Cisco AMP, or Advanced Malware Protection, is Cisco’s answer to the next generation of visibility, control and protection against advanced threats for today’s internet-connected world. AMP gives you real-time blocking of malware and advanced sandboxing, backed by world-class global threat intelligence, to provide rapid detection, containment and removal of advanced malware.
This post will highlight the features that make AMP’s continuous analysis, monitoring and retrospective security capabilities possible.
Comprehensive global threat intelligence
Cisco Talos Security Intelligence and Research Group, together with the Threat Grid threat intelligence feeds, provides one of the largest collections of real-time threat intelligence, with extensive visibility, the largest footprint and the ability to put that intelligence to work across multiple security platforms.
The image below summarises the make-up of the Talos group and its threat intelligence functions.
Cisco AMP combines the use of advanced file behaviour patterns, along with collective intelligence to determine whether a file is good (safe) or bad (malicious). This allows AMP to perform more accurate detections during file analysis and inspection.
File reputation is based on a variety of factors determined over a period of time. It supports most file types and identifies each file by its content, so it does not depend on the file extension to determine the type.
Indications of Compromise (IOCs)
IOCs (Indications or Indicators of Compromise) are pieces of information that help identify the specifics of abnormal or malicious behaviour on a network or system. With AMP, file activity and recorded events are linked together and prioritised as potential active breaches.
AMP automatically captures and links this security event data from multiple sources (such as intrusion and malware events) to help security teams connect the individual events to larger, coordinated attacks and prioritize them as high-risk.
The built-in AV engines perform offline, system-based detections, which include scanning for the presence of rootkits, to complement Cisco’s advanced endpoint protection capabilities such as local IOC scanning and device and network flow monitoring.
If a customer wishes to consolidate both their antivirus and their advanced endpoint protection under a single agent, the AV engine can be enabled in policy to achieve this. Two engines exist in the AMP for Endpoints product: the ClamAV engine runs on Linux and Mac devices, while the Tetra engine runs on Windows devices.
Static and dynamic malware analysis
A safe, highly secure sandboxing environment lets you execute, analyse and test both malware and files of unknown reputation or behaviour, in order to discover previously unknown zero-day threats.
Cisco has integrated Threat Grid’s advanced sandboxing, with its static and dynamic malware analysis technology, into the AMP solutions. The integration gives a more comprehensive analysis by checking samples against a large set of more than 1,000 highly accurate behavioural indicators. Threat Grid’s analysis produces very few false positives (results that flag something as bad when it is not), increasing your confidence so you can make fast and accurate decisions.
Instead of only analysing network traffic or a file when it first arrives, Cisco AMP applies continuous analysis and retrospective security after the initial inspection has occurred. We have learned over the years that traditional signature-based scanning and blocking are not 100% effective, especially against modern threats.
Through continuous analysis, AMP monitors and records file activity and network communications to detect changes in behaviour and identify stealthy or malicious threats. Alerts are sent at the first sign of suspicious activity, for example when a file’s disposition changes after extended analysis (a good file turns bad), giving the security team awareness of, and visibility into, malware that evaded the initial defences.
Because AMP records all activity, it knows where these files or network communications have been seen across your organisation, and retrospective security can then quickly respond and remove or quarantine the malware for all users and endpoints, eliminating the threat.
The Prevalence feature displays all files that have been run in your organization, ordered by a prevalence rating from lowest to highest. This helps you become aware of previously undetected threats that have been seen by a small number of users.
Generally, files that are run by a large number of users (high prevalence) tend to be valid applications, whereas files run by only a few users (low prevalence) may be malicious (such as targeted advanced threats) or questionable applications you may not want on your extended network.
Prevalence is another powerful AMP feature for detecting advanced threats: low prevalence files are automatically sent to Threat Grid for analysis.
File trajectory continuously tracks a file’s presence throughout your network environment over time, giving visibility and reducing the time required to scope a malware breach.
File trajectory maps which endpoints the file has been seen on and how it was transferred across the network. It shows the file’s disposition (good, bad or unknown), identifies the first endpoint that saw the threat, and tells you whether other hosts contain the file and are also at risk. This is a key component of AMP’s retrospective security.
The below image shows the file trajectory from AMP for Networks.
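As an added illustration (written for this post; not Cisco code and not taken from the AMP console or API), the following Python works out prevalence and a simple file trajectory from constructed endpoint telemetry. The record format, the hostnames, the process names and the short labels SHA_A and SHA_B standing in for real SHA-256 values are all assumptions made for the example.

```python
"""Prevalence and file trajectory over endpoint telemetry (added example).

Not Cisco code: the event tuples below are constructed sample data in a
hypothetical format. "SHA_A" and "SHA_B" stand in for real SHA-256 values.
"""
from collections import defaultdict

# (timestamp, hostname, file hash, event, process responsible for the event)
EVENTS = [
    # SHA_A: an attachment that arrived by mail, ran on two hosts, copied to a third
    ("2019-11-04T09:01:00", "wks-01", "SHA_A", "created", "outlook.exe"),
    ("2019-11-04T09:01:30", "wks-01", "SHA_A", "executed", "explorer.exe"),
    ("2019-11-04T09:05:00", "wks-07", "SHA_A", "created", "smb-share"),
    ("2019-11-04T09:06:00", "wks-07", "SHA_A", "executed", "explorer.exe"),
    ("2019-11-04T10:00:00", "wks-03", "SHA_A", "created", "outlook.exe"),
    ("2019-11-04T10:30:00", "wks-01", "SHA_A", "quarantined", "amp-connector"),
    # SHA_B: a widely used application, executed on five hosts
    ("2019-11-04T08:00:00", "wks-01", "SHA_B", "executed", "explorer.exe"),
    ("2019-11-04T08:02:00", "wks-02", "SHA_B", "executed", "explorer.exe"),
    ("2019-11-04T08:03:00", "wks-03", "SHA_B", "executed", "explorer.exe"),
    ("2019-11-04T08:04:00", "wks-04", "SHA_B", "executed", "explorer.exe"),
    ("2019-11-04T08:05:00", "wks-05", "SHA_B", "executed", "explorer.exe"),
]


def prevalence(events):
    """Number of distinct hosts on which each file hash has been executed."""
    hosts_by_hash = defaultdict(set)
    for _ts, host, sha, event, _proc in events:
        if event == "executed":
            hosts_by_hash[sha].add(host)
    return {sha: len(hosts) for sha, hosts in hosts_by_hash.items()}


def low_prevalence(events, max_hosts=2):
    """Files executed on at most max_hosts hosts, lowest prevalence first.

    These are the candidates worth sending for sandbox analysis."""
    return sorted((count, sha) for sha, count in prevalence(events).items()
                  if count <= max_hosts)


def file_trajectory(events, sha):
    """Where one file has been seen, where it was seen first, and which
    hosts still hold it (no quarantine event) after a disposition change."""
    # ISO-8601 timestamps sort correctly as strings
    seen = sorted((e for e in events if e[2] == sha), key=lambda e: e[0])
    if not seen:
        return None
    first_ts, first_host, _sha, _event, first_proc = seen[0]
    hosts = {e[1] for e in seen}
    quarantined = {e[1] for e in seen if e[3] == "quarantined"}
    return {
        "first_seen": (first_ts, first_host, first_proc),
        "hosts": sorted(hosts),
        "at_risk": sorted(hosts - quarantined),
        "timeline": [(e[0], e[1], e[3]) for e in seen],
    }


if __name__ == "__main__":
    print("prevalence:", prevalence(EVENTS))
    print("low prevalence:", low_prevalence(EVENTS))
    print("trajectory of SHA_A:", file_trajectory(EVENTS, "SHA_A"))
```

Running it reports SHA_A with a prevalence of 2 (it was created on wks-03 but never executed there) against 5 for SHA_B, and a trajectory whose at_risk list names wks-03 and wks-07: the hosts that still hold the file once wks-01 has quarantined it, which is exactly the set retrospective security would act on.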
Device trajectory v2
Device trajectory continuously tracks file activity and communications at the endpoint device level, so you can quickly understand both the root cause and the history of events leading up to and following a compromise. This trajectory is the view of the threat from a single endpoint’s perspective.
This feature allows us to see when the file was first executed on the endpoint, what process was involved in the creation of the file, and what happened as a result of the file executing.
The below image shows the device trajectory from AMP for Endpoints.
The improved version of Device Trajectory is cleaner, more usable and threats are easier to dig into. The event, file and threat information is now fixed to the right hand side of the device trajectory for easier navigation and switching between file, event and process information.
A time navigation bar has been added to the filters section so you can quickly identify when threat events occurred. Clicking on the red dot focuses the device trajectory on the threat event.
Security administrators who use AMP have the ability to submit their own IOCs in order to catch new targeted attacks. These endpoint IOCs let security teams perform deeper levels of analysis and investigation on advanced threats that are specific to users or applications in their environment.
The Endpoint IOC feature is a powerful tool for post-compromise incident response. It can be set up using custom signatures that trigger on file attributes such as name, type, size and hash, to name a few.
Elastic search is a search tool that lets you search on all sorts of criteria without specifying the type of item you are searching for. AMP’s elastic search allows queries on file properties, telemetry, security intelligence data, IP addresses, domains and more, to help you quickly understand the information related to an IOC or malicious application.
With AMP for Endpoints you can also scan for vulnerable software on your systems. Once a scan completes, it shows a list of vulnerable software, the hosts containing that software and the hosts most likely to be compromised. Powered by Cisco’s threat intelligence and security analytics, AMP also identifies vulnerable software being targeted by malware, along with the potential exploit, and displays this as a prioritised list of hosts whose software needs to be patched.
This feature does not scan all software for vulnerabilities but focuses on the common software found in most environments, e.g. internet browsers (IE, Chrome etc.), Adobe Acrobat, Oracle Java Platform, Microsoft Office etc.
With AMP’s outbreak control feature you can take control of suspicious files or outbreaks and remediate an infection without waiting for a content update. Outbreak control provides:
- Simple custom detections can be created to quickly block a specific file across all or selected devices.
- Advanced custom signatures can be created to block polymorphic malware (malware that changes itself constantly to evade detection).
- Application block lists can be used to enforce an organisation’s application policy. There may be an application, for instance, that you do not want your users to run but do not want to quarantine either; or you may need to contain a compromised application that is being used as a malware gateway and stop the cycle of reinfection.
- Custom application whitelists help to ensure that safe, custom or mission-critical applications continue to run no matter what.
- Network or IP blacklists and whitelists use device flow correlation to stop malware call-back communications at the source, which is especially useful for remote endpoints outside the corporate network.
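The following Python is an added example, not Cisco’s code or the post’s own, that shows the kind of matching an endpoint IOC and a simple custom detection perform: files are typed by their leading bytes rather than their extension (as the file reputation section describes), hashed with SHA-256, and checked against rules that combine name, type, size and hash conditions. The rule format is a hypothetical AND-of-conditions stand-in for AMP’s own signature format, and the sample files and the "known bad" hash are constructed inline.

```python
"""Endpoint IOC / custom detection matching (added example, not Cisco code).

Files are typed by their leading bytes rather than by extension, hashed, and
matched against rules whose conditions must all hold. The rule format, file
contents and names are constructed for this example."""
import hashlib

# Leading bytes -> file type. The extension is ignored entirely.
MAGIC = [
    (b"MZ", "pe"),            # Windows executable / DLL
    (b"\x7fELF", "elf"),      # Linux executable
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),   # also docx/xlsx/jar containers
]


def file_type(data):
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def describe(name, data):
    """The attributes a rule can test: name, content-derived type, size, hash."""
    return {
        "name": name,
        "type": file_type(data),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def rule_matches(rule, attrs):
    """Every condition under rule["all"] must hold (logical AND)."""
    for cond, want in rule["all"].items():
        if cond == "name_endswith":
            ok = attrs["name"].lower().endswith(want)
        elif cond == "size_lt":
            ok = attrs["size"] < want
        elif cond in ("type", "sha256"):
            ok = attrs[cond] == want
        else:
            raise ValueError("unknown condition: " + cond)
        if not ok:
            return False
    return True


def scan(files, rules):
    """Return (file name, rule id) for every rule each file triggers."""
    hits = []
    for name, data in files:
        attrs = describe(name, data)
        hits.extend((name, rule["id"]) for rule in rules if rule_matches(rule, attrs))
    return hits


# Constructed sample: a 4 KiB PE delivered under a .pdf name.
BAD_SAMPLE = b"MZ" + b"\x00" * 4094
BAD_SHA = hashlib.sha256(BAD_SAMPLE).hexdigest()   # in practice, taken from a prior incident

RULES = [
    {"id": "IOC-1", "desc": "executable masquerading as a PDF",
     "all": {"name_endswith": ".pdf", "type": "pe"}},
    {"id": "IOC-2", "desc": "simple custom detection: known bad hash",
     "all": {"sha256": BAD_SHA}},
    {"id": "IOC-3", "desc": "unusually small executable",
     "all": {"type": "pe", "size_lt": 1024}},
]

SAMPLE_FILES = [
    ("invoice.pdf", BAD_SAMPLE),
    ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("setup.exe", b"MZ" + b"\x00" * 200),
    ("photos.zip", b"PK\x03\x04" + b"\x00" * 30),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FILES, RULES):
        print(hit)
```

Because the type comes from content, invoice.pdf is recognised as an executable and trips both the behavioural rule and the hash-based custom detection, while the genuine PDF passes; the hash rule alone would miss a recompiled or repacked variant, which is why the post pairs simple custom detections with advanced custom signatures for polymorphic malware.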
Exploit Prevention and System Process Protection
The exploit prevention engine protects your Windows endpoints from memory injection attacks that target unpatched vulnerabilities in applications such as web browsers, MS Office, Adobe Acrobat and remote management software. Memory attacks aim to compromise endpoints and are typically used in malware and zero-day attacks.
AMP can also prevent exploits against protected system processes such as LSASS (Local Security Authority Subsystem Service) and CSRSS (Client/Server Runtime Subsystem). Both engines, exploit prevention and system process protection, block attacks against these processes and trigger events in the cloud console.
If you believe that an endpoint has been compromised, Endpoint Isolation is there to help. Connector version 7.0.5 introduced the Endpoint Isolation feature for Windows, which lets you block inbound and outbound traffic without losing access to the endpoint.
DNS and DHCP traffic are still permitted, as is connectivity to the AMP cloud. A one-click isolation session can be started from the Computer Management section and lets you stop threats, lateral movement and data exfiltration.
Malicious Activity Protection
A great feature added in connector version 6.1.5 is the Malicious Activity Protection (MAP) engine. MAP gives endpoints much-needed defence against ransomware by detecting processes that exhibit malicious encryption behaviour and stopping them in their tracks.
If a system is infected with a previously unknown variant of ransomware that has evaded detection by other security measures, AMP can block the process and prevent the encryption of your data.
It is key to understand that AMP needs to observe the encryption of files before it can classify the activity as ransomware and react; this means the encryption of the first few files will complete before the process is blocked. AMP identifies the files that were encrypted so that you can restore them from backup later.
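To make that caveat concrete, here is an added example (written for this post, not Cisco’s MAP engine or any of its code) of the kind of behavioural detection involved: a monitor watches file writes, treats a low-entropy file being overwritten with high-entropy data as a sign of encryption, and blocks the process once it has done that to a few files. The process IDs, paths, thresholds and the deterministic ciphertext stand-in are all constructed; the real engine’s heuristics are not described on this page.

```python
"""Ransomware-style encryption detection by file entropy (added example).

Not Cisco's MAP engine: the threshold, heuristic and events are constructed
to show why the first few files are lost before a process can be blocked."""
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0   # bits per byte; plaintext documents sit well below this
BLOCK_AFTER = 3      # suspicious overwrites tolerated before a process is blocked


def entropy(data):
    """Shannon entropy of a byte string, 0.0 .. 8.0 bits per byte."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def monitor(write_events, block_after=BLOCK_AFTER):
    """Consume (pid, path, bytes_before, bytes_after) overwrite events in order.

    Returns {pid: {"encrypted_before_block": [...], "prevented": [...]}} for
    every process that ended up blocked."""
    suspicious = defaultdict(list)
    blocked = {}
    for pid, path, before, after in write_events:
        if pid in blocked:
            blocked[pid]["prevented"].append(path)   # write refused
            continue
        if entropy(before) < HIGH_ENTROPY <= entropy(after):
            suspicious[pid].append(path)
            if len(suspicious[pid]) >= block_after:
                blocked[pid] = {"encrypted_before_block": list(suspicious[pid]),
                                "prevented": []}
    return blocked


# --- constructed sample data ---
PLAINTEXT = b"Quarterly report: revenue up 4%, costs flat.\n" * 24


def fake_ciphertext(n):
    """Deterministic stand-in for ciphertext: a byte stream that cycles through
    all 256 values, so its entropy is close to 8. This is not encryption."""
    return bytes((i * 7919 + 13) % 256 for i in range(n))


DOCS = ["C:/Users/alice/Documents/" + f for f in
        ("report.docx", "budget.xlsx", "plan.pptx", "notes.txt", "photo.jpg")]

EVENTS = [
    # pid 1001 (a word processor): a normal save, low entropy before and after
    (1001, DOCS[0], PLAINTEXT, PLAINTEXT + b"Edited.\n"),
    # pid 2002 (an archiver): one high-entropy write of a new file, stays under the threshold
    (2002, "C:/Users/alice/Desktop/archive.7z", b"", fake_ciphertext(512)),
] + [
    # pid 4242 (ransomware-like): overwrites every document with high-entropy data
    (4242, path, PLAINTEXT, fake_ciphertext(len(PLAINTEXT))) for path in DOCS
]


if __name__ == "__main__":
    for pid, result in monitor(EVENTS).items():
        print(pid, result)
```

Running it reports process 4242 blocked only after report.docx, budget.xlsx and plan.pptx were already overwritten, with notes.txt and photo.jpg protected; the single high-entropy write by the archiver stays under the threshold. That threshold is the trade-off between catching ransomware early and not killing legitimate compression or encryption tools, and it is why the files encrypted before the block still need restoring from backup.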
Threat Hunting and Response
Threat hunting is the process of proactively (or even reactively) seeking out and identifying threats on your network and endpoints. AMP for Endpoints integrates with Cisco Threat Response, a great free tool available to customers of Cisco security products such as AMP for Endpoints, Umbrella, Email Security and Next Generation Firewalls.
Threat Response can be used for both Threat Hunting and Incident Response scenarios, allowing security teams to save time and be far more efficient in their investigations.
By clicking the blue Casebook icon in the bottom right corner of the AMP for Endpoints or Threat Response consoles, you can open or create casebooks for a specific incident or threat hunting session.
By adding observables (IPs, File hashes, domains etc.) to the casebook you can investigate their presence across your network, endpoints and supporting security products, to get clear visibility of their classification, where they originated, where they were sighted and their associated actions.
With Cisco AMP for Endpoints and Threat Response you can easily add Threat Hunting to your arsenal of security tools.
The information above gives you a breakdown of the many features that work together to make Cisco AMP a great malware protection technology. Combined, these features give AMP customers the comprehensive visibility, protection and control that are necessary to quickly detect and respond to advanced modern-day threats.
New benefits and features are also on the horizon, as all of Cisco’s security products continue to evolve on a regular basis. Integration with other products improves with each version, and the addition of a great tool like Cisco Threat Response can give your security team the extra edge it needs.
This post has been updated to include a bunch of new features released throughout 2019.
Where do Ironshare fit in?
Ironshare are a security consultancy focused on delivery of fast and efficient solutions to businesses. Our experienced team aim to provide a fully managed service that takes the strain away from your employees and allows you to focus on your core business.
Ironshare can help you to get up and running with Cisco AMP for Endpoints within days.
We not only provide step-by-step guidance on deployment within your organisation, we can also manage the day-to-day running and reporting, leaving your teams to get on with their usual day job.
Our aim is to provide Security, Simplified. That means we can communicate in a non-technical manner (or technical if you prefer) and just give you the information you want.
Ironshare – Security, Simplified
If you have any questions or would like to get in touch to find out how Cisco AMP can be used to improve your organisation’s security, then please Contact Us here.
Originally published – March 2019
Updated – December 2019