The battle in the networks is fought with unequal weapons. Attackers have enough time to develop, test and improve malware, and to use it only when all conditions are ideal. If an attack fails, in most cases the attackers will be able to try again to compromise a system, while a single successful attempt is often sufficient to achieve the goals of the attack. In this post, you will read how Cisco AMP and the Firepower Management Center can be a crucial component of a continuous security process.


For example, malware does not necessarily need to know where sensitive data is stored. Ransomware like the encryption Trojan Locky is a suitable demonstration object: files and folders that the users have access to are encrypted with a key unknown to the owner, and the owner of the files is then blackmailed.

Against a payment, the key can be acquired and the files can be made accessible again. Even agencies such as the Federal Bureau of Investigation are recommending giving in to the blackmailers and paying the requested amount (


To counter this unequal game, security needs to be a continuous process that happens everywhere at any time. Today attackers possess a whole variety of means of attack: out-of-date browsers, insecure plug-ins, weak points in network protocols, or inquisitive or untrained users. Additionally, attacks can creep along for a long time, and individual steps of a compromise can easily remain undetected. To be able to protect oneself sufficiently from today's threats, a solution is required that is not only deployed at the network edge but that extends the protection to as many components as possible.


Like the security process itself, security products will have to permanently compare the decisions they took, for instance whether a file may contain malware, with the latest knowledge, and where applicable a new decision will have to be made. On top of that, the individual components of the solution will have to share the collected information and the detected incidents with a central location. Only this makes it possible to gain useful information out of the recorded data of an intrusion detection system, of a malware protection solution or of any other security-relevant technology in order to raise the security level continuously.


Cisco AMP (Advanced Malware Protection) and the Firepower Management Center can be a crucial component of this process. Cisco AMP offers visibility and malware protection on a large number of components – from the next generation firewalls of the ASA and Firepower series, to the email and web security gateways, all the way to desktops and mobile phones. Several detection mechanisms make it possible to discover even modified versions of malware. This is achieved, for instance, by comparing files against millions of already known malicious as well as harmless files. Additionally, files can be executed in a virtual environment that is difficult for malware to recognize, in order to evaluate the behavior of the file.

With all its capabilities, Cisco AMP is not only collecting information on the suspected malicious file, but on each file that is scanned, irrespective of whether it is currently rated as malicious or harmless. As the already collected information is constantly compared with new samples, it becomes possible to detect malware even if it escaped an earlier detection.

If the judgement on a file is revised, all AMP clients are able to access this information, and the infected system can either be cleaned up or the malware can at least be prevented from spreading further. As the so-called disposition, i.e. the judgement whether a file contains malware, is provided by the AMP Cloud, users outside of the company network are also protected automatically.

Even systems without Cisco AMP are able to benefit from a deployment on network components. If an attacker tries, for instance, to send the malware via email as a Word macro and this mail passes a Cisco email security appliance with activated AMP protection, the attachment will be analyzed and, if necessary, it will not be delivered to the user.

The installation on the endpoint, though, has additional advantages, such as visibility of process relations. If a program that downloads further malware (a dropper) is started, it is possibly very difficult to identify this as a malicious operation on its own. However, if the process relationship is known, then as soon as the downloaded malware is identified it is also possible to stop the dropper process, and a fresh infection can be prevented.


The information from the AMP clients is collected centrally in the Firepower Management Center (FMC). Not only does AMP report its discoveries to the FMC; other components such as Intrusion Detection / Prevention or Access Control also report events to the central administration. This enables the linkage of events from different sources.

If network components uncover communication between a client and a command and control server, by means of security intelligence data or by means of rules of the IDS/IPS systems, and AMP is also reporting suspicious behavior on this device, then this information will be linked and the client will be regarded, with high probability, as infected.
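The linkage described above can be illustrated with a small correlation routine. This is an added example, not Cisco code and not the FMC's actual correlation logic: it takes a constructed list of events from a network-side source (an IDS/IPS rule or security intelligence hit for C2 traffic) and from an endpoint AMP client, and marks a host as "likely infected" only when both kinds of indicator occur for the same host within a time window. The event fields, source names and window size are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    source: str   # "ids" / "secintel" (network side) or "amp" (endpoint)
    host: str
    detail: str

# Constructed sample events (not real FMC output).
EVENTS = [
    Event(datetime(2016, 3, 1, 10, 0), "ids", "10.1.2.3", "C2 beacon signature"),
    Event(datetime(2016, 3, 1, 10, 4), "amp", "10.1.2.3", "suspicious process injection"),
    Event(datetime(2016, 3, 1, 11, 0), "ids", "10.1.2.9", "C2 beacon signature"),
    Event(datetime(2016, 3, 1, 9, 0), "amp", "10.1.2.7", "suspicious process injection"),
]

NETWORK_SOURCES = {"ids", "secintel"}

def correlate(events, window=timedelta(minutes=30)):
    """Return {host: verdict}. A host is 'likely infected' when a network-side
    C2 indicator and an endpoint AMP indicator for that host lie within
    `window` of each other; hosts with only one kind of indicator are
    flagged for review instead of being declared infected."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    verdicts = {}
    for host, evs in by_host.items():
        network = [e for e in evs if e.source in NETWORK_SOURCES]
        endpoint = [e for e in evs if e.source == "amp"]
        linked = any(abs(n.ts - a.ts) <= window for n in network for a in endpoint)
        if linked:
            verdicts[host] = "likely infected"
        elif network or endpoint:
            verdicts[host] = "single-source indicator, needs review"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(correlate(EVENTS).items()):
        print(f"{host}: {verdict}")
```

The point of the time window is that a C2 signature alone (a false positive on a benign update check, for example) or an endpoint heuristic alone produces a review item, while the combination of both on one device within minutes is what justifies treating the client as compromised.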

Beyond malware, it is also possible to define policies in the FMC for any type of file. Thus, it can for instance be prevented that office documents are uploaded from the company network via HTTP, or that executable files are spread within the network.

A sensor (any type of compatible hardware or software) with AMP functionality that is integrated in the FMC constantly collects information on the files it recognizes in the network stream. This leads to a detailed listing of files. Additionally, the so-called File Trajectory documents who sent, moved or copied files, from where, when and to where.
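The two ideas above, the retrospective revision of a disposition described earlier and the File Trajectory described here, rest on the same record: every observed file event is kept, whether or not the file looked malicious at the time. The following added example (not Cisco code, and not the FMC's data model) shows a minimal ledger of that kind. It records constructed file events as a sensor might report them, reconstructs the trajectory of a given hash, and, when the disposition of a hash is later revised to malicious, returns every host that received the file so that those systems can be cleaned up. Event fields, hash values and host names are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class FileEvent:
    ts: str        # ISO-style timestamp (constructed)
    sha256: str    # file hash (shortened placeholder, constructed)
    action: str    # how the file moved: received_email, copied, downloaded
    src: str       # where it came from
    dst: str       # where it ended up
    user: str

class FileLedger:
    """Keeps every file event plus the current disposition per hash."""

    def __init__(self):
        self.events = []
        self.dispositions = {}  # sha256 -> "unknown" | "clean" | "malicious"

    def record(self, event, disposition="unknown"):
        self.events.append(event)
        # Keep the first known disposition; revise() is the only way to change it.
        self.dispositions.setdefault(event.sha256, disposition)

    def trajectory(self, sha256):
        """Ordered list of (ts, user, action, src -> dst) for one hash."""
        return [
            (e.ts, e.user, e.action, f"{e.src} -> {e.dst}")
            for e in sorted(self.events, key=lambda e: e.ts)
            if e.sha256 == sha256
        ]

    def hosts_holding(self, sha256):
        """Every destination that ever received the file."""
        return {e.dst for e in self.events if e.sha256 == sha256}

    def revise(self, sha256, new_disposition):
        """Apply a revised disposition. When a file flips to malicious,
        return the sorted list of hosts that must be checked and cleaned."""
        old = self.dispositions.get(sha256, "unknown")
        self.dispositions[sha256] = new_disposition
        if new_disposition == "malicious" and old != "malicious":
            return sorted(self.hosts_holding(sha256))
        return []

# Constructed sample events: a macro document arrives by mail, is copied to a
# share, and picked up by a second user; a second, unrelated file is downloaded.
SAMPLE_EVENTS = [
    FileEvent("2016-03-01T08:00", "aa11", "received_email", "mailgw", "host-12", "alice"),
    FileEvent("2016-03-01T08:05", "aa11", "copied", "host-12", "fileshare", "alice"),
    FileEvent("2016-03-01T09:30", "aa11", "copied", "fileshare", "host-44", "bob"),
    FileEvent("2016-03-01T09:45", "bb22", "downloaded", "webproxy", "host-44", "bob"),
]

def build_ledger(events=SAMPLE_EVENTS):
    ledger = FileLedger()
    for e in events:
        ledger.record(e)  # at scan time nothing was known to be malicious
    return ledger

if __name__ == "__main__":
    ledger = build_ledger()
    for step in ledger.trajectory("aa11"):
        print(step)
    # Later, the verdict for aa11 is revised: every holder is listed for cleanup.
    print("clean up:", ledger.revise("aa11", "malicious"))
```

Note that the ledger deliberately stores events for files whose disposition was "unknown" or "clean" at scan time; without that, a later revision would have nothing to act on, which is exactly the gap a scan-once antivirus leaves open.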

An additional interesting approach of Cisco AMP is the analysis of how often a file is seen in a network. Most businesses install their clients from a universal image (Golden Image) or by means of a central software distribution. This has the effect that clients are very similar at file level. If a file is discovered that is present on only one or very few clients, it can be considered suspicious. Apart from obvious exceptions such as IT, R&D etc., this is a very good indication of where an infection may already have taken place.
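The prevalence idea above is easy to reproduce against any file inventory, whatever product collected it. The following added example (not Cisco code, and not AMP's own prevalence feature) counts on how many hosts each file hash occurs in a constructed inventory and flags hashes seen on at most a configurable number of hosts, while ignoring files that appear only on hosts in exempt roles such as IT or R&D, which are expected to differ from the golden image. Host names, roles and hash values are assumptions for the example.

```python
from collections import defaultdict

# Constructed inventory: host -> (role, set of file hashes seen on that host).
# "base-*" stands for files from the golden image; the others are outliers.
INVENTORY = {
    "host-01": ("office", {"base-a", "base-b", "base-c"}),
    "host-02": ("office", {"base-a", "base-b", "base-c"}),
    "host-03": ("office", {"base-a", "base-b", "base-c", "odd-1"}),
    "host-04": ("office", {"base-a", "base-b", "base-c"}),
    "dev-01":  ("rnd",    {"base-a", "base-b", "base-c", "compiler-x"}),
}

def prevalence(inventory):
    """Number of hosts on which each file hash was observed."""
    counts = defaultdict(int)
    for _role, files in inventory.values():
        for f in files:
            counts[f] += 1
    return dict(counts)

def low_prevalence_files(inventory, max_hosts=1, exempt_roles=("it", "rnd")):
    """Return {hash: [hosts]} for files present on at most `max_hosts` hosts.
    A file that occurs only on exempt-role hosts (IT, R&D, ...) is skipped,
    since those machines legitimately carry tools the office image lacks."""
    holders = defaultdict(set)
    for host, (_role, files) in inventory.items():
        for f in files:
            holders[f].add(host)

    flagged = {}
    for f, hosts in holders.items():
        if len(hosts) > max_hosts:
            continue
        if all(inventory[h][0] in exempt_roles for h in hosts):
            continue
        flagged[f] = sorted(hosts)
    return flagged

if __name__ == "__main__":
    for f, hosts in low_prevalence_files(INVENTORY).items():
        print(f"rare file {f} on {hosts}: worth a closer look")
```

A low prevalence is a lead, not a verdict: the flagged hashes should feed into the disposition lookup and the trajectory of the file rather than trigger an action by themselves, and the `max_hosts` threshold needs to grow with the size of the estate (a file on three of five thousand clients is just as odd as one on a single client out of ten).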



Advanced Malware Protection and the Firepower Management Center offer protection that an antivirus program can no longer provide. A distributed system of AMP clients, continuous analysis of files and the correlation of the collected information make the system a serious opponent for malware.

The NTS security experts are gladly available for in-depth questions and for any further information.

Thomas Fellinger
Senior Systems Engineer
