A Deep Dive into the Firepower Manager
William Young, Security Solutions Architect
[email protected] @WilliamDYoung
BRKSEC-2058
Just some Security Guy
• William Young
• Security Solutions Architect, Cisco
• 26 Years in Security
• 13 Years working with “Sourcefire” / “Firepower”
• Focus areas:
  • Security Operations
  • Policy & Compliance
  • Threat Forensics and Investigation
  • Hacker: Or just some guy that breaks stuff
BRKSEC-2058
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
4
Cisco Firepower Sessions: Building Blocks
• BRKSEC-2056: Threat Centric Network Security (Tuesday 11:15)
• BRKSEC-2050: ASA Firepower NGFW typical deployment scenarios (Tuesday 14:15)
• BRKSEC-2058: A Deep Dive into using the Firepower Manager (Tuesday 16:45)
• BRKSEC-3032: NGFW Clustering Deep Dive (Wednesday 9:00)
• BRKSEC-3035: Firepower Platform Deep Dive (Thursday 9:00)
• BRKSEC-3455: Dissecting Firepower NGFW (FTD+FPS) (Friday 9:00)
Agenda
• Introduction
• Understanding Events in the Firepower Management Center
• Workflows
• Custom Tables
• Walking through a Breach
• Leveraging the Dashboard
• Security Automation (Orchestration)
  • Recommended Rules
  • Correlation Rules
  • Automating Remediation (Remediation API)
• Reporting Matters
• Close
Do you really know Firepower Manager?
More than just:
• A policy configuration tool for NGFW / NGIPS
• A quick way to see the context / composition of your network
• A tool to “check-on” your intrusion events
Creating a deeper value than ”just threat protection”
Firepower Management Center (FMC) manages threat detection. It also:
• Puts threat into context within YOUR unique network.
• Provides actionable security, network, and business data.
• Can allow “Security” to come out of the “Dog House” by supporting multiple business outcomes.
• Creates automation in your ”threat hunting”.
• Bends itself to your organization’s workflow, or automates that workflow.
Key Takeaways
At the end of the session, you will start to:
• understand how automatic correlation REALLY works: Impact Flags & Indications of Compromise (IOCs).
• know which security events need to be investigated first, and why.
• begin using correlation policies and system APIs to automate your security workflow.
• understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise.
Session map: Introduction · Understanding Events · Walking the Breach · Security Automation · Reporting · Close (➥ Recommended Rules ➥ Workflows ➥ Custom Tables ➥ Correlation Rules ➥ Remediation API ➥ The Dashboard)
Understanding Events in the Firepower Management Center
• Event Source Matters
• Understanding Data
• Misunderstood Data
Visual Guide to Firepower Event Sources (diagram; only the labels survive)
Detection sources: Security Intelligence, Traffic Normalization, DNS Sinkhole, SSL Decrypt, URL, Application Detection, Network Discovery, Identity, File Detection, AMP, IPS Engine (Snort®), AMP 4 Endpoints
Event types: Security Intelligence events, Connection Events, Discovery Events, Intrusion Events, File Events, Malware Events
Derived context: User Activity, Servers, Applications, Application Details, File Info, File Trajectory, Host Profiles, Host Attributes, Indications of Compromise
Supplemental Data: Geo IP Data, CVE / Vuln Data, IP Reputation Data, URL Data
Indications of Compromise
Leverages correlation of multiple event types, such as:
• Impact 1 & 2 events
• CNC connection events (IPS)
• Compromise events (IPS)
• Security Intelligence Events
• AMP for Endpoint Events
• AMP for Network (includes some file events)
• Built in Cisco correlation rules
Goal: 1. FIX THIS NOW 2. What needs to be fixed 3. How to fix
What makes an Intrusion Event
• Structure and Content Testing
• Snort® rules use variables to determine “directionality”
  • $EXTERNAL_NET -> $HOME_NET (inbound)
  • $HOME_NET -> $EXTERNAL_NET (outbound)
• TCP based events from the Snort® Engine are based on ESTABLISHED sessions (state established)
  • Reduces false positives
★ IPS events are generated when sessions ARE THROUGH the perimeter

What makes a Host Profile
• Passive data collection (network packet analysis)
• “State” table based on Discovery Events
• Server Services:
  • TCP based: respond to connections (TCP request responses map to Server Port)
  • UDP based: initiate UDP packets (UDP requests sent map to Server Port)
• Applications (generally TCP) detected during session initiation from host.
Understanding directionality is key to Impact Flags
The Host Profile: End Point Context (screenshot: Applications)
Understanding Impact Flags (diagram)
Intrusion Event fields matched: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Snort ID, CVE
Host Profile fields matched: IP Address, User IDs, Operating System, Client / Server Apps, Client Side Ports, Server Side Ports, Services, Protocols, Potential Vulnerabilities, CVE
Special host states: [Outside Profile Range], [Host not yet profiled]; IOC: Predefined Impact

Impact Flag | Action | Why
1 | Act immediately. Host vulnerable or compromised. | Host vulnerable to attack or showing an IOC.
2 | Worth investigation. Host exposed. | Relevant port or protocol in use but no vuln mapped
3 | Good information: event may not have connected | Relevant port not open or protocol not in use
4 | Good information: host is currently not known | Previously unseen host within monitored network
0 | General info†† Event outside profiled networks | Event occurred outside profiled networks
†† If you have a fully profiled network this may be a critical event!
Unique Events: Correlation & White List Events
FMC Events → Discovery Events → Host Profile Changes → White List Events; Correlation Rules → Correlation Events
Correlation Events: Internal events based on boolean conditions within and across multiple event databases within the FMC. [Tip: Correlation Rules can monitor changes in flow!]
White List Events: Internal events based on changes to individual or grouped host Profiles. First step in creating automated response!
Walking through a breach
Stages of Incident Handling (SANS Institute): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Identification, as walked through in this session:
• Decide on which events to focus on first
• Drill into a specific event
• Validate the breach
• Leverage documentation
• Leverage additional forensics
• Explore your remediation options
• Remediate
• Automate as many decisions or actions as possible.
Order of Investigation† (Goal: Getting to Remediation)
Axis: Data Collection → Incident Response → Remediation
• You’ve been Owned!: Indication of Compromise
• Under Attack: Impact 0, Impact 1
• Research & Tuning: Impact 3 (then 2), Impact 4
• Correlation Rules
Qualifiers: “Critical Assets”; Not Blocked vs Dropped; Internal Source vs External Source
† may vary based on corporate priority
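As an added example (not code from the session, from Cisco, or from the FMC), the impact-flag table from the Understanding Impact Flags slide and the order of investigation on this slide expressed as a small Python triage routine. The host profiles, events and field names are constructed; two points are assumptions rather than statements from the slides: the flag is evaluated against the profile of the session’s destination host (the attacked host), and within “Under Attack” Impact 1 is ranked ahead of Impact 0.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data (not an FMC export). HOME_NET stands in for $HOME_NET,
# i.e. the profiled network range; anything else is "outside profiled networks".
HOME_NET = [ip_network("10.1.0.0/16")]


@dataclass
class HostProfile:
    tcp_server_ports: set = field(default_factory=set)  # TCP ports that responded to a request
    udp_server_ports: set = field(default_factory=set)  # UDP ports seen sending UDP packets
    vulns: set = field(default_factory=set)             # CVEs mapped to this host
    ioc: bool = False                                    # host currently shows an IOC


PROFILES = {
    "10.1.2.10": HostProfile({22, 443}, set(), {"CVE-2014-4123"}),
    "10.1.2.20": HostProfile({80}, {161}, set()),
    "10.1.2.30": HostProfile({443}, set(), set(), ioc=True),
}


def in_home_net(ip):
    return any(ip_address(ip) in net for net in HOME_NET)


def direction(event):
    """Snort-style directionality from $HOME_NET membership of both endpoints."""
    src, dst = in_home_net(event["src"]), in_home_net(event["dst"])
    if src and not dst:
        return "outbound"   # $HOME_NET -> $EXTERNAL_NET
    if dst and not src:
        return "inbound"    # $EXTERNAL_NET -> $HOME_NET
    return "internal" if src else "outside"


def impact_flag(event):
    """Assumption: the flag is derived by matching the event against the
    profile of the session destination (the attacked host)."""
    target = event["dst"]
    if not in_home_net(target):
        return 0            # event occurred outside profiled networks
    host = PROFILES.get(target)
    if host is None:
        return 4            # previously unseen host within the monitored network
    if host.ioc or event.get("cve") in host.vulns:
        return 1            # host vulnerable to attack or showing an IOC
    ports = host.tcp_server_ports if event["proto"] == "tcp" else host.udp_server_ports
    if event["dst_port"] in ports:
        return 2            # port / protocol in use, but no vulnerability mapped
    return 3                # relevant port not open or protocol not in use


# Order of investigation from the slide: IOC first, "Under Attack" (Impact 1 and 0,
# 1 ranked first by assumption), then "Research & Tuning" (Impact 3, then 2, then 4).
ORDER = {"ioc": 0, 1: 1, 0: 2, 3: 3, 2: 4, 4: 5}


def triage_key(event):
    rank = ORDER["ioc"] if event.get("ioc") else ORDER[impact_flag(event)]
    # Qualifiers from the slide used as tie-breakers (ordering assumed):
    # "Critical Assets" first, then Not Blocked before Dropped.
    return (rank, not event.get("critical_asset", False), event.get("dropped", False))


def triage(events):
    """Return the events in the order an analyst should open them."""
    return sorted(events, key=triage_key)


# Constructed intrusion events; "cve" is the CVE the matching Snort rule references,
# "ioc" marks an event the FMC raised as an Indication of Compromise.
SAMPLE_EVENTS = {
    "exploit_vs_vuln_host": {"name": "exploit_vs_vuln_host", "src": "203.0.113.5",
                             "dst": "10.1.2.10", "proto": "tcp", "dst_port": 443,
                             "cve": "CVE-2014-4123"},
    "port_open_no_vuln": {"name": "port_open_no_vuln", "src": "203.0.113.5",
                          "dst": "10.1.2.20", "proto": "tcp", "dst_port": 80,
                          "cve": "CVE-2012-1528"},
    "port_closed": {"name": "port_closed", "src": "203.0.113.5", "dst": "10.1.2.20",
                    "proto": "tcp", "dst_port": 445},
    "unknown_host": {"name": "unknown_host", "src": "203.0.113.5", "dst": "10.1.2.99",
                     "proto": "tcp", "dst_port": 80},
    "outbound_attack": {"name": "outbound_attack", "src": "10.1.2.20",
                        "dst": "198.51.100.7", "proto": "tcp", "dst_port": 80,
                        "dropped": True},
    "ioc_host": {"name": "ioc_host", "src": "203.0.113.9", "dst": "10.1.2.30",
                 "proto": "tcp", "dst_port": 443, "ioc": True},
}

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS.values()):
        print(f"{ev['name']:22} impact={impact_flag(ev)} {direction(ev)}")
```

The outbound event lands at Impact 0 even though it is the one that most resembles a compromised internal host, which is exactly the point of the †† footnote on the Impact Flags slide: Impact 0 is only “general info” when the profiled range is incomplete.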
POP QUIZ: Where do I start my Investigation?
• From the FMC Context Explorer
• From the FMC Dashboard
This is what most of our networks look like.
Some ways to choose:
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CNC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)
THEME: Start with what is compromised first.
From the FMC Context Explorer: Let’s see what these 63 events are all about.
Drilling into the IOC: Busy event. Looks like we’re getting more.
Digging into the IOC: Seems active across 6 hosts. Let’s drill into one.
Looks like Kim Ralls has a lot going on on her Windows host. Events from multiple sources:
• IPS Engine
• File Protection
• AMP for Networks
(screenshots of the host profile and event views)
• .147 Tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah)
• What does Impact 4 mean?
• Should we investigate more?
Did you forget about these? Let’s see if that file moved around without the IPS seeing it.
Yep. That file is malware. We see it in the malware summary, too.
• A lot more than the 6 file transfers and hosts the IPS engine stopped.
• Good thing they have AMP for Endpoints, too.
• Bet they wished they enabled quarantining.
• Problem scoped. Time to remediate.
• Maybe a good time to look at file analysis / Threatgrid to learn what other artifacts are left behind.
Take Away: Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
Looking at an Impact 3 Attempt
• Source IP: all internal
• Destination IP: all external
• Impact 3: no Host Profiles for external hosts
• Sourced from my Network = I’m the attacker? = Indication of Compromise
• TCP detection: means established connection
• These hosts definitely “launched” an attack.
• Next Step: Focus on the Source Host. Probably compromised.
Assessment: This has to be stopped!
Breached? Follow an Order of Operations
• Multiple Event Vectors: IPS, Malware, Connection, File, Trajectory, DNS
• Mission/Op Critical
• Context: Correlation, IOCs, Impact Flags
• Check all the related data.
• Event Directionality
• Protocol: TCP / UDP?
• Leverage Rule Documentation
• “See the big story”: Packet not always necessary
• Build a complete timeline: tell a story.
Automating Security Work
Recommended Rules
False Negatives ensure you’re NOT protected
Too many exploits succeed because:
• Systems aren’t patched
• Detections aren’t enabled
Attackers succeed with “old” exploits (Verizon Data Breach Report(s), Cisco Annual Security Report(s))
Cause | Resolution
Event Overload! | Impact Analysis
Tuning Failures | Understanding Detection Tools
Detections Disabled | Knowing What Needs Protection
Firepower Recommendations Knows what I Do Not
Recommended Rules – How it works (diagram)
Snort Rules SID: 24671, 32361 (Integer Overflow in Windows) → Possible Vuln CVE:2012-1528, SVID 99675 → Remotely exploitable vulnerability / Remote exploit
SID: 33306 BLACKLIST: Connection to a malware sinkhole → Detection of behavior that comes from a compromised host or one that is about to be compromised.
Recommended Rules – the details
Rule that will map to Recommended Rules (it carries a CVE reference):
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/enus/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )
Not all rules have a CVE!
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )
Rules disabled by default: some rules will ALWAYS be turned off by Recommended Rules. You may want to uncheck this.
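To see why one of these two rules can be matched to a host’s vulnerabilities and the other cannot, here is an added Python parser (my code, not Cisco’s and not Snort’s own parser) that pulls the header, `sid`, `rev`, `classtype`, `metadata` and `reference` options out of the two rules quoted on the slide. The rule text is the slide’s; the rule-file wrapper around it and the helper names are constructed.

```python
import re

# The two rules from the slide, wrapped as a constructed two-line rules file.
RULES_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/enus/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )
'''

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<body>.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' while ignoring ';' inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["references"], rule["metadata"] = [], {}
    for opt in split_options(m.group("body")):
        key, _, val = opt.partition(':')
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key in ("sid", "rev"):
            rule[key] = int(val)
        elif key == "classtype":
            rule["classtype"] = val
        elif key == "reference":              # reference:<scheme>,<id>
            scheme, _, ref = val.partition(',')
            rule["references"].append((scheme, ref))
        elif key == "metadata":               # metadata:<k> <v>, <k> <v>, ...
            for item in val.split(','):
                k, _, v = item.strip().partition(' ')
                rule["metadata"].setdefault(k, []).append(v)   # "policy" repeats
    return rule


def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith('#')]


def cves(rule):
    return [ref for scheme, ref in rule["references"] if scheme == "cve"]


def header_direction(rule):
    """Directionality as the slide describes it, read from the header variables."""
    if rule["src"] == "$EXTERNAL_NET":
        return "inbound"
    if rule["src"] == "$HOME_NET":
        return "outbound"
    return "other"


def recommendation_basis(rule):
    """Per the slide: a rule with a CVE reference can be matched to the host
    profile's vulnerabilities; a rule without one is behavioral only."""
    return "maps to host vulnerabilities via CVE" if cves(rule) else "no CVE; behavioral rule"


if __name__ == "__main__":
    for r in parse_rules(RULES_TEXT):
        print(r["sid"], header_direction(r), r["metadata"].get("impact_flag"), recommendation_basis(r))
```

Note how the sinkhole rule carries `impact_flag red` in its metadata: that is the “predefined impact” path from the Impact Flags slide, which lets a behavioral rule with no CVE still be promoted to the top of the order of investigation.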
Correlation Rules
Correlation Rules / Correlation Policy
Value:
• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response to specific conditions
Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to Actions such as: Email, Syslog, SNMP events or remediation actions.
Funnel (diagram): 100,000 events → 5,000 events → 500 events → 100 events → 20 events → 10 events → 3 Events
Correlation Policy → Correlation Rule(s) → Correlation Event → Action (Email, Syslog, SNMP, Remediation Module)
Correlation Rules go into Correlation Policies
Building a Correlation Rule (screenshot)
Sample Correlation Rule. Correlation Rule to:
• Ensure only HTTPS traffic is used on port 443
• Ensure traffic is initiated by a host whose Location (host attribute) is POS
• Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network.
• Any traffic outside this profile will generate an event.
Correlation Rule example: Production Network Change (screenshot)
Correlation Rule example: Production Network Change is exfiltrating traffic (screenshot)
Some Correlation Rules To Drive Action
Rule 1: If “an Intrusion Event occurs” . . .
  (Impact Flag is 3 - Yellow OR Impact Flag is 4 - Blue)
  AND (Source IP is in 192.168.0.0/16 OR Source IP is in 10.0.0.0/8 OR Source IP is in 172.16.0.0/12)
  AND (Destination IP is not in 192.168.0.0/16 OR Destination IP is not in 10.0.0.0/8 OR Destination IP is not in 172.16.0.0/12)
  → You have a compromised host “attacking” systems off your network.
Rule 2: If “a Malware Event occurs” “by retrospective network-based malware detection” . . .
  (Sending IP is in 192.168.0.0/16 OR Sending IP is in 10.0.0.0/8 OR Sending IP is in 172.16.0.0/12)
  OR (Receiving IP is in 192.168.0.0/16 OR Receiving IP is in 10.0.0.0/8 OR Receiving IP is in 172.16.0.0/12)
  → A recently seen file has been retrospectively determined to be malware! Go Stop it NOW!
Make it even more actionable based on the file TYPE: just add another Boolean Condition to Rule 2.
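The two rules above, and the file-type variant, as an added Python example of the Boolean condition trees a correlation policy evaluates (my code, not the FMC’s rule engine). Event field names, the sample events and the file-type labels are constructed. One caveat a practitioner should notice: the slide joins the three “Destination IP is not in …” tests with OR, which is true for every address; the rule’s stated purpose (“attacking systems off your network”) needs the destination to be in none of the three ranges, so the example requires all three.

```python
from ipaddress import ip_address, ip_network

# The three ranges the slide tests (RFC 1918 space).
PRIVATE_NETS = [ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def is_private(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def evaluate(cond, event):
    """cond is a predicate, or ("all" | "any", [sub-conditions]); "all" and "any"
    short-circuit, so a type check placed first guards later field accesses."""
    if callable(cond):
        return bool(cond(event))
    op, children = cond
    checks = (evaluate(c, event) for c in children)
    return all(checks) if op == "all" else any(checks)


# Rule 1 from the slide: Impact 3 or 4 intrusion event, internal source, external destination.
COMPROMISED_HOST_ATTACKING = ("all", [
    lambda e: e["type"] == "intrusion",
    ("any", [lambda e: e["impact"] == 3, lambda e: e["impact"] == 4]),
    lambda e: is_private(e["src_ip"]),
    lambda e: not is_private(e["dst_ip"]),     # in none of the three ranges (see caveat)
])

# Rule 2 from the slide: retrospective network-based malware event touching an internal IP.
RETROSPECTIVE_MALWARE_INTERNAL = ("all", [
    lambda e: e["type"] == "malware",
    lambda e: e["detection"] == "retrospective network-based malware detection",
    ("any", [lambda e: is_private(e["sending_ip"]), lambda e: is_private(e["receiving_ip"])]),
])


def with_file_type(rule, file_types):
    """The variant from the next slide: add one more Boolean condition on file type."""
    op, children = rule
    return (op, children + [lambda e: e.get("file_type") in file_types])


RULES = {
    "compromised host attacking off-network": COMPROMISED_HOST_ATTACKING,
    "retrospective malware on internal host": RETROSPECTIVE_MALWARE_INTERNAL,
    "retrospective executable on internal host":
        with_file_type(RETROSPECTIVE_MALWARE_INTERNAL, {"executable", "archive"}),
}


def correlate(events):
    """Return (rule name, event) pairs: the correlation events a policy would raise."""
    return [(name, e) for e in events for name, rule in RULES.items() if evaluate(rule, e)]


# Constructed sample events; not FMC output.
SAMPLE_EVENTS = [
    {"id": 1, "type": "intrusion", "impact": 3, "src_ip": "10.20.30.40", "dst_ip": "198.51.100.7"},
    {"id": 2, "type": "intrusion", "impact": 1, "src_ip": "10.20.30.40", "dst_ip": "198.51.100.7"},
    {"id": 3, "type": "intrusion", "impact": 4, "src_ip": "198.51.100.7", "dst_ip": "10.20.30.40"},
    {"id": 4, "type": "malware", "detection": "retrospective network-based malware detection",
     "sending_ip": "203.0.113.9", "receiving_ip": "172.16.5.5", "file_type": "executable"},
    {"id": 5, "type": "malware", "detection": "retrospective network-based malware detection",
     "sending_ip": "203.0.113.9", "receiving_ip": "203.0.113.10", "file_type": "executable"},
    {"id": 6, "type": "malware", "detection": "network-based malware detection",
     "sending_ip": "203.0.113.9", "receiving_ip": "192.168.1.4", "file_type": "document"},
]

if __name__ == "__main__":
    for name, e in correlate(SAMPLE_EVENTS):
        print(f"event {e['id']}: {name}")
```

Event 2 is deliberately Impact 1: the slide’s rule leaves it out because an Impact 1 event already reaches the analyst through the order of investigation, while Impact 3 and 4 events sourced from inside are the ones that would otherwise sit unread.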
Remediation API
Grand Vision for Integration & Firepower Management (diagram: Firepower)
Automating Response – Remediation API (diagram)
Inputs: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events
→ Correlation Policies (Boolean Conditions) → Correlation Rules → Correlation Events → Actions (API, Email, SNMP)
Sample Remediation Modules:
• Cisco ISE (pxGrid Mitigation)
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
ISE + Firepower = Rapid Threat Containment (diagram: WWW / i-Net, NGFW, FMC, ISE MnT, Controller)
1. Security Events / IOCs Reported (to FMC)
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
Configure Rapid Threat Containment
• Open the System:Integration page
• Enter ISE Server details (ise-1.mynet.com, ise-2.mynet.com)
• Be sure to configure your certs for the integration
• (screenshots of the ISE integration and remediation module pages)
• Notice your ISE mitigation actions!
• Be sure to assign the action to a Correlation Rule within a Correlation Policy
Other ”Tools" in the Firepower Toolkit
Event Analysis Toolset:
• White Listing: Correlation tool to monitor for host profile changes
• Traffic Profiling: Monitor behavioral changes in traffic conditions
Programmatic Interfaces:
• Estreamer API: Transmit all event data to an external repository (SIEM, event log, edge)
• Host Input API: Insert data into Host Profiles from external data sources
• Remediation API: Programmatically initiate actions on external systems.
• JDBC Connector: Directly query FMC database (reporting, SIEM queries, etc)
• REST API (NEW!): REST interface for FMC query and configuration
Reporting Matters
Default Reports
• Not just what’s in the templates
• Dashboard widgets are “mini”-reports
• Over 120 preset reports within a widget
• Create custom Widgets for more
• Think of the Dashboard as your unlimited report designer.
Tools: Searches, Custom Workflows, Custom Tables = Data goldmine
Event Viewing
Tables:
• Listing of events with a data set (IPS, Connection, Malware, etc.)
Workflows:
• Customized organization of specific column headers
• Allows Analysts to go straight to meaningful data
Filters:
• Search for specific or generalized matches within event tables
• Each table can have its own filters
• Hundreds of filters pre-installed
• Customizable
Custom Tables:
• Join of two or more individual event tables
• Aggregate useful data for faster decision making and reporting
• Has its own Workflows and Filters
Workflows
A Default Event View (screenshot)
Changing the view helps focus analysis (screenshot)
Create a Custom Workflow (screenshots)
How it turned out: Build on your order of investigation. Actionable Data: Hosts .52, .56, and .111 need to be investigated!
Custom Tables
Building Custom Tables: Intrusion Events + Host Data = Custom View. Have all the data you need immediately in one view.
Custom Table: Intrusion Event with Host Data (screenshots). Custom tables can even have their own workflows.
Custom Table: Includes Custom Filters (screenshots). Tables, Custom Tables, and Filters can also be leveraged on the Dashboard. Just choose the 1 column that is most meaningful.
Uses for Tables (standard & custom) and Workflows
• Having more relevant data on hand when doing event analysis and forensics
• Reducing the “number” of clicks to drill into meaningful data
• Customizing prioritization based on local business and security drivers
• Speeding new threat discovery / hunting
• Combined with Filters, they allow you to segment information into meaningful chunks, such as:
  • Device functionality
  • Network Zone
  • Operating System
  • Users / Groups
  • Country
  • Threat Type
  • Activity / Behavior Trends: What changed? What’s new?
Valuable in customizing your dashboard, building reports, documenting compliance. Let the business need feed your creativity.
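As an added example (not code from the talk, from FMC, or from Cisco), the following Python does what a custom table does when it pairs Intrusion Events with Host data: it joins constructed intrusion-event rows to constructed host-profile rows by destination IP, applies a custom filter, and sorts by a local priority weighting that stands in for "your business and security drivers". The record layout, field names, and the weights are assumptions that mimic exported FMC rows; they are not FMC's actual schema.

```python
"""Custom-table style join of Intrusion Events with Host data.

Added example for this talk, not code from FMC or Cisco. The records and
field names below are constructed to resemble exported FMC rows and are
assumptions about the schema, not FMC's actual column names.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed host profile rows keyed by IP (what the Hosts table supplies).
HOSTS: Dict[str, dict] = {
    "10.1.1.10": {"os": "Windows 10", "zone": "corp-users", "criticality": "low"},
    "10.1.2.20": {"os": "Linux", "zone": "dmz-web", "criticality": "high"},
    "10.1.3.30": {"os": "Windows Server 2012", "zone": "datacenter", "criticality": "high"},
}

# Constructed intrusion event rows. "impact" follows FMC's impact flag
# convention: 1 is the most severe (target known vulnerable), 4 is unknown.
INTRUSION_EVENTS: List[dict] = [
    {"id": 1, "src_ip": "203.0.113.5", "dst_ip": "10.1.1.10", "sid": 1001, "impact": 2},
    {"id": 2, "src_ip": "198.51.100.7", "dst_ip": "10.1.2.20", "sid": 1002, "impact": 1},
    {"id": 3, "src_ip": "203.0.113.9", "dst_ip": "10.1.3.30", "sid": 1003, "impact": 3},
    {"id": 4, "src_ip": "192.0.2.4", "dst_ip": "10.9.9.99", "sid": 1004, "impact": 4},
]

HOST_FIELDS = ("os", "zone", "criticality")

# Local weighting: an assumption standing in for "your business drivers".
IMPACT_WEIGHT = {1: 40, 2: 30, 3: 10, 4: 5, 0: 0}
CRITICALITY_WEIGHT = {"high": 20, "medium": 10, "low": 0, "unknown": 0}


def join_intrusion_with_hosts(events: Iterable[dict], hosts: Dict[str, dict]) -> List[dict]:
    """Attach host profile columns to each intrusion event by destination IP.

    Hosts FMC has not profiled yield "unknown", so the row is kept, not dropped.
    """
    joined = []
    for ev in events:
        host = hosts.get(ev["dst_ip"], {})
        row = dict(ev)
        for field in HOST_FIELDS:
            row[field] = host.get(field, "unknown")
        joined.append(row)
    return joined


def filter_rows(rows: Iterable[dict], **criteria) -> List[dict]:
    """Custom filter: keep rows whose columns equal every given value."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]


def priority_score(row: dict) -> int:
    """Combine the impact flag with the local criticality of the target host."""
    return IMPACT_WEIGHT.get(row["impact"], 0) + CRITICALITY_WEIGHT.get(row["criticality"], 0)


def prioritize(rows: Iterable[dict]) -> List[dict]:
    """Sort by local priority, highest first; ties broken by event id."""
    return sorted(rows, key=lambda r: (-priority_score(r), r["id"]))


def count_by(rows: Iterable[dict], column: str) -> Counter:
    """Segment rows by one column, the way a dashboard widget does."""
    return Counter(r[column] for r in rows)


if __name__ == "__main__":
    table = join_intrusion_with_hosts(INTRUSION_EVENTS, HOSTS)
    for row in prioritize(table):
        print(row["id"], row["dst_ip"], row["zone"], row["criticality"], priority_score(row))
    print(count_by(table, "os"))
```

The join keeps events whose target has no host profile (flagged "unknown") rather than dropping them, since an unprofiled target is itself worth a look; the filter and the weighting are the two knobs the slide's "customize prioritization based on local drivers" refers to.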
Examples of possible data to report
Security:
• Specific Threats experienced
• Automated Remediations
• OS’s most compromised
• App Threat Root Cause
Operations:
• New systems on the network
• New services or applications in use
• Changes in network behavior
• OS data
Compliance:
• PCI, NERC CIP, HIPAA…
• OS Usage
• User/Group Access behavior
• App segmentation
• Hosts in violation of corporate policy
Expanding your reporting to drive business efficiency creates a stronger security practice.
Interesting Data for Filtering
Filter | Potential ”new” Threat | List
Threat Destinations | Top Sec Int. Events with external Dest. IP | Int. Source IP
Top File Sources | Top External Source IPs for files | Ext. Source IP
Executable Exfil | Internal IPs that send files to External Address (esp. exe, jar, pdf, doc, archive, etc.) | Int. Source IP
Odd URLs | Internal IPs connecting to URL Categories “of concern” | Int. Source IP
DNS | Internal IPs generating DNS Sinkhole Events | Int. Source IP
Bad SSL | Internal IPs using invalid SSL Certs to external IP | Int. Source IP
Retrospective | Internal IP addresses Associated with Retrospective Malware | Int. Source IP
Correlation Events | Internal IPs sourcing Correlation Events | Int. Source IP
Processes Introducing Malware | Prebuilt in FMC, requires AMP for Endpoints |
Invalid App Usage | Internal IPs using Apps on nonstandard protocols |
* Create Correlation Rules   * Leverage Open AppID
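To show what several of these filters compute, here is an added example (not code from the talk or from FMC) that runs the Executable Exfil, Top File Sources, DNS sinkhole, Bad SSL and Invalid App Usage filters over constructed connection and file event records. The field names (src_ip, si_category, ssl_status, sender_ip, file_type and so on), the internal address ranges, and the table of expected ports per application are assumptions that mimic exported FMC events; FMC's own column names differ.

```python
"""Hunting filters from the "Interesting Data for Filtering" slide, run over
constructed event records.

Added example for this talk, not FMC code. The records and field names are
assumptions that mimic exported FMC connection and file events.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# RFC 1918 space stands in for "internal"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# File types the slide calls out as exfiltration concerns (exe, jar, pdf, doc, archives).
EXFIL_TYPES = {"EXE", "JAR", "PDF", "MSOFFICE", "ZIP", "RAR", "7Z"}

# Ports an application is expected on; anything else counts as "nonstandard" (assumption).
STANDARD_PORTS: Dict[str, set] = {"SSH": {22}, "HTTPS": {443}, "HTTP": {80, 8080}, "DNS": {53}}

# Constructed connection events (si_category mimics a Security Intelligence tag).
CONNECTION_EVENTS: List[dict] = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.20", "dst_port": 443, "app": "HTTPS", "ssl_status": "Valid", "si_category": None},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.44", "dst_port": 443, "app": "HTTPS", "ssl_status": "Invalid Certificate", "si_category": None},
    {"src_ip": "10.0.0.9", "dst_ip": "10.0.0.53", "dst_port": 53, "app": "DNS", "ssl_status": None, "si_category": "DNS Sinkhole"},
    {"src_ip": "10.0.0.11", "dst_ip": "192.0.2.80", "dst_port": 443, "app": "SSH", "ssl_status": None, "si_category": None},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.80", "dst_port": 22, "app": "SSH", "ssl_status": None, "si_category": None},
    {"src_ip": "203.0.113.5", "dst_ip": "10.0.0.7", "dst_port": 443, "app": "HTTPS", "ssl_status": "Invalid Certificate", "si_category": None},
]

# Constructed file events (sender -> receiver).
FILE_EVENTS: List[dict] = [
    {"sender_ip": "10.0.0.21", "receiver_ip": "198.51.100.9", "file_type": "EXE"},
    {"sender_ip": "10.0.0.22", "receiver_ip": "10.0.0.50", "file_type": "EXE"},
    {"sender_ip": "198.51.100.9", "receiver_ip": "10.0.0.21", "file_type": "PDF"},
    {"sender_ip": "10.0.0.23", "receiver_ip": "203.0.113.8", "file_type": "JAR"},
    {"sender_ip": "10.0.0.24", "receiver_ip": "203.0.113.8", "file_type": "PNG"},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def executable_exfil(file_events: Iterable[dict]) -> List[str]:
    """Executable Exfil: internal IPs sending files of concern to external addresses."""
    return sorted({e["sender_ip"] for e in file_events
                   if is_internal(e["sender_ip"]) and not is_internal(e["receiver_ip"])
                   and e["file_type"] in EXFIL_TYPES})


def top_external_file_sources(file_events: Iterable[dict]) -> List[tuple]:
    """Top File Sources: external IPs that delivered files inward, most frequent first."""
    counts = Counter(e["sender_ip"] for e in file_events
                     if not is_internal(e["sender_ip"]) and is_internal(e["receiver_ip"]))
    return counts.most_common()


def dns_sinkhole_sources(conn_events: Iterable[dict]) -> List[str]:
    """DNS: internal IPs whose connections were tagged by the DNS sinkhole."""
    return sorted({c["src_ip"] for c in conn_events
                   if is_internal(c["src_ip"]) and c.get("si_category") == "DNS Sinkhole"})


def bad_ssl_sources(conn_events: Iterable[dict]) -> List[str]:
    """Bad SSL: internal IPs with invalid-certificate SSL sessions to external IPs."""
    return sorted({c["src_ip"] for c in conn_events
                   if is_internal(c["src_ip"]) and not is_internal(c["dst_ip"])
                   and c.get("ssl_status") == "Invalid Certificate"})


def nonstandard_app_usage(conn_events: Iterable[dict]) -> List[str]:
    """Invalid App Usage: internal IPs running a known app on a port it is not expected on."""
    return sorted({c["src_ip"] for c in conn_events
                   if is_internal(c["src_ip"]) and c["app"] in STANDARD_PORTS
                   and c["dst_port"] not in STANDARD_PORTS[c["app"]]})


def hunt(conn_events: Iterable[dict], file_events: Iterable[dict]) -> Dict[str, list]:
    """Run every filter once and key the results by the slide's filter names."""
    conn_events, file_events = list(conn_events), list(file_events)
    return {
        "Executable Exfil": executable_exfil(file_events),
        "Top File Sources": top_external_file_sources(file_events),
        "DNS": dns_sinkhole_sources(conn_events),
        "Bad SSL": bad_ssl_sources(conn_events),
        "Invalid App Usage": nonstandard_app_usage(conn_events),
    }


if __name__ == "__main__":
    for name, hits in hunt(CONNECTION_EVENTS, FILE_EVENTS).items():
        print(f"{name}: {hits}")
```

Each filter returns a list of internal source IPs (or, for Top File Sources, external senders with counts), which is exactly the one-column view the slide suggests feeding to a dashboard widget or a report. Note that direction matters in every filter: an inbound connection with an invalid certificate or an internal-to-internal executable transfer is deliberately not reported.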
Leveraging the Dashboard
Customize The Dashboard
• There are a number of default dashboards
• All of them have customizable widgets
• Create / Customize your own for better visibility and report designs
Customize The Dashboard
This is your most powerful widget
Dashboards That Meet Your Needs
• Threat Focused
• Network Focused
Build Reports Straight from the Dashboard
Or Import Dashboards With the Report Builder
Import Sections from Dashboards, Summaries, and Workflows
Closing
Key Takeaways
By now you hopefully:
• Have a better understanding of how automated event analysis happens: Impact Flags & Indications of Compromise (IOCs).
• Have a better strategy for examining a security breach.
• Are able to leverage correlation policies and system APIs to create meaningful security automation.
• Understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise.
Complete Your Online Session Evaluation
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Please leave comments! (and your email if you want a response)
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Call to Action
• Firepower Management Center can be the center of your security operations.
• Look at FMC as a security automation framework.
• FMC’s real value is in how it can merge security operations and business outcomes.
• Look for cross-product integration to strengthen FMC’s value.
• Be creative in creating solutions. Look beyond “IPS” or “Threat Protection” opportunities.
• The more you understand about your organization’s security practices and business outcome needs, the more you’ll find you can deliver with Firepower Management Center.
• Check out Firepower more at the World of Solutions! What can you make it do?!
Thank You
And remember to fill out your surveys!
Reference Slides
(Reference) Event Source to Event Type
Layer / Source | Engine | Policy | Event Type
L3 - IP | IP Reputation Pre-Processor | Security Intelligence (Access Control Policy) | Security Intelligence Events
L2 – L7 | Intrusion Prevention (Snort®) | Intrusion Policy | Intrusion Events
L2 – L7 | Network Discovery | Network Discovery Policy | Discovery Events, User Activity, Connection Events, Host Profiles, Servers, Applications, Vulnerabilities
L3 | DNS Sinkhole Processor | DNS Policy | Connection Events
File | File Detection Processor | File Policy | File Events
L3-L7 | SSL | SSL Policy | Connection Events
L4-L7 | Application Detection (AppID) | Network Discovery Policy / Access Control Policy | Application Detail Events
L4-L7 | URL Filter | Access Control Policy | Connection Events
Files | Advanced Malware Protection (AMP) (Sandbox, Cloud Lookup) | File Policy | Malware Events, File Trajectory
(Reference) Event Sources to Events
Event tables (columns): Security Intelligence, Connection, Intrusion, Detection, File, Malware, User
Event sources (rows): Security Intelligence; Normalization Pre-Processors; SSL Decryption; App Detection; App Control; Network Detection; Non-Auth User Act.; User Activity from AD; URL Filter; File Detection AMP Engine; AMP Endpoint Cloud; Snort® (IPS)
“Reference Data” rows: Geo IP Db; URL Rep Db; User Db (from AD)
The slide shows a check-mark matrix of which source populates which event table.
(Reference) Correlating Event Data
Triggers (“When a … occurs”): Intrusion Event; Discovery Event; Connection Event; Host Input Event; User Activity; Traffic Profile Changes; Malware Event
Conditions that can be added: Flow and connection conditions over time or volume; Data from User Table (name, group info, etc.); Data from Host Profiles
The slide shows a check-mark matrix of which condition types apply to each trigger.
(Reference) Custom Table Matrix
Tables that can be combined in a custom table: Application Details; Applications; Connection Events; Connection Summary; Correlation Events; Discovery Events; Host Attributes; Hosts; Indications of Compromise; Intrusion Events; Sec. Int. Events; Servers; White List Events
The slide shows a check-mark matrix of which pairs of tables can be joined.