topic That was an excellent in Network Security

Firepower Management Center: Indication of Compromise / URL Block

Lee Dress — Fri, 21 Feb 2020 14:02:13 GMT

I frequently see devices listed in "Indications of Compromise by Host"

When i drill down to see what the issue is, it's usually "The host may connect to a phishing URL" or "Malware Site"

When i drill down further to the events that triggered the IOC, the Action and reason is always "Block" or "URL Block" or "File Block"

this confuses me. was the computer compromised, or was the event blocked?

and if the event was blocked, why did it trigger IOC?

do i need to reconfigure something?

Thanks for your help.

Lee

Say an on-premises user logs

Marvin Rhoads — Mon, 13 Mar 2017 15:14:25 GMT

Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrive there.) The target domain is found to be on the blacklist or having a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor and the connection is blocked.

So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.

No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.

There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.

That was an excellent

Lee Dress — Tue, 14 Mar 2017 14:07:26 GMT

That was an excellent explanation.

Thank you.

Re: Say an on-premises user logs

kguillory@nocp.org — Sat, 04 Apr 2020 11:28:00 GMT

@Marvin Rhoads wrote:
Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrive there.) The target domain is found to be on the blacklist or having a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor and the connection is blocked.
So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.
No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.
There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.

Is there any way to find the URL that caused the flag when this happens?

Re: Say an on-premises user logs

Marvin Rhoads — Sat, 04 Apr 2020 14:27:58 GMT

kguillory@nocp.org look under:

Analysis > Security Intelligence Events > Table View of Events. Filter on the IP address of the endpoint in question.

Re: Say an on-premises user logs

kguillory@nocp.org — Sat, 04 Apr 2020 14:38:09 GMT

Thanks for your prompt response. Stay safe.