
A Deep Dive into using the Firepower Manager


William Young, Global Security Architect
willyou@cisco.com
@WilliamDYoung
BRKSEC-2058
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session.

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Just Some Security Guy
• William Young
• Security Solutions Architect, Cisco
• 27 Years in Security
• 14 Years working with “Sourcefire” / “Firepower”
• Focus areas:
• Security Operations
• Policy & Compliance
• Threat Forensics and Investigation
• Hacker: Or just some guy that breaks stuff

Cisco Firepower Sessions

Tuesday
BRKSEC-2050 Firepower NGFW Internet Edge Deployment Scenarios
BRKSEC-2051 Deploying AnyConnect SSL VPN with ASA (and Firepower Threat Defense)
BRKSEC-2058 A Deep Dive into using the Firepower Manager

Wednesday
BRKSEC-2064 NGFWv and ASAv in Public Cloud (AWS and Azure)
BRKSEC-2056 Threat Centric Network Security
BRKSEC-3300 Advanced IPS Deployment

Thursday
BRKSEC-3667 Advanced Firepower SSL policy
BRKSEC-3035 Firepower Platform Deep Dive
BRKSEC-3455 Dissecting Firepower NGFW “Installation & Troubleshooting”
Do You Really Know Firepower Manager?
• A policy configuration tool for NGFW / NGIPS
• A quick way to see the context / composition of your network
• A tool to “check-on” your threat events
Data Correlation & Organisation is Critical

Data sets the FMC correlates (from the slide’s diagram):
• All Events
• Intrusion Events
• IOCs
• OS Version
• DNS Activity
• Local Vuln Data
• IP Sec Intel
• URL Sec Intel
• DNS Sec Intel
• User Data
• Threat Intel
• Policy Violation
• Network Flow
• App Data
• Malware
• File Data
Data Correlation & Organisation is Critical

WHY?
• Most SOCs fail or keep getting “re-invented”
• Good Security Analysts are hard to find/keep and are expensive

The COST of security is not sustainable even in today’s climate of regulation, fear, and loss.

Functions shown on the slide: Analysis, Organisation, Filtration, Correlation, Relatedness, Intelligence, Integration
Firepower Is More Than Just “Threat Protection”

Firepower Management Centre (FMC) manages threat detection. It also:

• Puts threat into context within YOUR unique network
• Provides actionable security, network, and business data
• Can allow “Security” to come out of the “Dog House” by supporting multiple business outcomes
• Creates automation in your “threat hunting”
• Triggers automated response
• Bends itself to your organisation’s workflow, or automates that workflow
Session agenda (navigation slide):
• Why FMC
• Event Context
• Security Investigation
• Reporting
• Integration
• Automation
• Healthy Deployments
• Closing

Event Source Matters

Understanding Data

Misunderstood Data
Visual Guide to Firepower Event Sources

Detection functions (from the slide’s diagram): Security Intelligence, Traffic Normalisation, DNS Sinkhole, SSL Decrypt, Application Detection, Network Discovery, URL, Identity, File Detection, AMP Detection, IPS Engine (Snort®)

Event types they produce: Security Intelligence Events, Connection Events, Discovery Events (User Activity, Servers, Applications, Application Details, Host Profiles, Host Attributes), Intrusion Events, File Events (File Info, File Trajectory), Malware Events, AMP 4 Endpoints events, Indications of Compromise

Supplemental Data:
• Geo IP Data
• CVE / Vuln Data
• IP Reputation Data
• URL Data
The Host Profile: End Point Context
(Screenshot: host profile, Applications section)

Host Profile: Under the Hood
Authoritative Identity Sources

Host Profile: Network Discovery Placement

• Capture Internal Traffic
• Better Fidelity when closer to the End Point
• Avoid Duplication when possible
  • Map Zones to best CIDR
  • Exclude CIDRs from more distant zones
• Leverage Passive interfaces/SPAN
• vFTD makes a great Network & App Discovery tool at no cost
  • Adding IDS will cost more
• The “Normal Way” is flawed
Host Profile: Create Your Own Attributes

Update:
• Manually
• Via Host Input API
• Via Remediation API

Attribute types:
• Text Label
• URL
• Integer Range
• List of Labels based on current IP

Attributes can be leveraged for additional data, reporting, queries, and Correlation Rules.
Host Profile: Tuning IOCs

40 Pre-built IOCs selected from:
• Malware Events
• Some IPS Events
• Some Security Intelligence

Host Profile: Vulnerability Mappings

Sources of vulnerability data shown on the slide: Vuln Mappings in Policy, App Detectors, IPS Events (Snort®)
Myth: “Vuln Scans make better Impact Scores”

Host Profiles inform Impact Analysis.

Vuln Data from dynamic Net Discovery: ‘worst case’ fidelity, dynamic
Vuln Data from 3rd Party Scan: precise fidelity at the time of the scan

3rd Party Mappings:
• take priority
• static
• do not change with host changes
• update only from a new scan
• Be mindful which hosts use network discovery vs. 3rd party data
• Consider change controls
• Consider risk of “false negative”

Remember! Host Profiles are usually meant to change.
IPS (Snort®) Events & Impact Analysis

Understand How Intrusion Events Work

Understanding Detection Conditions is Important
• Snort® rules use variables to determine “directionality”
  • $EXTERNAL_NET -> $HOME_NET (inbound)
  • $HOME_NET -> $EXTERNAL_NET (outbound)
• TCP based events from the Snort® Engine are based on ESTABLISHED sessions (state established)
  • Structure and Content Testing
  • Reduces false positives
★ IPS events are generated when sessions ARE THROUGH the perimeter

What makes a Host Profile
• Passive data collection (network packet analysis)
• “State” table based on Discovery Events
• Server Services:
  • TCP based respond to connections: TCP request responds map to Server Port
  • UDP based initiate UDP packets: UDP request sent map to Server Port
• Applications (generally TCP) detected during session initiation from host

Understanding directionality is key to Impact Flags
Understanding Snort® Rule Directionality

Outbound: Indication of Compromise
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; urilen:9; content:"/minerd32"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef7ee620ce09cd8edca81dc7866fbe87405c4a8ac88f985ac350269d8d081073/analysis/; classtype:trojan-activity; sid:45472; rev:1; gid:1; )

Inbound Attack!
alert tcp $EXTERNAL_NET 3690 -> $HOME_NET any (msg:"SERVER-APACHE Apache Subversion svnserve integer overflow attempt"; flow:to_client,established; content:"184467440737095516"; depth:18; content:"|3A|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-5259; reference:url,subversion.apache.org/security/CVE-2015-5259-advisory.txt; classtype:attempted-user; sid:40849; rev:1; gid:1; )

NOTE: Make sure your $Variables are appropriate for where your detection is placed.
Understanding Impact Flags

Intrusion Event fields used: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, CVE, Snort ID, IOC: Predefined Impact
Host Profile fields used: [Outside Profile Range], [Host not yet profiled], IP Address, User IDs, Protocols, Server Side Ports, Client Side Ports, Services, Client / Server Apps, Operating System, Potential Vulnerabilities

Impact Flag | Action | Why
0 | General info†† | Event occurred outside profiled networks
4 | Good information | Previously unseen host within monitored network; host is currently not known
3 | Good information; event may not have connected | Relevant port not open or protocol not in use
2 | Worth investigation. Host exposed. | Relevant port or protocol in use but no vuln mapped
1 | Act immediately. Host vulnerable or compromised. | Host vulnerable to attack or showing an IOC

†† If you have a fully profiled network this may be a critical event!
Understanding Impact Flags (continued)

Ignore Impact Flag Definitions in the Docs.

Impact Flag Logic + Snort® Config + Your Network = Better Threat Hunting
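As an added example (not from the deck or from Cisco), the Python below models the impact-flag table and the directionality slide together: it reads the header direction and the flow:to_* option from abridged copies of the two rules on the directionality slide, picks the HOME_NET-side host the way the slides describe, and assigns a flag from 0 to 4 against constructed host profiles. HOME_NET, the host profiles, the addresses and the shortened rule texts are assumptions; the FMC's own logic has more inputs than this.

```python
"""Added example, not from the Cisco deck: a simplified model of how Snort rule
directionality and FMC host-profile data combine into an impact flag.
HOME_NET, host profiles, addresses and the abridged rule texts are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Snort variables as set for this sensor's placement (constructed; the deck's
# NOTE says to match them to where detection is placed).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

HEADER_RE = re.compile(r"^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")


@dataclass
class Rule:
    proto: str
    direction: str        # "inbound", "outbound" or "unknown"
    flow: str             # "to_server" or "to_client"
    cves: set
    predefined_red: bool  # metadata:impact_flag red ("IOC: Predefined Impact")


def parse_rule(text):
    """Pull the fields the impact model needs out of a Snort rule."""
    m = HEADER_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised Snort rule header")
    proto, src, dst = m.group(1), m.group(2), m.group(4)
    if src == "$HOME_NET" and dst == "$EXTERNAL_NET":
        direction = "outbound"
    elif src == "$EXTERNAL_NET" and dst == "$HOME_NET":
        direction = "inbound"
    else:
        direction = "unknown"
    flow = "to_server" if "flow:to_server" in text else "to_client"
    cves = {"CVE-" + c for c in re.findall(r"reference:cve,(\d{4}-\d+)", text)}
    return Rule(proto, direction, flow, cves, "impact_flag red" in text)


@dataclass
class HostProfile:
    tcp_ports: set = field(default_factory=set)   # server-side ports seen open
    udp_ports: set = field(default_factory=set)
    cves: set = field(default_factory=set)        # potential vulnerabilities
    ioc: bool = False                             # host currently shows an IOC


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def impact_flag(rule, src_ip, src_port, dst_ip, dst_port, hosts):
    """Impact flag 0-4 following the deck's table. The host evaluated is the
    HOME_NET side of the session (source for outbound rules, destination for
    inbound); directionality plus flow:to_* says whether it is the server."""
    home_ip = src_ip if rule.direction == "outbound" else dst_ip
    server_port = dst_port if rule.flow == "to_server" else src_port
    home_is_server = (rule.direction == "inbound") == (rule.flow == "to_server")
    if rule.direction == "unknown" or not in_home_net(home_ip):
        return 0                    # event occurred outside profiled networks
    if rule.predefined_red:
        return 1                    # predefined impact from the rule's metadata
    host = hosts.get(home_ip)
    if host is None:
        return 4                    # previously unseen host in monitored network
    if host.ioc or (rule.cves & host.cves):
        return 1                    # host vulnerable to attack or showing an IOC
    if home_is_server:
        open_ports = host.tcp_ports if rule.proto == "tcp" else host.udp_ports
        if server_port not in open_ports:
            return 3                # relevant port not open / protocol not in use
    return 2                        # port or protocol in use, no vuln mapped


# Constructed host profiles for two discovered hosts.
HOSTS = {
    "10.1.1.20": HostProfile(tcp_ports={445}, cves={"CVE-2015-5259"}),
    "10.1.1.21": HostProfile(tcp_ports={22}),
}

# Rules abridged from the deck (sid 40849, sid 45472) plus one constructed rule.
SVN_RULE = ('alert tcp $EXTERNAL_NET 3690 -> $HOME_NET any (msg:"SERVER-APACHE Apache '
            'Subversion svnserve integer overflow attempt"; flow:to_client,established; '
            'reference:cve,2015-5259; classtype:attempted-user; sid:40849; rev:1; gid:1; )')
CNC_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry '
            'ransomware download attempt"; flow:to_server,established; content:"/minerd32"; '
            'metadata:impact_flag red, service http; classtype:trojan-activity; sid:45472; rev:1; )')
SMB_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed inbound '
            'server-side rule"; flow:to_server,established; sid:1000001; rev:1; )')


def demo():
    """Run each rule against constructed sessions; the keys say what to expect."""
    svn, cnc, smb = parse_rule(SVN_RULE), parse_rule(CNC_RULE), parse_rule(SMB_RULE)
    return {
        "svn_vulnerable_client": impact_flag(svn, "203.0.113.5", 3690, "10.1.1.20", 51000, HOSTS),
        "svn_patched_client": impact_flag(svn, "203.0.113.5", 3690, "10.1.1.21", 51001, HOSTS),
        "svn_unprofiled_client": impact_flag(svn, "203.0.113.5", 3690, "10.1.1.99", 51002, HOSTS),
        "svn_outside_home_net": impact_flag(svn, "203.0.113.5", 3690, "172.16.1.5", 51003, HOSTS),
        "cnc_predefined_ioc": impact_flag(cnc, "10.1.1.21", 40000, "198.51.100.7", 80, HOSTS),
        "smb_port_closed": impact_flag(smb, "203.0.113.9", 40001, "10.1.1.21", 445, HOSTS),
        "smb_port_open_no_vuln": impact_flag(smb, "203.0.113.9", 40002, "10.1.1.20", 445, HOSTS),
    }
```

Note that the svnserve rule is to_client, so the inside host is the client and its server-side ports are irrelevant; only the CVE mapping separates flag 1 from flag 2 there.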
Sample Mapping of FMC Events to Kill Chain

Kill chain phases: Recon, Weaponise, Deliver, Exploit, Install, Command & Control, Action

FMC event types placed against the phases on the slide: Connection Events, Discovery Events, Security Intelligence Events, User Activity, Intrusion Events, File Events, Malware Events, AMP 4 Endpoints, Indications of Compromise, Custom Correlation events

Conditions and data will vary based on the campaign. Understanding the Kill Chain is the beginning of understanding which event types will “show” the attack.
Goal: Getting to Remediation

Order of Investigation†
Phases: Remediation (You’ve been Owned!) – Incident Response (Under Attack) – Data Collection (Research & Tuning)
Event order: Indication of Compromise -> Impact 0 (“Critical Assets”) -> Impact 1 -> Impact 3 (then 2) -> Impact 4
Further prioritisers on the slide: Not Blocked, Internal Source, External Source, Correlation Rules, Dropped

†may vary based on corporate priority
POP QUIZ: Where Do I Start My Investigation?

From the FMC Dashboard / From the FMC Context Explorer

This Is What Most Of Our Networks Look Like.

Some ways to choose:
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CNC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)

THEME: Start with what is compromised first.

From the FMC Context Explorer: Let’s see what these 63 events are all about.
Drilling into the IOC
Busy event. Looks like we’re getting more.

Digging into the IOC
Seems active across 6 hosts. Let’s drill into one.

Looks like Kim Ralls has a lot going on her Windows host.

Events from multiple sources:
• IPS Engine
• File Protection
• AMP for Networks

• .147 Tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah)
• What does Impact 4 mean?
• Should we investigate more?

Did you forget about these? Let’s see if that file moved around without the IPS seeing it.

Yep. That file is malware. We see it in the malware summary, too.

• A lot more than the 6 file transfers and hosts the IPS engine stopped.
• Good thing they have AMP for Endpoints, too.
• Bet they wished they enabled quarantining.
• Problem scoped. Time to remediate.
• Maybe a good time to look at file analysis / Threatgrid to learn what other artifacts are left behind.

Take Away
Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
Good SecOps is Thorough

OODA Loop: Capture Events -> Determine Impact & Scope -> Choose & Prioritise Response -> Remediate

DURING an outbreak this must be as automated as possible.
Looking at an Impact 3 Attempt

• Source IP: all internal
• Destination IP: all external
• Impact 3: no Host Profiles for external hosts
• Sourced from my Network = I’m the attacker? = Indication of Compromise
• TCP detection: means established connection
• These hosts definitely “launched” an attack.
• Next Step: Focus on the Source Host. Probably compromised.

Assessment: This has to be stopped!
Breached? Follow an Order of Operations

Multiple Event Vectors: IPS, Malware, Connection, File, Correlation

Mission/Op Critical Context: IOCs, Trajectory, DNS, Impact Flags

Check all the related data: Event Directionality; Protocol: TCP / UDP?

Leverage Rule Documentation

“See the big story”: Packet not always necessary

Build a complete timeline – tell a story.
Default Reports
• Not just what’s in the templates
• Dashboard widgets are “mini”-reports
  • Over 120 preset reports within a widget
  • Create custom Widgets for more
• Think of the Dashboard as your unlimited report designer.
• Tools:
  • Searches
  • Custom Workflows
  • Custom Tables = Data goldmine
Event Viewing

Tables
• Listing of events with a data set (IPS, Connection, Malware, etc.)
• Customised organisation of specific column headers

Workflows
• Allow Analysts to go straight to meaningful data
• Search for specific or generalised matches within event tables

Filters
• Each table can have its own filters
• Hundreds of filters pre-installed
• Customisable

Custom Tables
• Join of two or more individual event tables
• Aggregate useful data for faster decision making and reporting
• Have their own Workflows and Filters
Workflows

A Default Event View

Changing The View Helps Focus Analysis

Create a Custom Workflow

How It Turned Out
GEEK Tip: Bookmark these in your browser!
Remember order of investigation.
Actionable Data: Hosts .52, .56, and .111 need to be investigated!
Custom Tables

Building Custom Tables: Intrusion Events and Host Data combined into Custom Data.
Have all the data you need immediately in one view.

Custom Table: Intrusion Event with Host Data
Custom tables can even have their own workflows.

Custom Table: Includes Custom Filters
Tables, Custom Tables, and Filters can also be leveraged on the Dashboard. Just choose the 1 column that is most meaningful.
Leveraging the Dashboard

Customise The Dashboard
▪ There are a number of default dashboards
▪ All of them have customisable widgets
▪ Create / Customise your own for better visibility and report designs

Custom Analysis Widget
This is your most powerful widget.

Dashboards That Meet Your Needs: Threat Focused

Dashboards That Meet Your Needs: Network Focused

Build Reports Straight from the Dashboard
Interesting Data for Filtering

Widget ideas from the slide (what to list, and what it surfaces):
• Potential “new” Threat (List Int. Source IP): Top Sec Int. Events with external Dest. IP
• Executable Threat / Top File Sources (List Ext. Source IP): Top External Source IPs for files (esp. exe, jar, pdf, doc, archive, etc.)
• Exfil Destinations (List Int. Source IP): Internal IPs that send files to External Address
• Retrospective Malware (List Int. Source IP): Internal IP addresses Associated with Retrospective Malware
• Odd URLs (List Int. Source IP): Internal IPs connecting to URL Categories “of concern”
• DNS: Internal IPs generating DNS Sinkhole Events
• Bad SSL: Internal IPs using invalid SSL Certs to external IP
• Correlation Events: Internal IPs sourcing Correlation Events (* Create Correlation Rules)
• Processes Introducing Malware: prebuilt in FMC, requires AMP 4 Endpoints
• Invalid App Usage: Internal IPs using Apps on non-standard protocols (* Leverage Open AppID)
APIs Open Firepower to Orchestration

Firepower Management Centre (managing NGIPS and NGFW sensors) exchanges data with (from the slide’s diagram):
• 3rd Party Threat Intelligence
• 3rd Party Vuln Data
• ISE (Identity from ISE)
• Stealthwatch
• AD
• Tetration
• AMP Threatgrid Data
• Web Security
• AMP for Endpoints
• Logging / SIEM (Sending Data to SIEM)
• DNS (Umbrella, Investigate)
• Email Security
• Orchestration (API transaction)
APIs For Firepower

API | Description
E-Streamer | Transmission of 100% of FMC event database to SIEM. Sensor (generates events) -> FMC -> FMC additional analytics / aggregation / custom correlation events -> all original and additional events to SIEM. Much richer data than syslog.
Host Input | Customise Host Profile data, policy oriented labels, CVE data, etc. Programmatically insert data into FMC for use with Impact Analysis and Firepower recommendations.
JDBC | Direct query access to event database, rule documentation, host profile tables, etc. Allows an external system to supplement data available in FMC for a common or central dashboard (Splunk).
Remediation | Programmatic interface for FMC to initiate command instructions to other devices. Threat-Centric NAC (with ISE), Host Profile modification, 3rd party product introduction.
REST | Programmatic interface for GET, PUT, and POST commands with Firepower devices. Command summary on next slide.
Estreamer API

Estreamer: Easy Setup
Components shown on the slide: Install Cert on SIEM; Estreamer Client; SIEM
Host Input API

Enabling a Host Input
• Provide the cert to your Vuln Input tool / Client App
• Added Benefits:
  • Asset Integration Data
  • Host Input + Host Profile Attributes: Provide any additional data re: endpoint that is meaningful
  • The default Import Tool (in the SDK) + CSV File will meet most use cases
JDBC Connector

Why JDBC Connector is used:
• Customised Reporting tools
• Additional data lookups (packet data, rule documentation)
• Useful for SIEMs that do not have Estreamer support
• Programmatic integration:
  • Splunk, Huntsman
  • Phantom Cyber
Remediation API

Automating Response – Remediation API

Inputs (FMC event sources): Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Malware Events, Traffic Profiles
-> Correlation Rules (Boolean Conditions)
-> Correlation Policies
-> Correlation Events
-> Actions (API, Email, SNMP)

Sample Remediation Modules
• Cisco ISE: Rapid Threat Containment
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
ISE + Firepower = Rapid Threat Containment

1. Security Events / IOCs Reported (NGFW -> FMC)
2. Correlation Rules Trigger Remediation Action (FMC)
3. pxGrid EPS Action: Quarantine + Re-Auth (FMC -> ISE)
4. Endpoint Assigned Quarantine + CoA-Reauth Sent (ISE Controller / MnT)
Remediation Modules

Configure Rapid Threat Containment
• Open the System:Integration page
• Enter ISE Server details (slide example: ise-1.mynet.com, ise-2.mynet.com)
• Be sure to configure your certs for the integration
• Notice your ISE mitigation actions!
• Be sure to assign the action to a Correlation Rule within a Correlation Policy
REST API

REST: Turning It On

Leverage REST for:
• NetOps integration & Monitoring
• Platform Status
• REST + Remediation API
• Programmatic integration means more changes can be initiated based on anything you can build

Explore REST: https://<FMC_IP>:443/api/api-explorer

Tip: This is a great way to update firewall objects!
Integration Example: Working with Splunk

FMC to Splunk:
• Syslog: Event messages; System level information; Health Events (FMC & Sensor)
• E-streamer: Contextualised event messages; AMP for Endpoints Events; Host Profile, Misc
• JDBC: Snort Rule Docs; DB Queries
• FMC REST API: get, pull, post, delete instructions

FP Sensors:
• Syslog: Event messages **; System level information
• Sensor-FMC: Event messages; health data

** event messages are richer from estreamer
Recommended Rules

False Negatives Mean You Are NOT Protected

Too many exploits succeed because:
• Systems aren’t patched
• Detections aren’t enabled
Attackers succeed with “old” exploits (Verizon Data Breach Report(s), Cisco Annual Security Report(s))

Cause -> Resolution
• Event Overload! -> Impact Analysis
• Tuning Failures -> Understanding Detection Tools
• Detections Disabled -> Knowing What Needs Protection

Firepower Recommendations Knows What I Do Not
Recommended Rules – How It Works

Snort Rules -> SVID -> Possible Vuln
• SID: 24671, 32361 -> SVID 99675 -> CVE:2012-1528, Integer Overflow in Windows, Remotely exploitable vulnerability (Remote exploit)
• SID: 33306, BLACKLIST: Connection to a malware sinkhole -> Detection of behaviour that comes from a compromised host or one that is about to be compromised.
Recommended Rules – The Details

Rule that will map to Recommended Rules (it carries a CVE reference):
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )

Not all rules have a CVE! Rules disabled by default:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )

Some rules will ALWAYS be turned off by Recommended Rules. You may want to uncheck this.
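To make the point of the two slides above concrete, here is an added example (not from the deck or from Cisco) that models the mapping Recommended Rules is described as making: host-profile CVEs are matched against the reference:cve options of Snort rules, a rule with no CVE reference cannot be mapped and is turned off unless you keep it. The rule texts are abridged from the slides plus one constructed rule; the host data is constructed and the FMC's SVID tables are not reproduced.

```python
"""Added example, not from the Cisco deck: a simplified model of the Recommended
Rules mapping from host-profile CVEs through reference:cve to Snort SIDs.
Rules are abridged from the slides (plus one constructed rule); hosts are constructed."""
import re

CVE_REF = re.compile(r"reference:cve,(\d{4}-\d+)")

# sid 32265 carries a CVE, sid 33306 does not (both abridged from the deck);
# sid 1000001 is constructed, for a CVE none of the constructed hosts has.
RULES = {
    32265: 'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX '
           'installer broker object sandbox escape attempt"; reference:cve,2014-4123; '
           'sid:32265; rev:1; )',
    33306: 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to '
           'malware sinkhole"; metadata:impact_flag red; sid:33306; rev:1; )',
    1000001: 'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed rule"; '
             'reference:cve,2012-1528; sid:1000001; rev:1; )',
}

# Constructed host profiles: potential vulnerabilities per host.
HOST_CVES = {
    "10.1.1.20": {"CVE-2014-4123"},
    "10.1.1.21": set(),
}


def rule_cves(rule_text):
    """CVE identifiers referenced by a rule, in the form the host profile uses."""
    return {"CVE-" + m for m in CVE_REF.findall(rule_text)}


def recommend(rules, host_cves, keep_enabled=frozenset()):
    """Sort SIDs into enable / disable, and report the ones that cannot be mapped.

    enable:     rule references a CVE that at least one profiled host carries
    disable:    rule references only CVEs no profiled host carries
    unmappable: rule has no CVE reference; the recommendation turns these off
                unless the SID is in keep_enabled (the slide's "you may want
                to uncheck this" choice). Unmappable SIDs also appear in
                enable or disable so the result covers every rule."""
    network_cves = set().union(*host_cves.values()) if host_cves else set()
    enable, disable, unmappable = set(), set(), set()
    for sid, text in rules.items():
        cves = rule_cves(text)
        if not cves:
            unmappable.add(sid)
            (enable if sid in keep_enabled else disable).add(sid)
        elif cves & network_cves:
            enable.add(sid)
        else:
            disable.add(sid)
    return {"enable": enable, "disable": disable, "unmappable": unmappable}


def hosts_for_rule(sid, rules, host_cves):
    """Hosts whose profile carries one of the rule's CVEs: why the rule matters."""
    cves = rule_cves(rules[sid])
    return sorted(h for h, hc in host_cves.items() if cves & hc)
```

With the sinkhole rule kept enabled, `recommend(RULES, HOST_CVES, keep_enabled={33306})` enables both sid 32265 and sid 33306 while still reporting 33306 as unmappable.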
Correlation Rules

Custom: Correlation & White List Events

Correlation Events: Internal events based on boolean conditions within and across multiple event databases within the FMC. FMC Events and Traffic Profiles feed Correlation Rules, which produce Correlation Events. [Tip: Correlation Rules can monitor changes in flow!]

White List Events / Violations: Internal events based on changes to individual or grouped host Profiles. Discovery Events -> Host Profile Changes -> White List Events.

First step in creating automated response!
Correlation Rules / Correlation Policy

Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to Actions such as: Email, Syslog, SNMP events or remediation actions.

Value:
• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response to specific conditions

Event funnel shown on the slide: 100,000 events -> 5,000 events -> 500 events -> 100 events -> 20 events -> 10 events -> 3 Events

Correlation Policy: Correlation Rule -> Correlation Event -> Action (Email, Syslog, SNMP, Remediation Module)
Correlation Rules Go Into Correlation Policies

Building a Correlation Rule

Sample Correlation Rule
Correlation Rule to:
• Ensure only HTTPS traffic is used on port 443
• Ensure traffic is initiated by a Host whose defined Location (host Attribute) is POS
• Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network
• Any traffic outside this profile will generate an event

Correlation Rule Example: Production Network Change

Example: Production Network Change is Exfiltrating Traffic
Some Correlation Rules To Drive Action

If “an Intrusion Event occurs” . . .
  Impact Flag is 3 - Yellow
  OR Impact Flag is 4 - Blue
AND
  Source IP is in 192.168.0.0/16
  OR Source IP is in 10.0.0.0/8
  OR Source IP is in 172.16.0.0/12
AND
  Destination IP is not in 192.168.0.0/16
  OR Destination IP is not in 10.0.0.0/8
  OR Destination IP is not in 172.16.0.0/12
You have a compromised host “attacking” systems off your network.

If “a Malware Event occurs” “by retrospective network-based malware detection”
  Sending IP is in 192.168.0.0/16
  OR Sending IP is in 10.0.0.0/8
  OR Sending IP is in 172.16.0.0/12
OR
  Receiving IP is in 192.168.0.0/16
  OR Receiving IP is in 10.0.0.0/8
  OR Receiving IP is in 172.16.0.0/12
A recently seen file has been retrospectively determined to be malware! Go Stop it NOW!
Some Correlation Rules To Drive Action
Make it even more actionable based on the file TYPE

If “a Malware Event occurs” “by retrospective network-based malware detection”
  Sending IP is in 192.168.0.0/16
  OR Sending IP is in 10.0.0.0/8
  OR Sending IP is in 172.16.0.0/12
OR
  Receiving IP is in 192.168.0.0/16
  OR Receiving IP is in 10.0.0.0/8
  OR Receiving IP is in 172.16.0.0/12
A recently seen file has been retrospectively determined to be malware! Go Stop it NOW!
Just add another Boolean Condition
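The three rules above (compromised host attacking outward, retrospective malware on an internal host, and the same rule with a file-type condition added), evaluated in plain Python as an added example. This is illustrative code, not FMC's rule engine or its rule format; the event records, their field names and the file-type value "MSEXE" are constructed for the example. It also carries the check a practitioner should make on the intrusion rule: the three “Destination IP is not in …” conditions have to be combined with AND to mean “outside every RFC 1918 range”; joined with OR they are true for every address, which the `or_of_not_in_conditions` helper demonstrates.

```python
"""Correlation-rule Boolean logic as plain Python (added illustration, not FMC code).

Events are constructed dicts with field names chosen for this example; the
file-type label "MSEXE" is likewise a constructed sample value.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

# The three ranges named in the slides' "IP is in ..." conditions.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True when addr lies in any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def or_of_not_in_conditions(addr: str) -> bool:
    """Literal 'not in A OR not in B OR not in C': true for every address,
    so it cannot express 'destination outside all private ranges'."""
    ip = ipaddress.ip_address(addr)
    return any(ip not in net for net in RFC1918)


@dataclass
class CorrelationRule:
    name: str
    event_type: str                    # which event stream the rule watches
    condition: Callable[[Dict], bool]  # the Boolean part of the rule
    actions: List[str]                 # email / syslog / snmp / remediation
    message: str


def internal_host_attacking_outward(ev: Dict) -> bool:
    """Impact 3 or 4, RFC 1918 source, destination outside every RFC 1918 range."""
    return (ev["impact_flag"] in (3, 4)
            and is_rfc1918(ev["source_ip"])
            and not is_rfc1918(ev["destination_ip"]))  # AND across the 'not in' conditions


def retrospective_malware_on_internal_host(ev: Dict) -> bool:
    """Retrospective verdict where either endpoint is an internal host."""
    return (ev["detection"] == "retrospective network-based malware detection"
            and (is_rfc1918(ev["sending_ip"]) or is_rfc1918(ev["receiving_ip"])))


def retrospective_executable_on_internal_host(ev: Dict) -> bool:
    """The same rule with one more Boolean condition on file type."""
    return retrospective_malware_on_internal_host(ev) and ev["file_type"] == "MSEXE"


POLICY = [
    CorrelationRule("compromised-host-outbound", "intrusion", internal_host_attacking_outward,
                    ["email", "syslog"],
                    "You have a compromised host attacking systems off your network."),
    CorrelationRule("retrospective-malware", "malware", retrospective_malware_on_internal_host,
                    ["syslog"],
                    "A recently seen file has been retrospectively determined to be malware."),
    CorrelationRule("retrospective-malware-exe", "malware", retrospective_executable_on_internal_host,
                    ["syslog", "remediation"],
                    "Retrospective malware verdict on an executable; stop it now."),
]

# Constructed sample events; RFC 5737 documentation addresses stand in for external hosts.
SAMPLE_EVENTS = [
    {"type": "intrusion", "impact_flag": 3, "source_ip": "10.1.2.3", "destination_ip": "203.0.113.7"},
    {"type": "intrusion", "impact_flag": 1, "source_ip": "10.1.2.3", "destination_ip": "203.0.113.7"},
    {"type": "intrusion", "impact_flag": 4, "source_ip": "10.1.2.3", "destination_ip": "192.168.5.5"},
    {"type": "malware", "detection": "retrospective network-based malware detection",
     "sending_ip": "198.51.100.9", "receiving_ip": "172.16.4.4", "file_type": "MSEXE"},
    {"type": "malware", "detection": "retrospective network-based malware detection",
     "sending_ip": "198.51.100.9", "receiving_ip": "172.16.4.4", "file_type": "PDF"},
    {"type": "malware", "detection": "network-based malware detection",
     "sending_ip": "198.51.100.9", "receiving_ip": "172.16.4.4", "file_type": "MSEXE"},
]


def run_policy(policy: List[CorrelationRule], events: List[Dict]) -> List[Dict]:
    """Evaluate each rule against events of its type; one correlation event per match."""
    hits = []
    for ev in events:
        for rule in policy:
            if ev["type"] == rule.event_type and rule.condition(ev):
                hits.append({"rule": rule.name, "actions": rule.actions,
                             "message": rule.message, "event": ev})
    return hits


def rule_hit_counts(events: List[Dict] = SAMPLE_EVENTS) -> Dict[str, int]:
    """How many correlation events each rule produced over the sample."""
    counts = {rule.name: 0 for rule in POLICY}
    for hit in run_policy(POLICY, events):
        counts[hit["rule"]] += 1
    return counts


if __name__ == "__main__":
    for hit in run_policy(POLICY, SAMPLE_EVENTS):
        print(hit["rule"], "->", ", ".join(hit["actions"]), ":", hit["message"])
```

Over the six constructed events the outbound rule fires once (the impact-1 event and the event with an internal destination are filtered out), the retrospective rule fires twice, and the executable-only variant fires once; the third intrusion event shows why the “not in” conditions need AND, since `or_of_not_in_conditions` is true even for its 192.168.5.5 destination.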
White Listing
Whitelisting
• Tool to profile/snapshot a host or network segment to monitor for change.
• Changes generate a correlation event
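Whitelisting as described above, worked through in plain Python as an added example (not FMC's code or its white-list format, which is built in the GUI): a constructed white list for a hypothetical POS segment, the compliance check a host profile is evaluated against, and a snapshot diff that turns a change on a host into an event. Host records, field names and the allowed OS/service values are all constructed for the example.

```python
"""Compliance white-list check as plain Python (added illustration, not FMC code).

The white list, host snapshots and field names are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

Service = Tuple[str, int, str]  # (protocol, port, application)

# Constructed white list for a hypothetical POS segment.
WHITELIST = {
    "targets": [ipaddress.ip_network("10.10.0.0/24")],
    "allowed_os": {"Windows 10", "Windows Server 2016"},
    "allowed_services": {("tcp", 443, "HTTPS"), ("tcp", 3389, "RDP")},
}


def in_scope(host: Dict, whitelist: Dict) -> bool:
    """Only hosts inside the white list's target networks are evaluated."""
    ip = ipaddress.ip_address(host["ip"])
    return any(ip in net for net in whitelist["targets"])


def violations(host: Dict, whitelist: Dict) -> List[str]:
    """Everything in the host profile that the white list does not allow."""
    found = []
    if host["os"] not in whitelist["allowed_os"]:
        found.append(f"os '{host['os']}' not allowed")
    for proto, port, app in host["services"]:
        if (proto, port, app) not in whitelist["allowed_services"]:
            found.append(f"service {app} on {proto}/{port} not allowed")
    return found


def whitelist_events(hosts: List[Dict], whitelist: Dict) -> List[Dict]:
    """One correlation-style event per in-scope, non-compliant host."""
    events = []
    for host in hosts:
        if not in_scope(host, whitelist):
            continue
        problems = violations(host, whitelist)
        if problems:
            events.append({"host": host["ip"], "violations": problems})
    return events


def changed_since(snapshot: Dict, current: Dict) -> List[str]:
    """Diff two profiles of the same host: what appeared or disappeared since the snapshot."""
    changes = []
    if snapshot["os"] != current["os"]:
        changes.append(f"os changed {snapshot['os']} -> {current['os']}")
    for svc in sorted(set(current["services"]) - set(snapshot["services"])):
        changes.append(f"new service {svc[2]} on {svc[0]}/{svc[1]}")
    for svc in sorted(set(snapshot["services"]) - set(current["services"])):
        changes.append(f"service {svc[2]} on {svc[0]}/{svc[1]} gone")
    return changes


# Constructed discovery data: a compliant host, one that grew an unexpected service,
# and one outside the white list's target network.
HOSTS = [
    {"ip": "10.10.0.5", "os": "Windows 10", "services": [("tcp", 443, "HTTPS")]},
    {"ip": "10.10.0.9", "os": "Windows 10", "services": [("tcp", 443, "HTTPS"), ("tcp", 8080, "HTTP")]},
    {"ip": "10.20.0.9", "os": "Linux", "services": [("tcp", 22, "SSH")]},
]
# Constructed earlier snapshot of the second host, before the new service appeared.
SNAPSHOT_10_10_0_9 = {"ip": "10.10.0.9", "os": "Windows 10", "services": [("tcp", 443, "HTTPS")]}

if __name__ == "__main__":
    for event in whitelist_events(HOSTS, WHITELIST):
        print(event["host"], event["violations"])
    print(changed_since(SNAPSHOT_10_10_0_9, HOSTS[1]))
```

The out-of-scope Linux host would fail the white list if it were evaluated, but it is skipped because the target network is part of the white list; that scoping is what keeps a segment-specific profile from generating noise across the whole network.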
Traffic Profiling
Traffic Profiles
• Graphically & Statistically monitors the change in traffic over time
• Build profiles based on multiple conditions: IP, Port, Protocol, VLAN, Application, Base OS, Host Attribute (filter like correlation rules)
• Standard and velocity based views

Traffic Profiles: Automate Alert w/ Correlation
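The standard and velocity views above, and the correlation-style alert built on them, worked through in plain Python as an added example (not FMC's profiling code). The per-interval connection counts are constructed; the profile is the mean and standard deviation of the learning window, the standard view scores a new interval's raw count against it, the velocity view scores the change from the previous interval, and an alert fires when either view exceeds a threshold in standard deviations.

```python
"""Traffic-profile baseline and deviation check (added illustration, not FMC code).

Counts are constructed: connections per 5-minute interval from a hypothetical
segment during the profiling period.
"""
import statistics
from typing import Dict, List, Tuple

PROFILE_COUNTS = [120, 118, 125, 130, 122, 119, 127, 124, 121, 126, 123, 128]


def build_profile(counts: List[int]) -> Dict[str, Tuple[float, float]]:
    """Mean and population standard deviation for the standard and velocity views."""
    deltas = [later - earlier for earlier, later in zip(counts, counts[1:])]
    return {
        "standard": (statistics.mean(counts), statistics.pstdev(counts)),
        "velocity": (statistics.mean(deltas), statistics.pstdev(deltas)),
    }


PROFILE = build_profile(PROFILE_COUNTS)


def sigma(value: float, mean: float, stdev: float) -> float:
    """How many standard deviations `value` sits from the baseline mean."""
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def evaluate_interval(profile: Dict, previous_count: int, current_count: int,
                      threshold: float = 3.0) -> Dict:
    """Correlation-style test: alert when either view exceeds `threshold` sigma above baseline."""
    std_sigma = sigma(current_count, *profile["standard"])
    vel_sigma = sigma(current_count - previous_count, *profile["velocity"])
    return {
        "standard_sigma": round(std_sigma, 2),
        "velocity_sigma": round(vel_sigma, 2),
        "alert": std_sigma > threshold or vel_sigma > threshold,
    }


def scan(counts: List[int], profile: Dict = PROFILE, threshold: float = 3.0) -> List[int]:
    """Indexes of intervals in a monitored series that would raise a correlation event."""
    flagged = []
    for i in range(1, len(counts)):
        if evaluate_interval(profile, counts[i - 1], counts[i], threshold)["alert"]:
            flagged.append(i)
    return flagged


# Constructed monitoring window: steady, a jump that only the velocity view catches, then a burst.
OBSERVED = [124, 122, 113, 133, 126, 400]

if __name__ == "__main__":
    print("baseline:", PROFILE)
    for i in scan(OBSERVED):
        print("interval", i, evaluate_interval(PROFILE, OBSERVED[i - 1], OBSERVED[i]))
```

The 113 to 133 step is the case the velocity view exists for: 133 connections is within three standard deviations of the baseline count, so the standard view stays quiet, but a swing of 20 in one interval is well outside the baseline rate of change.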
Agenda: Why FMC | Event Context | Security Investigation | Reporting | Integration | Automation | Healthy Deployments | Closing
Healthy Deployments

Packets and Policies: Know What’s Happening Where
[Figure: packet path through the ASA/Lima data plane and the Firepower engine]
ASA/Lima data plane: Ingress RX Interface; Existing Conn? (Y/N); Prefilter Policy (Fastpathed traffic); VPN Decrypt (VPN Config); hand-off to Firepower through the DAQ; L3/L4 ACL; NAT; ALG Checks; QoS; VPN Encrypt; Egress TX Interface; L3, L2 Hops.
Firepower engine, in order: SI (IP); SSL; Pre-proc (NAP); DNS SI; ID (App ID, Passive ID); L7 ACL (URL SI); File/AMP; IPS. Discovery (Host, App) runs alongside.
Policies feeding those stages: SSL Policy; Network Analysis Policy (NAP); DNS Policy; Identity Policy; Intrusion Policy; Network Discovery Policy; Access Control Policy; Malware & File Policy; Intrusion Policy. Plus $VAR (variables) and Objects. Legend: Element Enabled in AC Policy.

Knowing your detection process impacts:
• How you analyse the data
• How you tune your security appliance
Access Policy Tips
• Rule not turning off? Check your Network Analysis Policy
• Putting a monitor rule at the top of your AC Policy can impact performance.
• Be careful of overly precise rules
  • Defining Zone AND Network AND VLAN (or SGT) can potentially lead to event duplication or skipped threat detections
• IPS Rules can have a NOT condition in traffic matching (“!”)
  • AC Rules do not have this option
• When deploying in-line (non-routed), it’s handy to have a network object for all non-RFC 1918 addresses.
  • Especially if VLAN or Routing decisions are made “north of the appliance”
  • This can help reduce excess connection events or duplicate IPS events
• FMC automatically checks rules for problems; leverage it, but don’t rely on it.
  • Nothing beats reviewing connection and intrusion events for duplication
• Pre-FILTER un-inspectable or low impact traffic (backup, SIP, some SSL/TLS)
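The “all non-RFC 1918 addresses” network object from the tips above has to be entered as a list of CIDR blocks, and working them out by hand is error-prone. The following added example (plain Python using the standard `ipaddress` module, not FMC code) computes the complement of the three private ranges in IPv4 space and checks that the result, together with the private ranges, tiles the address space exactly once. Names and the sanity-check function are the example's own.

```python
"""Build the 'all non-RFC 1918 addresses' network object (added illustration, not FMC code).

Produces the complement of the three private ranges in IPv4 as CIDR blocks,
which is what such a network object has to contain.
"""
import ipaddress
from typing import Iterable, List

IPv4Net = ipaddress.IPv4Network
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def exclude_all(space: IPv4Net, holes: Iterable[IPv4Net]) -> List[IPv4Net]:
    """CIDR blocks of `space` with every network in `holes` carved out."""
    remaining = [space]
    for hole in holes:
        kept = []
        for block in remaining:
            if hole.subnet_of(block):
                kept.extend(block.address_exclude(hole))  # split the block around the hole
            elif block.subnet_of(hole):
                continue                                   # block lies entirely inside the hole
            else:
                kept.append(block)                         # disjoint; keep it whole
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def non_rfc1918_blocks() -> List[IPv4Net]:
    """Every IPv4 block that is not RFC 1918 space."""
    return exclude_all(ipaddress.ip_network("0.0.0.0/0"), RFC1918)


def as_cidr_list() -> List[str]:
    """The strings to paste into the network object."""
    return [str(n) for n in non_rfc1918_blocks()]


def in_object(addr: str, blocks: List[IPv4Net]) -> bool:
    """Would this address match the object?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in b for b in blocks)


def tiles_ipv4(blocks: List[IPv4Net]) -> bool:
    """Sanity check: the blocks plus the RFC 1918 ranges cover IPv4 exactly once."""
    combined = list(blocks) + RFC1918
    no_overlap = all(not a.overlaps(b)
                     for i, a in enumerate(combined) for b in combined[i + 1:])
    return no_overlap and sum(n.num_addresses for n in combined) == 2 ** 32


if __name__ == "__main__":
    for cidr in as_cidr_list():
        print(cidr)
```

Excluding a /8, a /12 and a /16 from 0.0.0.0/0 leaves 31 blocks; the `tiles_ipv4` check is worth keeping in any script that generates such an object, because a missing or overlapping block is exactly the kind of error that produces the duplicate or missing events the tips warn about.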
Agenda: Why FMC | Event Context | Security Investigation | Reporting | Integration | Automation | Healthy Deployments | Closing
Closing

Call to Action
• Firepower Management Centre can be the centre of your security operations.
• Look at FMC as a security automation framework -> Automate Threat Hunting
  • Don’t “hunt the same problem twice” – Use Correlation Rules
• Look for cross product integration to strengthen FMC’s value.
  • Be creative in creating solutions. Look beyond “IPS” or “Threat Protection” opportunities.
• FMC’s real value is in how it can merge security operations and business outcome.
  • Look for additional consumers of FMC data.
  • Security will have greater value as a business enabler.
• Check out Firepower more at the World of Solutions! What can you make it do?!
Thank you
And remember to fill out your surveys!
Q&A

Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.