1
00:00:00,540 --> 00:00:08,400
Tying different event data together to identify compromised hosts and threat actors can be challenging.

2
00:00:09,480 --> 00:00:12,600
With next-generation devices like Firepower,

3
00:00:12,720 --> 00:00:21,720
you can easily map data together like IP addresses, DNS requests and HTTP URLs.

4
00:00:21,920 --> 00:00:28,310
Now let's hop in the lab and we'll take a look at how you could use Firepower event information to identify

5
00:00:28,490 --> 00:00:34,710
compromised hosts and threat actors on your network by simulating a malicious connection,

6
00:00:37,750 --> 00:00:38,850
for example.

7
00:00:38,860 --> 00:00:44,550
I'm going to use a malware test link to trigger a blocked connection on the network.

8
00:00:45,100 --> 00:00:53,200
I like to use the wicar.org test site, which I will provide the link for in the resources

9
00:00:53,200 --> 00:00:55,570
for this lecture.

10
00:00:55,570 --> 00:01:01,210
It just has a collection of some downloadable payloads that you can use to test to make sure that your

11
00:01:01,210 --> 00:01:04,390
malware defenses are working properly.

12
00:01:04,930 --> 00:01:11,470
So if I click on the last virus here, of course I get blocked, since my Firepower device is doing what

13
00:01:11,470 --> 00:01:13,140
it's supposed to be doing.

14
00:01:14,140 --> 00:01:22,060
And you can see here, actually, I didn't even get a chance to connect to the HTTP site to download the

15
00:01:22,060 --> 00:01:31,960
test file, because Firepower blocked the actual DNS request to resolve the IP address of this website

16
00:01:31,960 --> 00:01:35,230
where I would download the virus.

17
00:01:35,230 --> 00:01:42,460
So I'm actually going to disable my DNS blocks so that we see all the connection information to help

18
00:01:42,460 --> 00:01:44,130
us analyze the connection.

19
00:01:46,000 --> 00:01:53,560
So to disable these Security Intelligence DNS blocks, I'll go to Policies, Access Control and then DNS,

20
00:01:58,190 --> 00:02:02,840
and then I'll just disable these DNS blacklist rules.

21
00:02:06,910 --> 00:02:09,960
Just as a temporary thing, for example.

22
00:02:15,350 --> 00:02:24,320
Save it and now deploy the new policy to my Firepower sensor in the lab, and then I'll start the video

23
00:02:24,320 --> 00:02:24,800
back up

24
00:02:24,800 --> 00:02:30,620
once that's done deploying, and then we should be able to resolve the test malware site so that we

25
00:02:30,620 --> 00:02:35,390
get a full picture of the connections traversing the Firepower devices.

26
00:02:40,210 --> 00:02:46,750
OK, now that the policy has successfully been pushed to my Firepower device, I should be able to resolve

27
00:02:46,750 --> 00:02:52,420
the web page that is going to be used to download the test payload here.

28
00:02:52,490 --> 00:02:53,770
So let me try it again.

29
00:02:55,630 --> 00:02:56,050
OK.

30
00:02:56,060 --> 00:03:02,060
So it was still blocked, but let's see if I am at least able to resolve it.

31
00:03:02,270 --> 00:03:09,440
All right, there you go. So that tells me that DNS is allowing the connection through, but my URL

32
00:03:09,440 --> 00:03:13,410
filtering blacklist blocked the connection, so that's good.

33
00:03:13,430 --> 00:03:15,950
My device is doing what it's supposed to be doing.

34
00:03:16,490 --> 00:03:20,240
Let's go to Analysis, Connections and Events.

35
00:03:22,850 --> 00:03:30,830
And then I added it in my search to filter on anything destined to the IP address that I resolved for

36
00:03:30,830 --> 00:03:32,310
malware.wicar.org,

37
00:03:32,480 --> 00:03:44,260
and as you can see here, I see my host IP address as the potentially compromised host,

38
00:03:44,650 --> 00:03:54,500
destined to the threat actor IP address as the responder IP, and the website where the malware was attempted

39
00:03:54,500 --> 00:03:57,160
to be downloaded from,

40
00:03:57,200 --> 00:03:59,190
malware.wicar.org.

41
00:03:59,330 --> 00:04:02,000
And then the file name.

42
00:04:02,030 --> 00:04:11,690
So right here in this one line I have the compromised host, threat actor and the HTTP data, so that

43
00:04:11,690 --> 00:04:16,400
I know what site was trying to be accessed from the compromised host.