualified candidates to develop and defend a network architecture that can effectively support a given set of realistic business requirements.  Candidates first submit an application summarizing their project experience and other qualifications and are interviewed by the Cisco-designated Architecture Board team members.  Candidates shall not submit project experience related to any classified projects. Submission of classified project information will be cause for immediate disqualification. Once approved, candidates will be given an architecture challenge and will meet live with Board members to answer questions and defend their design. The board exam and associated documentation are administered in English. No translators are allowed.

Exam Availability

Board examinations are held one or two times a year, as demand requires.  Due to the intensive evaluation process, only one or two candidates are accepted for each examination period.  View the CCAr Certification Timeline for more information on exam availability.

Cost

The total cost of the CCAr Board Exam is US $15,000 and is paid in two parts.  An initial fee of US$3,750 is paid to review the candidate’s qualifications and conduct the initial interview.  Once approved, candidates submit a final fee of US$11,250.00 to receive the architecture challenge documentation and schedule a live Board Review.

Exam Location

Currently, the exam is only offered in one preselected U.S. location each time it is administered.  Qualified candidates will be provided additional information at the appropriate time.

Board Exam Results

Exams are scored by the Architect Board members according to predefined rubrics based on the posted Board Exam Topics.  Candidates receive a Pass or Fail score and are notified by email no later than 14 business days after the live Board Review.  Candidates with a passing score immediately become Cisco Certified Architects and receive their official certificate in the mail within 30 days.

Success Secrets: How you can Pass Cisco Certification Exams in first attempt