topic Re: Firepower Rule for Layer-2 Attack and APT in Network Security

Firepower Rule for Layer-2 Attack and APT

AudieO — Thu, 25 Aug 2022 14:24:32 GMT

Dear Cisco IDS/IPS Experts,

I have two questions:

1. Can the Firepower IDS/IPS detect Layer-2 attack based on EtherType and MAC address anomalies?

2. Based on my experience 4-5 years ago, no IDS/IPS can detect Advanced Persistent Threat (APT). The anomaly behavior based feature was useless. Experts gave up on it, since Zero-Day detection was just a dream. How is it now?

Thank You,

Audie

Re: Firepower Rule for Layer-2 Attack and APT

Divya Jain — Thu, 08 Sep 2022 13:24:23 GMT

Hello Audie,

1. To combat zero day attacks and Layer-2 attack based on EtherType and MAC address anomalies - its done at initial authentication level - 802.1x auth, LDAP authentication, ISE. IDS / IPS policies only works at application level.

2. IPS/IDS are signature based detectors

APTs often use social engineering tactics or exploit software vulnerabilities in organizations with high value information.
You can read more about it here -- https://www.cisco.com/c/en/us/products/security/advanced-persistent-threat.html

Now to talk about cisco's approach towards APT and tackling zero day attack -
A zero-day attack hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.

A Standalone product to tackle security threat will continue to have inherent gaps. To avoid these gaps in security, organizations need to take a holistic approach. This requires a multilayered, integrated security solution. Deploying a portfolio of products that can seamlessly work together is the best way to enhance security.
To combat these :
-- Sandboxing using Secure Malware analytics - https://www.cisco.com/c/en/us/products/security/threat-grid/index.html
-- With Cisco TALOS, we get intelligence feeds from all across the globe.
-- This is 1 article about secure end point and how it helps with zero day attack : https://community.cisco.com/t5/security-blogs/stop-ransomware-and-zero-day-threats-with-cisco-secure-endpoint/ba-p/4506378
-- This is link about how secure firewall provides malware defence - https://www.cisco.com/c/en/us/products/collateral/security/amp-appliances/datasheet-c78-733182.html
-- Other such solution is SASE network ( Secure Access Service Edge) -- https://www.cisco.com/c/en/us/products/collateral/security/at-a-glance-c45-2391315.html

In All cisco products we get feeds from Cisco TALOS all these solutions together help with Zero day attacks and APT.

Talking about IPS policy --
Guide link -- https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/overview_of_network_analysis_and_intrusion_policies.html

In the secure Firewall there is proper line of defence for different checks at every later before allowing the traffic.
Intrusion prevention as the system’s last line of defense before traffic is allowed to proceed to its destination. Intrusion policies govern how the system inspects traffic for security violations and, in inline deployments, can block or alter malicious traffic. The main function of intrusion policies is to manage which intrusion and preprocessor rules are enabled and how they are configured.

As a part IPS/IDS system, a network analysis policy governs how traffic is decoded and preprocessed so it can be further evaluated, especially for anomalous traffic that might signal an intrusion attempt.

-----------------------------------------
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Thanks and Regards
Divya Jain

Re: Firepower Rule for Layer-2 Attack and APT

AudieO — Thu, 08 Sep 2022 21:43:02 GMT

Thank you Divya for replying!

"1. To combat zero day attacks and Layer-2 attack based on EtherType and MAC address anomalies - its done at initial authentication level - 802.1x auth, LDAP authentication, ISE. IDS / IPS policies only works at application level.""

802.1x or other Authentication methods cannot prevent any workstation from advanced Malware infections. I'm referring to state-sponsored exploits.

"2. IPS/IDS are signature based detectors"

This signature based is useless against Zero Day and APT exploits. Yes, I had performed Sandboxing to see advanced Malware "Calling Home".

So it seems everything about IDS/IPS is still the same as 4-5 years ago. Anomaly behavior based still a dream.

Re: Firepower Rule for Layer-2 Attack and APT

Divya Jain — Thu, 15 Sep 2022 05:23:23 GMT

Hello Audie,

I agree, signature based cannot detect Zero-Day attaks. But Cisco Secure IPS (NGIPS) has both signature based and Anomaly based detection.

The anomalies detetcion will be done using the packet decoder and preprocessors. With the combination of Stateful Inspection Anomalies and TCP Session Hijacking part of the preprocessors, one can defend Mac address/layer-2 level anomaly dehaviour/attack.

As mentioned, ATPs are Often based on exploiting vulnerable softwares. (along with Social Engineering) and the exploitation happens (mostly) once the vulnerability info published/known.

Cisco Secure IPS solution can identify and block attack traffic that target vulnerabilities in a wide array of operating systems, network services, applications, and protocols, and provide protection from new worms and viruses prior to their vulnerabilities becoming known or published.

This is (the high level summary) how one can defend Zero-Day and ATP attacks, using only Cisco Secure IPS.

Again just to reiterate,a Standalone product to tackle security threat will continue to have inherent gaps. To avoid the gaps in security, organizations need to take a holistic approach. This will require a multilayered, integrated security solution.
Hope it helps.

Thanks
Divya Jain

Re: Firepower Rule for Layer-2 Attack and APT

AudieO — Thu, 15 Sep 2022 13:11:16 GMT

Thank you again Divya for the response!

My question directly specifically to state-sponsored APT's (by Russia, North Korea, Iran, etc.), not by organizations nor individuals. If a vendor can claim (and proof) that their product was able to stop a state-sponsored APT, I would like to know about it.

Most (if not all) cyber experts agreed that best way to prevent APT's are User Trainings (do not download and click), network and computer hardening, and multi-layer security. IDS/IPS has become a secondary layer defense, which is great for aftermath forensic if you can filter out the countless false-positives.

Hi Audie, This is Talos link and it give report for year...

Divya Jain — Fri, 08 Sep 2023 07:15:28 GMT

Hi Audie,
This is Talos link and it give report for year 2022.

https://blog.talosintelligence.com/apt-topic-summary-report-cisco-talos-year-in-review-2022/

Let me know if this helps.

Regards,

Divya jain