A Deep Dive into the Firepower Manager
William Young, Security Solutions Architect ([email protected], @WilliamDYoung)
BRKSEC-2058
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Just some Security Guy
• William Young
• Security Solutions Architect, Cisco
• 26 Years in Security
• 13 Years working with “Sourcefire” / “Firepower”
• Focus areas:
  • Security Operations
  • Policy & Compliance
  • Threat Forensics and Investigation
• Hacker: Or just some guy that breaks stuff
Cisco Firepower Sessions: Building Blocks
• BRKSEC-2058 A Deep Dive into using the Firepower Manager (Tuesday 16:45)
• BRKSEC-2056 Threat Centric Network Security (Tuesday 11:15)
• BRKSEC-3032 NGFW Clustering Deep Dive (Wednesday 9:00)
• BRKSEC-3035 Firepower Platform Deep Dive (Thursday 9:00)
• BRKSEC-2050 ASA Firepower NGFW typical deployment scenarios (Tuesday 14:15)
• BRKSEC-3455 Dissecting Firepower NGFW (FTD+FPS) (Friday 9:00)
Agenda
• Introduction
• Understanding Events in the Firepower Management Center
• Walking through a Breach
• Security Automation (Orchestration)
  • Recommended Rules
  • Correlation Rules
  • Automating Remediation (Remediation API)
• Reporting Matters
  • Workflows
  • Custom Tables
  • Leveraging the Dashboard
• Close
Do you really know Firepower Manager?
• More than just:
  • A policy configuration tool for NGFW / NGIPS
  • A quick way to see the context / composition of your network
  • A tool to “check on” your intrusion events
Creating a deeper value than “just threat protection”
Firepower Management Center (FMC) manages threat detection. It also:
• Puts threats into context within YOUR unique network.
• Provides actionable security, network, and business data.
• Can allow “Security” to come out of the “Dog House” by supporting multiple business outcomes.
• Creates automation in your “threat hunting”.
• Bends itself to your organization’s workflow, or automates that workflow.
Key Takeaways
At the end of the session, you will start to:
• understand how automatic correlation REALLY works: Impact Flags & Indications of Compromise (IOCs).
• know which security events need to be investigated first, and why.
• begin using correlation policies and system APIs to automate your security workflow.
• understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise.
Introduction Understanding Events Walking the Breach Security Automation Reporting
➥Recommended Rules
➥Correlation Rules
➥Remediation API
➥Workflows
➥Custom Tables
➥The Dashboard
Close
Understanding Events in the Firepower Management Center
Event Source Matters
Understanding Data
Misunderstood Data
Visual Guide to Firepower Event Sources (diagram)
Detection sources: Security Intelligence, IPS Engine (Snort®), Traffic Normalization, DNS Sinkhole, SSL Decrypt, File Detection, Application Detection, Network Discovery, AMP, URL, Identity.
Resulting events and data: Intrusion Events, File Events, Malware Events, User Activity, Host Profiles, Applications, Application Details, Host Attributes, Servers, File Trajectory, File Info, AMP 4 Endpoints, Discovery Events, Connection Events, Indications of Compromise.
Supplemental Data:
• Geo IP Data
• CVE / Vuln Data
• IP Reputation Data
• URL Data
Indications of Compromise
Leverages correlation of multiple event types, such as:
• Impact 1 & 2 events
• CNC connection events (IPS)
• Compromise events (IPS)
• Security Intelligence Events
• AMP for Endpoint Events
• AMP for Network
  • Includes some file events
• Built-in Cisco correlation rules
Goal:
1. FIX THIS NOW
2. What needs to be fixed
3. How to fix
What makes an Intrusion Event (state established)
• Structure and Content Testing
• Snort® rules use variables to determine “directionality”
  • $EXTERNAL_NET -> $HOME_NET (inbound)
  • $HOME_NET -> $EXTERNAL_NET (outbound)
• TCP based events from the Snort® Engine are based on ESTABLISHED sessions
  • Reduces false positives
★ IPS events are generated when sessions ARE THROUGH the perimeter
Understanding directionality is key to Impact Flags

What makes a Host Profile
• Passive data collection (network packet analysis)
• “State” table based on Discovery Events
• Server Services: TCP based services respond to connections; UDP based services initiate UDP packets
  • TCP requests that get a response map to a Server Port; UDP requests sent map to a Server Port
• Applications (generally TCP) are detected during session initiation from the host.
The Host Profile: End Point Context Applications
Understanding Impact Flags
Intrusion Event fields: Source / Destination IP; Protocol (TCP/UDP); Source / Destination Port; Service; Snort ID; IOC: Predefined Impact.
Host Profile fields: IP Address; Protocols; Server Side Ports; Client Side Ports; User IDs; Potential Vulnerabilities (CVE); Services; Client / Server Apps; Operating System. Two cases have no usable profile: [Outside Profile Range] and [Host not yet profiled].

Impact Flag | Action | Why
0 | General info†† (event outside profiled networks) | Event occurred outside profiled networks
4 | Good information; host is currently not known | Previously unseen host within monitored network
3 | Good information; event may not have connected | Relevant port not open or protocol not in use
2 | Worth investigation. Host exposed. | Relevant port or protocol in use but no vuln mapped
1 | Act immediately. Host vulnerable or compromised. | Host vulnerable to attack or showing an IOC.
†† If you have a fully profiled network this may be a critical event!
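The Action/Why table above written as decision logic, an added example that is not from the deck or from Cisco: given an intrusion event and the targeted host's profile it returns the Impact Flag and the reason. The monitored network, host profiles, ports and events are constructed samples; the CVE-2012-1528 link for SID 24671 and the impact_flag red tag on SID 33306 are the ones this deck shows, and treating a red-tagged rule as Impact 1 ahead of the profile checks is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example (not Cisco's code): the Action/Why table as decision logic.
# Monitored network, host profiles, ports and events below are constructed.


@dataclass
class HostProfile:
    ip: str
    server_ports: set = field(default_factory=set)     # {("tcp", 80), ...}
    vulnerabilities: set = field(default_factory=set)  # CVE ids mapped to host


@dataclass
class IntrusionEvent:
    sid: int
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp" or "udp"
    dst_port: int
    cves: frozenset = frozenset()   # from the rule's reference:cve options
    predefined_red: bool = False    # rule metadata says "impact_flag red"


def impact_flag(ev, profiles, monitored_nets):
    """Return (flag, why) for the event's target host.

    The target is taken to be dst_ip, i.e. the inbound
    $EXTERNAL_NET -> $HOME_NET case; an outbound event would be
    evaluated against src_ip instead."""
    # Assumption: a rule tagged impact_flag red (the IOC "predefined impact")
    # is reported as Impact 1 whatever the host profile says.
    if ev.predefined_red:
        return 1, "host showing an IOC (predefined impact)"
    target = ipaddress.ip_address(ev.dst_ip)
    if not any(target in net for net in monitored_nets):
        return 0, "event occurred outside profiled networks"
    host = profiles.get(ev.dst_ip)
    if host is None:
        return 4, "previously unseen host within monitored network"
    if ev.cves & host.vulnerabilities:
        return 1, "host vulnerable to attack"
    if (ev.proto, ev.dst_port) not in host.server_ports:
        return 3, "relevant port not open or protocol not in use"
    return 2, "relevant port or protocol in use but no vuln mapped"


MONITORED_NETS = [ipaddress.ip_network("10.1.0.0/16")]  # constructed

SAMPLE_PROFILES = {  # constructed host profiles
    "10.1.2.3": HostProfile("10.1.2.3", {("tcp", 80)}, {"CVE-2012-1528"}),
    "10.1.2.4": HostProfile("10.1.2.4", {("tcp", 80)}),
}

# The deck maps CVE-2012-1528 to SID 24671 and tags SID 33306 impact_flag red.
CVE_24671 = frozenset({"CVE-2012-1528"})
SAMPLE_EVENTS = [  # constructed events
    IntrusionEvent(24671, "198.51.100.7", "10.1.2.3", "tcp", 80, CVE_24671),
    IntrusionEvent(24671, "198.51.100.7", "10.1.2.4", "tcp", 80, CVE_24671),
    IntrusionEvent(24671, "198.51.100.7", "10.1.2.4", "tcp", 445, CVE_24671),
    IntrusionEvent(24671, "198.51.100.7", "10.1.9.9", "tcp", 80, CVE_24671),
    IntrusionEvent(24671, "198.51.100.7", "203.0.113.5", "tcp", 80, CVE_24671),
    IntrusionEvent(33306, "198.51.100.8", "10.1.2.4", "tcp", 80,
                   predefined_red=True),
]


def classify(events=None, profiles=None, nets=None):
    """Return [(sid, dst_ip, flag, why), ...] for a batch of events."""
    events = SAMPLE_EVENTS if events is None else events
    profiles = SAMPLE_PROFILES if profiles is None else profiles
    nets = MONITORED_NETS if nets is None else nets
    return [(e.sid, e.dst_ip, *impact_flag(e, profiles, nets)) for e in events]


if __name__ == "__main__":
    for sid, dst, flag, why in classify():
        print(f"SID {sid} -> {dst}: Impact {flag} ({why})")
```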
Unique Events: Correlation & White List Events
Correlation Events: Internal events based on boolean conditions within and across multiple event databases within the FMC. [Tip: Correlation Rules can monitor changes in flow!]
(FMC Events → Correlation Rules → Correlation Events)
White List Events: Internal events based on changes to individual or grouped host Profiles.
(Discovery Events → Host Profile Changes → White List Events)
First step in creating automated response!
Walking through a breach
Stages of Incident Handling (SANS Institute)
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Identification:
• Decide on which events to focus on first
• Drill into a specific event
• Validate the breach
  • Leverage documentation
  • Leverage additional forensics
• Explore your remediation options
• Remediate
• Automate as many decisions or actions as possible.
Order of Investigation† (diagram)
Axis: Remediation, Incident Response, Data Collection (“You’ve been Owned!”, “Under Attack”, “Research & Tuning”)
Labels from the diagram: Indication of Compromise; Impact 0; Impact 1; Impact 3 (then 2); Impact 4; “Critical Assets”; Not Blocked; Internal Source; External Source; Dropped; Correlation Rules
†may vary based on corporate priority
Goal: Getting to Remediation
POP QUIZ: Where do I start my Investigation? From the FMC Dashboard, or from the FMC Context Explorer?
This is what most of our networks look like.
Some ways to choose:
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CNC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)
From the FMC Context Explorer: Let’s see what these 63 events are all about.
THEME: Start with what is compromised first.
Drilling into the IOC
Busy event. Looks like we’re getting more.
Digging into the IOC
Seems active across 6 hosts. Let’s drill into one.
Looks like Kim Ralls has a lot going on her Windows host.
Events from multiple sources:
• IPS Engine
• File Protection
• AMP for Networks
• .147 tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah)
• What does Impact 4 mean?
• Should we investigate more?
Did you forget about these? Let’s see if that file moved around without the IPS seeing it.
Yep. That file is malware. We see it in the malware summary, too.
• A lot more than the 6 file transfers and hosts the IPS engine stopped.
• Good thing they have AMP for Endpoints, too.
• Bet they wished they had enabled quarantining.
• Problem scoped. Time to remediate.
• Maybe a good time to look at file analysis / Threatgrid to learn what other artifacts are left behind.
Take Away
Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
Looking at an Impact 3 Attempt
• Source IP: all internal
• Destination IP: all external
• Impact 3: no Host Profiles for external hosts
• Sourced from my Network = I’m the attacker? = Indication of Compromise
• TCP detection: means established connection
• These hosts definitely “launched” an attack.
• Next Step: Focus on the Source Host. Probably compromised.
Assessment: This has to be stopped!
Breached? Follow an Order of Operations
• Multiple Event Vectors: IPS, Malware, Connection, File, Trajectory, DNS, Context
• Mission/Op Critical: Correlation, IOCs, Impact Flags
• Check all the related data: Event Directionality; Protocol: TCP / UDP?
• Leverage Rule Documentation
• “See the big story”: Packet not always necessary
• Build a complete timeline: tell a story.
Automating Security Work
Recommended Rules
False Negatives ensure you’re NOT protected
Too many exploits succeed because:
• Systems aren’t patched
• Detections aren’t enabled
Attackers succeed with “old” exploits (Verizon Data Breach Report(s), Cisco Annual Security Report(s))
Cause | Resolution
Event Overload! | Impact Analysis
Tuning Failures | Understanding Detection Tools
Detections Disabled | Knowing What Needs Protection
Firepower Recommendations Knows what I Do Not
Recommended Rules – How it works
CVE-2012-1528 (Integer Overflow in Windows) → Possible Vuln: SVID 99675 (remotely exploitable vulnerability) → Snort Rules SID: 24671, 32361
SID: 33306 BLACKLIST: Connection to a malware sinkhole. Detection of behavior that comes from a compromised host or one that is about to be compromised.
Recommended Rules – the details

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )
→ Not all rules have a CVE! Some rules will be turned off by Recommended Rules (rules disabled by default).

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )
→ Rule that will map to Recommended Rules (via its reference:cve).
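To see what Recommended Rules can and cannot key on, here is an added example (not Cisco's or Snort's code) that parses the option section of the two rules above, pulls out sid, reference and metadata, and models the enable/disable decision against the CVEs mapped to profiled hosts. The host CVE sets passed in and the disable_unmapped switch are assumptions, not product settings.

```python
import re

# Added example (not Cisco's or Snort's code): parse the option section of the
# two rules above and model the Recommended Rules decision for each. The host
# CVE sets passed in and the disable_unmapped switch are assumptions.

RULES = [  # the two rules from the slide, each joined onto one line
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to '
    'malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by '
    'abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips '
    'drop, policy security-ips drop, service http; '
    'reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; '
    'sid:33306; rev:1; )',
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX '
    'installer broker object sandbox escape attempt"; flow:to_server,established; '
    'flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 '
    'A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; '
    'fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, '
    'service smtp; reference:cve,2014-4123; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; '
    'classtype:attempted-user; sid:32265; rev:1; )',
]

HEADER = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def split_options(body):
    """Split the option body on ';' characters that sit outside quotes."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + [tail] if tail else opts


def parse_rule(text):
    """Return the header fields plus sid, msg, references and metadata."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("not a single-line Snort rule")
    rule = {"action": m.group(1), "proto": m.group(2), "src": m.group(3),
            "src_port": m.group(4), "direction": m.group(5), "dst": m.group(6),
            "dst_port": m.group(7), "references": [], "metadata": {}}
    for opt in split_options(m.group(8)):
        key, _, val = opt.partition(':')
        if key == "sid":
            rule["sid"] = int(val)
        elif key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "reference":          # reference:<type>,<value>
            rtype, _, rval = val.partition(',')
            rule["references"].append((rtype, rval))
        elif key == "metadata":           # metadata:<key> <value>, ...
            for item in val.split(','):
                mkey, _, mval = item.strip().partition(' ')
                rule["metadata"].setdefault(mkey, []).append(mval)
    return rule


def recommendation(rule, host_cves, disable_unmapped=True):
    """Simplified model (an assumption, not the product's algorithm) of what
    Recommended Rules does with one rule: enable it when a reference:cve
    matches a CVE mapped to a profiled host, disable it otherwise. A rule
    with no CVE reference can only be disabled (when disable_unmapped is on,
    the option the slide says you may want to uncheck) or left alone."""
    cves = {"CVE-" + v for t, v in rule["references"] if t == "cve"}
    if not cves:
        return "disable" if disable_unmapped else "leave as is"
    return "enable" if cves & host_cves else "disable"


if __name__ == "__main__":
    for r in (parse_rule(t) for t in RULES):
        print(r["sid"], r["metadata"].get("impact_flag"),
              recommendation(r, {"CVE-2014-4123"}))
```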
Recommended Rules (screenshot): You may want to uncheck this. Some rules will ALWAYS be turned off by Recommended Rules.
Correlation Rules
Correlation Rules / Correlation Policy
Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to Actions such as: Email, Syslog, SNMP events or remediation actions (Remediation Module).
Funnel from the diagram: Correlation Policy → Correlation Rule → Correlation Event → Action, narrowing from 100,000 events down through 5,000 / 500 / 100 / 20 / 10 to 3 events.
Value:
• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response to specific conditions
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Correlation Rules go into Correlation Policies
Building a Correlation Rule
Sample Correlation Rule
Correlation Rule to:
• Ensure only HTTPS traffic is used on port 443
• Ensure traffic is initiated by a host whose Location (host attribute) is POS
• Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network.
• Any traffic outside this profile will generate an event.
Correlation Rule example: Production Network Change
Correlation Rule example: Production Network Change is exfiltrating traffic
Some Correlation Rules To Drive Action
If “an Intrusion Event occurs” . . . AND
  (Source IP is in 192.168.0.0/16 OR Source IP is in 10.0.0.0/8 OR Source IP is in 172.16.0.0/12)
  AND (Destination IP is not in 192.168.0.0/16 OR Destination IP is not in 10.0.0.0/8 OR Destination IP is not in 172.16.0.0/12)
  AND (Impact Flag is 3 - Yellow OR Impact Flag is 4 - Blue)
→ You have a compromised host “attacking” systems off your network.

If “a Malware Event occurs” “by retrospective network-based malware detection” AND
  (Sending IP is in 192.168.0.0/16 OR Sending IP is in 10.0.0.0/8 OR Sending IP is in 172.16.0.0/12)
  OR (Receiving IP is in 192.168.0.0/16 OR Receiving IP is in 10.0.0.0/8 OR Receiving IP is in 172.16.0.0/12)
→ A recently seen file has been retrospectively determined to be malware! Go Stop it NOW!
Some Correlation Rules To Drive Action (continued)
Make it even more actionable based on the file TYPE: just add another Boolean Condition.
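The two correlation rules above written out as Boolean tests over events, as an added example that is not the deck's or Cisco's code; the sample events, file type names and the action label are constructed, and the pxGrid quarantine action stands in for whatever remediation module the policy would call. One check worth making when building the intrusion rule: the three "Destination IP is not in" conditions must be combined with AND (the block does this), because "not in A OR not in B OR not in C" is true for every address.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not Cisco's code): the two correlation rules above as Boolean
# tests over events. Sample events, file type names and the action label are
# constructed; the quarantine action stands in for a remediation module.

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    impact: int


@dataclass
class MalwareEvent:
    sending_ip: str
    receiving_ip: str
    detection: str   # e.g. "retrospective network-based malware detection"
    file_type: str   # e.g. "MSEXE" (constructed sample label)


def compromised_host_rule(ev):
    """Intrusion event AND source internal AND destination external
    AND Impact 3 or 4: a compromised host "attacking" off your network.

    The destination test is 'not in ANY of the three private ranges', an
    AND over the ranges; three 'not in' tests joined by OR would be true
    for every address, since no address lies in all three ranges."""
    return (is_internal(ev.src_ip)
            and not is_internal(ev.dst_ip)
            and ev.impact in (3, 4))


def retrospective_malware_rule(ev, file_types=None):
    """Malware event by retrospective detection AND (sending OR receiving IP
    internal). file_types adds the extra Boolean condition from the slide so
    that only the chosen file types drive an action."""
    if ev.detection != "retrospective network-based malware detection":
        return False
    if file_types is not None and ev.file_type not in file_types:
        return False
    return is_internal(ev.sending_ip) or is_internal(ev.receiving_ip)


def evaluate(intrusion_events, malware_events, file_types=None):
    """Return the (rule, internal host, action) triples a policy would emit."""
    hits = []
    for ev in intrusion_events:
        if compromised_host_rule(ev):
            hits.append(("compromised-host-attacking-out", ev.src_ip,
                         "quarantine_via_pxgrid"))
    for ev in malware_events:
        if retrospective_malware_rule(ev, file_types):
            # Assumption: contain the internal host that received the file,
            # or the internal sender when the receiver is external.
            host = ev.receiving_ip if is_internal(ev.receiving_ip) else ev.sending_ip
            hits.append(("retrospective-malware", host, "quarantine_via_pxgrid"))
    return hits


RETRO = "retrospective network-based malware detection"
SAMPLE_INTRUSION = [  # constructed
    IntrusionEvent("10.2.3.4", "203.0.113.10", 3),    # internal -> external, Impact 3
    IntrusionEvent("10.2.3.5", "10.9.9.9", 3),        # stays internal: no match
    IntrusionEvent("203.0.113.20", "10.2.3.4", 3),    # external source: no match
    IntrusionEvent("172.20.1.1", "198.51.100.1", 1),  # Impact 1: not this rule
]
SAMPLE_MALWARE = [  # constructed
    MalwareEvent("203.0.113.30", "192.168.1.50", RETRO, "MSEXE"),
    MalwareEvent("203.0.113.30", "192.168.1.51",
                 "network-based malware detection", "MSEXE"),
    MalwareEvent("10.5.5.5", "203.0.113.40", RETRO, "PDF"),
]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_INTRUSION, SAMPLE_MALWARE):
        print(hit)
    print("MSEXE only:", evaluate(SAMPLE_INTRUSION, SAMPLE_MALWARE, {"MSEXE"}))
```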
Remediation API
Grand Vision for Integration & Firepower Management
Automating Response – Remediation API
Sample Remediation Modules:
• Cisco ISE (pxGrid Mitigation)
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
Flow: event sources (Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events) → Correlation Rules (Boolean Conditions) → Correlation Policies → Correlation Events → Actions (API, Email, SNMP)
ISE + Firepower = Rapid Threat Containment
Components in the diagram: ISE (MnT, Controller), FMC, NGFW, WWW / i-Net, endpoint.
1. Security Events / IOCs Reported
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent
Configure Rapid Threat Containment
• Open the System:Integration page
• Enter ISE Server details (e.g. ise-1.mynet.com, ise-2.mynet.com)
• Be sure to configure your certs for the integration
• Notice your ISE mitigation actions!
• Be sure to assign the action to a Correlation Rule within a Correlation Policy
Other “Tools” in the Firepower Toolkit
Event Analysis Toolset:
• White Listing: Correlation tool to monitor for host profile changes
• Traffic Profiling: Monitor behavioral changes in traffic conditions
Programmatic Interfaces:
• Estreamer API: Transmit all event data to an external repository (SIEM, event log, edge)
• Host Input API: Insert data into Host Profiles from external data sources
• Remediation API: Programmatically initiate actions on external systems.
• JDBC Connector: Directly query the FMC database (reporting, SIEM queries, etc.)
• REST API (NEW!): REST interface for FMC query, configuration, and
Reporting Matters
Not just what’s in the templates
• Dashboard widgets are “mini”-reports
• Over 120 preset reports within a widget
• Create custom Widgets for more
Think of the Dashboard as your unlimited report designer.
Tools: Searches, Custom Workflows, Custom Tables (= Data goldmine), Default Reports
Event Viewing
Tables:
• Listing of events with a data set (IPS, Connection, Malware, etc.)
Workflows:
• Customized organization of specific column headers
• Allows Analysts to go straight to meaningful data
Filters:
• Search for specific or generalized matches within event tables
• Each table can have its own filters
• Hundreds of filters pre-installed
• Customizable
Custom Tables:
• Join of two or more individual event tables
• Aggregate useful data for faster decision making and reporting
• Has its own Workflows and Filters
Workflows
A Default Event View (screenshot)
A Default View (screenshot)
Changing the view helps focus analysis (screenshot)
Create a Custom Workflow
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Create a Custom Workflow
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
How it turned out
Build on your order
of investigation
Actionable Data:Hosts .52, .56, and .111
need to be investigated!
Custom Tables
Building Custom Tables
Have all the data you need immediately in one view: Intrusion Events + Host Data = Custom View
Custom Table: Intrusion Event with Host Data (custom tables can even have their own workflows)
Custom Table: Includes Custom Filters
Tables, Custom Tables, and Filters can also be leveraged on the Dashboard. Just choose the 1 column that is most meaningful.
Uses for Tables (standard & custom) and Workflows• Having more relevant data on hand when doing event analysis and forensics
• Reducing the “number” of clicks to drill into meaningful data
• Customize prioritization based on local business and security drivers
• Speed new threat discovery / hunting
• Combined with Filters allow you to segment information into meaningful chunks, such as:
• Device functionality
• Network Zone
• Operating System
• Users / Groups
• Country
• Threat Type
Valuable in customizing your dashboard,
building reports, documenting compliance.
Let the business need feed your creativity.
• Activity / Behavior Trends?
• What changed?
• What’s new?
BRKSEC-2058 105
Examples of possible data to report
Security
• Specific Threats experienced
• Automated Remediations
• OS’s most compromised
• App Threat Root Cause
Operations
• New systems on the network
• New services or applications in use
• Changes in network behavior
• OS data
Compliance
• PCI, NERC CIP, HIPAA…
• OS Usage
• User/Group Access behavior
• App segmentation
• Hosts in violation of corporate policy
Expanding your reporting to drive business efficiency creates a stronger security practice.
Interesting Data for Filtering Potential “new” Threats
• Threat Destinations: Top Security Intelligence events with an external destination IP
• Top File Sources: Top external source IPs for files
• Executable Exfil: Internal IPs that send files to an external address (esp. exe, jar, pdf, doc, archive, etc.)
• Odd URLs: Internal IPs connecting to URL categories “of concern”
• Retrospective: Internal IP addresses associated with retrospective malware
• DNS: Internal IPs generating DNS Sinkhole events
• Bad SSL: Internal IPs using invalid SSL certs to an external IP
• Correlation Events: Internal IPs sourcing Correlation Events (* create Correlation Rules)
• Processes Introducing Malware (prebuilt in FMC, requires AMP 4 Endpoints)
• Invalid App Usage: Internal IPs using apps on non-standard protocols (* leverage Open AppID)
Each filter's output: List Int. Source IP (List Ext. Source IP for the file-source filter).
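As an added example that is not from the deck or from Cisco, here are three of the filters above (Executable Exfil, Threat Destinations, Bad SSL) expressed as queries over constructed FMC-style event records. Field names (src_ip, dst_ip, file_type, ssl_status) are hypothetical, and RFC 1918 ranges stand in for the definition of "internal".

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges stand in for "internal"; in FMC this would be your network objects.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_TYPES = {"exe", "jar", "pdf", "doc", "archive"}   # file types the deck calls out

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# Constructed sample records with hypothetical field names (not FMC's real schema).
FILE_EVENTS = [
    {"src_ip": "10.1.5.20", "dst_ip": "203.0.113.9", "file_type": "exe"},
    {"src_ip": "10.1.5.20", "dst_ip": "10.1.9.4", "file_type": "exe"},       # internal to internal
    {"src_ip": "10.1.7.31", "dst_ip": "198.51.100.7", "file_type": "archive"},
    {"src_ip": "10.1.7.31", "dst_ip": "198.51.100.7", "file_type": "txt"},   # not a type of concern
    {"src_ip": "192.0.2.10", "dst_ip": "10.1.5.20", "file_type": "exe"},     # inbound, external source
]
SI_EVENTS = [
    {"src_ip": "10.1.5.20", "dst_ip": "203.0.113.9", "category": "CnC"},
    {"src_ip": "10.1.8.2", "dst_ip": "203.0.113.9", "category": "CnC"},
    {"src_ip": "10.1.8.2", "dst_ip": "10.1.1.1", "category": "Malware"},     # internal destination
]
CONN_EVENTS = [
    {"src_ip": "10.1.5.20", "dst_ip": "203.0.113.44", "ssl_status": "Invalid Certificate"},
    {"src_ip": "10.1.7.31", "dst_ip": "198.51.100.8", "ssl_status": "Valid"},
]

def executable_exfil(events):
    """Executable Exfil: internal IPs sending files of concern to external addresses."""
    return sorted({e["src_ip"] for e in events
                   if e["file_type"] in EXFIL_TYPES
                   and is_internal(e["src_ip"]) and not is_internal(e["dst_ip"])})

def threat_destinations(events):
    """Threat Destinations: external SI destinations, ranked by distinct internal sources."""
    hits = defaultdict(set)
    for e in events:
        if not is_internal(e["dst_ip"]):
            hits[e["dst_ip"]].add(e["src_ip"])
    return sorted(((dst, sorted(srcs)) for dst, srcs in hits.items()),
                  key=lambda item: -len(item[1]))

def bad_ssl_sources(events):
    """Bad SSL: internal IPs whose sessions to external IPs used an invalid SSL cert."""
    return sorted({e["src_ip"] for e in events
                   if e["ssl_status"] != "Valid"
                   and is_internal(e["src_ip"]) and not is_internal(e["dst_ip"])})
```

Each function returns the list an analyst would pin to a dashboard widget or feed into a custom table; the same internal host showing up in more than one list is the kind of overlap worth a correlation rule.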
Leveraging the Dashboard
Customize The Dashboard
• There are a number of default dashboards
• All of them have customizable widgets
• Create / Customize your own for better visibility and report designs
Customize The Dashboard: this is your most powerful widget
Dashboards That Meet Your Needs: Threat Focused
Dashboards That Meet Your Needs: Network Focused
Build Reports Straight from the Dashboard
Or Import Dashboards With the Report Builder: import sections from Dashboards, Summaries, and Workflows.
Closing
Key Takeaways
By now you hopefully:
• Have a better understanding of how automated event analysis happens: Impact Flags & Indications of Compromise (IOCs).
• Have a better strategy for examining a security breach.
• Are able to leverage correlation policies and system APIs to create meaningful security automation.
• Understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise.
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Please leave comments! (and your email if you want a response)
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Call to Action
• Firepower Management Center can be the center of your security operations.
• Look at FMC as a security automation framework.
• FMC’s real value is in how it can merge security operations and business outcomes.
• Look for cross-product integration to strengthen FMC’s value.
• Be creative in creating solutions. Look beyond “IPS” or “Threat Protection” opportunities.
• The more you understand about your organization’s security practices and business outcome needs, the more you’ll find you can deliver with Firepower Management Center.
• Check out Firepower more at the World of Solutions! What can you make it do?!
Thank You. And remember to fill out your surveys!
Reference Slides
Event Source to Event Type
Layer | Engine | Policy | Event Type
L3 - IP | IP Reputation Pre-Processor | Security Intelligence (Access Control Policy) | Security Intelligence Events
L2 – L7 | Intrusion Prevention (Snort®) | Intrusion Policy | Intrusion Events
L2 – L7 | Network Discovery | Network Discovery Policy | Discovery Events, User Activity, Connection Events, Host Profiles, Servers, Applications, Vulnerabilities
L3 | DNS Sinkhole Processor | DNS Policy | Connection Events
File | File Detection Processor | File Policy | File Events
L3-L7 | SSL | SSL Policy | Connection Events
L4-L7 | Application Detection (AppID) | Network Discovery Policy / Access Control Policy | Application Detail Events
L4-L7 | URL Filter | Access Control Policy | Connection Events
Files | Advanced Malware Protection (AMP) (Sandbox, Cloud Lookup) | File Policy | Malware Events, File Trajectory
(Reference)
Event Sources to Events
Source / Event Table (columns: Security Intelligence, Connection, Intrusion, Detection, File, Malware, User)
Security Intelligence ✔
Normalization Pre-Processors ✔
SSL Decryption ✔
App Detection ✔ ✔
App Control ✔
Network Detection ✔ ✔
Non-Auth User Act. ✔ ✔
User Activity from AD ✔
URL Filter ✔
File Detection ✔
AMP Engine ✔
AMP Endpoint Cloud ✔
Snort® (IPS) ✔
“Reference Data”
Geo IP Db ✔ ✔ ✔ ✔ ✔ ✔ ✔
URL Rep Db ✔
User Db (from AD) ✔ ✔ ✔ ✔ ✔ ✔ ✔
(Reference)
Correlating Event Data
When a…
Intrusion Event ✔ ✔ ✔
Discovery Event ✔ ✔ ✔
Connection Event ✔ ✔ ✔
Host Input Event ✔ ✔ ✔
User Activity Occurs ✔ ✔
Traffic Profile Changes
Malware Event
Conditions available: Flow and connection conditions over time or volume; Data from User Table (name, group info, etc.); Data from Host Profiles.
(Reference)
Custom Table Matrix
Tables (columns): Application Details, Applications, Connection Events, Connection Summary, Correlation Events, Discovery Events, Host Attributes, Hosts, Indications of Compromise, Intrusion Events, Sec. Int. Events, Servers, White List Events
Application Details ✔ ✔ ✔ ✔ ✔
Applications ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Connection Events ✔ ✔ ✔ ✔ ✔ ✔
Connection Summary ✔ ✔ ✔ ✔ ✔ ✔
Correlation Events ✔ ✔ ✔ ✔ ✔
Discovery Events ✔ ✔ ✔ ✔ ✔
Host Attributes ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Hosts ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Indications of Compromise ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Intrusion Events ✔ ✔ ✔ ✔ ✔ ✔
Sec. Int. Events ✔ ✔ ✔ ✔ ✔ ✔
Servers ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
White List Events ✔ ✔ ✔ ✔ ✔
(reference)