SCOR Chapter11 EndPointSecurity

The document discusses the challenges of defending endpoint devices, highlighting the increasing difficulty in securing mobile devices, cloud data, and user behavior. It outlines advanced evasion techniques used by malware and details the capabilities of Endpoint Detection and Response (EDR) systems, including threat blocking and digital forensics. Additionally, it describes how Cisco addresses these challenges through various detection and response strategies, including agentless detection, continuous monitoring, and outbreak control mechanisms.

Uploaded by minhlilili

6/17/2024

Chapter 11. Endpoint Protection and Detection

Topics: Introduction; AMP for Endpoints; Threat Response

Endpoint Devices Increasingly Difficult to Defend

Most challenging areas to defend:

• Mobile Devices: 57%
• Cloud Data: 56%
• User Behaviour: 56%

How Does the 1% Escape and Get Through?

Advanced evasion techniques:


• Fileless malware
• Environmentally-aware malware
• Polymorphism
• Exploit legitimate processes

Endpoint Threat Detection & Response (ETDR) / Endpoint Detection and Response (EDR)

• EDR monitors endpoint and network events.
• Records the information in a central database.
• Enables further analysis, detection, investigation and reporting.
• An agent installed on the endpoint performs monitoring and detection of potential security threats.
• Blocks malicious network connections based on custom IP blacklists or intelligent dynamic lists of malicious IPs.
• Resides on Windows, Mac, Linux and Android.

ETDR & EDR

• The minimum capabilities of a good EDR:
  • Filtering: filter out false positives.
  • Threat blocking: contain the threats, not just detect them.
  • Help with digital forensics and incident response (DFIR): perform DFIR tasks and threat hunting to prevent data loss.
  • Powerful and detailed reporting.

How Cisco Addresses Endpoint Challenges

Prevent:
• Antivirus
• Fileless malware detection
• Cloud lookups (1:1, 1:many)
• Client Indicators of Compromise

Detect:
• Static analysis
• Sandboxing
• Malicious Activity Protection
• Machine learning
• Device flow correlation
• Cloud Indicators of Compromise

Reduce Risk:
• Vulnerable software
• Low prevalence
• Proxy log analysis

Agentless Detection with Proxy Analysis

Identify Anomalous Traffic Occurring Within Your Network

Figure: agentless devices such as VoIP Phones, Printers, Security Cameras and Thermostats.

Prevent Fileless Malware

Malware Evolved – We Need to Protect Against More than Just Files

Monitor process activity and guard against attempts to hijack legitimate applications.

• Monitor process behaviour at execution.
• Tuned to detect tell-tale ransomware signs.
• Quarantine and terminate associated files and processes.
• Log and alert on encryption attempts.

Cloud Based Analysis - See Once, Block Everywhere

Share Intelligence Across Network, Web, Email, Endpoints

• The cloud constantly updates itself; cloud resources are used instead of endpoint resources.
• The endpoint remains very lightweight.

Figure: Talos, the AMP Cloud and Threat Grid share intelligence with the Endpoint, NGFW, NGIPS, ISR, CES/ESA and WSA/SIG.

Continuous Monitoring
What happened? Where did the malware come from? Where has the malware been? What is it doing? How do we stop it?

• Historical view of malware activity:
  • File trajectory (the file's trail): which endpoints have seen the files.
  • Device trajectory: actions the files performed on given endpoints.
• To allow a connector to communicate with cloud servers for file and network disposition lookups, a firewall must allow the clients to connect to the servers over TCP 443 (default) or 32137.

OUTBREAK CONTROL

• Create customized lists to your organization’s needs.
• Main lists from the AMP:
  • Custom Detections
  • Application Control
  • Network
  • Endpoint IOC (indicators of compromise)
• Custom detections act as a blacklist.
• Identify files that you want to detect and quarantine.

OUTBREAK CONTROL
• When a custom detection is defined, any AMP for Endpoints agents that have seen the files before can also quarantine the files through retrospection/cloud recall.
• Simple custom detections allow you to add file signatures.
• Advanced custom detections are more like traditional antivirus signatures.

OUTBREAK CONTROL
• Creating a simple custom detection is similar to adding new entries to a blacklist.
• You define one or more files to quarantine by building a list of SHA-256 hashes.
• If you already have the SHA-256 of a file, you can paste it directly into the UI.
• You can also upload files directly and allow the cloud to create the SHA-256 hash.
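
As an added illustration (not Cisco's code) of the simple custom detection and retrospection described on these slides: a SHA-256 blocklist kept together with a per-hash sighting record that stands in for file trajectory, so that a hash added later returns the earlier sightings to quarantine. The class, method and host names, the sample file body and the timestamps are all constructed.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample file body; not real malware.
SAMPLE_FILE = b"MZ\x90\x00 constructed sample for the custom-detection demo"

def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest: the key a simple custom detection is built on."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class Sighting:
    host: str
    path: str
    seen_at: str  # ISO-8601 timestamp of when the endpoint saw the file

@dataclass
class SimpleCustomDetection:
    """Hash blocklist plus the file-trajectory record the cloud keeps per hash."""
    hashes: dict = field(default_factory=dict)      # sha256 -> label
    trajectory: dict = field(default_factory=dict)  # sha256 -> [Sighting]

    def record_sighting(self, data: bytes, host: str, path: str, seen_at: str) -> str:
        h = sha256_hex(data)
        self.trajectory.setdefault(h, []).append(Sighting(host, path, seen_at))
        return h

    def add_hash(self, sha256: str, label: str) -> list:
        """Paste a hash into the list; returns earlier sightings to quarantine retrospectively."""
        sha256 = sha256.strip().lower()
        if len(sha256) != 64 or set(sha256) - set("0123456789abcdef"):
            raise ValueError("simple custom detections take SHA-256 hex digests")
        self.hashes[sha256] = label
        return list(self.trajectory.get(sha256, []))

    def add_file(self, data: bytes, label: str) -> list:
        """Upload path: hash the file here instead of pasting a digest."""
        return self.add_hash(sha256_hex(data), label)

    def verdict(self, data: bytes) -> str:
        return "quarantine" if sha256_hex(data) in self.hashes else "clean"

def demo() -> tuple:
    det = SimpleCustomDetection()
    # Two endpoints saw the file before anyone flagged it (constructed events); the
    # analyst then uploads it and retrospection hands back both earlier sightings.
    det.record_sighting(SAMPLE_FILE, "ws-01", "C:\\Users\\a\\Downloads\\inv.exe", "2024-06-10T09:00:00")
    det.record_sighting(SAMPLE_FILE, "ws-07", "C:\\Temp\\inv.exe", "2024-06-11T13:30:00")
    retro = det.add_file(SAMPLE_FILE, "Constructed.Test.Sample")
    return len(retro), sorted(s.host for s in retro), det.verdict(SAMPLE_FILE)
```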

OUTBREAK CONTROL
• Advanced custom detections offer many more signature types, based on ClamAV signatures:
  • File body-based signatures
  • MD5 signatures
  • MD5, PE section-based signatures
  • An extended signature format (with wildcards, regular expressions, offsets)
  • Logical signatures
  • Icon signatures

OUTBREAK CONTROL
• Use Android custom detections for two main functions: outbreak control and application control.
• When a malicious app is detected, the user is notified and prompted to uninstall it.
• You don’t have to use these detections just for malware; also use them to stop applications that you don’t want installed on devices (“application control”).
• Simply add apps to an Android custom detection list; AMP notifies the user of the unwanted application, and the user is prompted to uninstall it.

• Outbreak control IP lists are used in conjunction with device flow correlation (DFC) detections.
• DFC allows you to flag or even block suspicious network activity.
• Policies are used to specify the behavior of AMP when a suspicious connection is detected.
• The policy specifies whether the connector should use addresses in the Cisco intelligence feed, the custom IP lists you create yourself, or both.
• IP whitelists define IPv4 addresses that should not be blocked or flagged by DFC.

IP Blacklists and Whitelists

• AMP bypasses/ignores the intelligence feeds as they relate to the IPv4 addresses in the whitelist (“allow list”).
• IP blacklists are used to create DFC detections.
• Traffic that matches entries in the blacklist is flagged or blocked.
• Outbreak Control > Network > IP Block and Allow Lists.
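
As an added example (not Cisco's code) of how the allow list, the custom block list and the intelligence feed combine under the DFC policy settings described above. The list contents use RFC 5737 documentation addresses and the function names are assumptions; `review_allowlist` is the check a defender would run before accepting a new allow-list entry.

```python
import ipaddress

# Constructed lists using documentation ranges (RFC 5737); not real indicators.
CISCO_FEED = ["203.0.113.10", "198.51.100.0/24"]     # stands in for the Cisco intelligence feed
CUSTOM_BLOCKLIST = ["192.0.2.50", "192.0.2.128/25"]  # Outbreak Control > Network > IP Block list
CUSTOM_ALLOWLIST = ["198.51.100.7"]                  # IP Allow list: never flagged or blocked

def _networks(entries):
    """Accept single addresses or CIDR blocks; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def _hit(ip, nets) -> bool:
    return any(ip in n for n in nets)

def dfc_verdict(dest_ip: str, source: str = "both", action: str = "block") -> str:
    """Decide what device flow correlation does with a connection to dest_ip.

    source: which lists the connector consults, "feed", "custom" or "both"
            (the policy setting described on the slide).
    action: policy action for a suspicious connection, "flag" (audit) or "block".
    Returns "allow", "flag", "block" or "not-evaluated" (non-IPv4 destination).
    """
    if source not in ("feed", "custom", "both") or action not in ("flag", "block"):
        raise ValueError("unknown DFC policy setting")
    ip = ipaddress.ip_address(dest_ip)
    if ip.version != 4:
        return "not-evaluated"          # the lists on this slide are IPv4 only
    # 1. Allow list is checked first: feed intelligence is ignored for these addresses.
    if _hit(ip, _networks(CUSTOM_ALLOWLIST)):
        return "allow"
    # 2. Consult whichever sources the policy enables.
    suspicious = (
        (source in ("feed", "both") and _hit(ip, _networks(CISCO_FEED)))
        or (source in ("custom", "both") and _hit(ip, _networks(CUSTOM_BLOCKLIST)))
    )
    return action if suspicious else "allow"

def review_allowlist(allowlist=CUSTOM_ALLOWLIST, feed=CISCO_FEED) -> list:
    """Report allow-list entries that silence a feed indicator: each is a deliberate
    blind spot that should be documented, because DFC stops flagging it."""
    feed_nets = _networks(feed)
    return [a for a in allowlist if any(_networks([a])[0].overlaps(n) for n in feed_nets)]
```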

Creating a New IP List


AMP for Endpoints Application Control

• Like files, applications can be detected, blocked and whitelisted. AMP does not look for the name of the application but for its SHA-256 hash.
• Outbreak Control > Application Control > Blocked Applications.

Figure: a blocking list with an existing application hash shown at the bottom of the right-hand column, while another file is being uploaded for hash calculation.

Exclusion Sets

• Available exclusion types:
  • Threat: excludes by threat name.
  • Extension: excludes files with a specific extension.
  • Wildcard: excludes files or paths using wildcards for filenames, extensions and paths.
  • Path: excludes files in a given path.
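
An added example (not Cisco's code) showing how each of the four exclusion types above decides whether a detection is suppressed, plus a check for entries so broad that they switch scanning off for a whole drive. The exclusion set, the threat name and the matching rules are constructed for illustration.

```python
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class Exclusion:
    kind: str    # "threat", "extension", "wildcard" or "path"
    value: str

# Constructed exclusion set for a Windows endpoint; names and paths are illustrative.
EXCLUSIONS = [
    Exclusion("path", "C:\\Program Files\\Backup Agent\\"),
    Exclusion("extension", ".log"),
    Exclusion("wildcard", "C:\\Users\\*\\AppData\\Local\\Temp\\build-*.tmp"),
    Exclusion("threat", "W32.Constructed.TestName"),
]

def _norm(p: str) -> str:
    """Windows paths compare case-insensitively; normalise separators as well."""
    return p.replace("/", "\\").lower()

def matching_exclusion(path: str, threat_name: str = "", exclusions=EXCLUSIONS):
    """First exclusion that would suppress this detection, or None (threat keys on the name, the rest on the path)."""
    p = _norm(path)
    for ex in exclusions:
        v = _norm(ex.value)
        if ex.kind == "threat" and threat_name.lower() == v:
            return ex
        if ex.kind == "extension" and p.endswith(v):
            return ex
        if ex.kind == "wildcard" and fnmatch.fnmatchcase(p, v):
            return ex
        if ex.kind == "path" and p.startswith(v.rstrip("\\") + "\\"):
            return ex
    return None

def overbroad(exclusions=EXCLUSIONS) -> list:
    """Flag entries that exclude a whole drive: anything written there is never scanned,
    which is why an exclusion set should be reviewed rather than only appended to."""
    flagged = []
    for ex in exclusions:
        v = _norm(ex.value).rstrip("\\")
        if ex.kind == "path" and len(v) <= 2:                       # e.g. "c:" alone
            flagged.append(ex)
        elif ex.kind == "wildcard" and len(v.strip("*").rstrip("\\")) <= 2:  # "*" or "c:\*"
            flagged.append(ex)
    return flagged
```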

Selecting the OS for the New AMP for Endpoints Exclusion Set


AMP for Endpoints Connectors

• Management > Download Connector.

AMP for Endpoints Policies

AMP for Endpoints Groups

AnyConnect AMP Enabler

AMP for Endpoints Engines


• Three detection and protection “engines”:
  • TETRA: a full client-side antivirus solution.
    • Do NOT enable TETRA if an existing antivirus product is in place.
    • Disabled by default.
    • It changes the AMP connector from being very lightweight to being “thicker”: it consumes more disk space for signature storage and more bandwidth for signature updates.
    • When you enable TETRA, another configuration subsection is displayed, allowing you to choose which file scanning options you wish to enable.
  • Spero: a machine-learning-based technology that proactively identifies previously unknown threats. It uses active heuristics to gather execution attributes; because the underlying algorithms come up with generic models, they identify malware based on its general appearance rather than on specific patterns or signatures.
  • Ethos: a “fuzzy fingerprinting” engine that uses static/passive heuristics.

AMP for Endpoints Reporting


AMP for Endpoints Overview Dashboard

AMP for Endpoints Events dashboard, displaying the most recent events in your AMP for Endpoints deployment.

AMP for Endpoints Events iOS Clarity Dashboard


Dynamic Analysis and Sandboxing

Execute, Analyse & Test Malware Behaviour to Discover Unknown Zero-Day Threats

Figure: AMP for Endpoints submits a suspicious file to Threat Grid, which returns an analysis report.

THREAT RESPONSE
• “One-pane-of-glass” console that automates integrations
across Cisco security products & threat intelligence sources.
• Integrates with:
• AMP
• AMP for Endpoints
• Threat Grid
• Umbrella
• Email Security
• NGFW
• NGIPS
