11-11-2015 08:04 AM - edited 02-20-2020 09:29 PM
Hi experts,
I have a question regarding ThreatGrid and AMP.
I know that files can be analyzed in a ThreatGRID sandbox when submitted through the AMP cloud management console. I was told this is a lightweight version of ThreatGRID that is included free with AMP, and that the full version requires a ThreatGRID subscription.
My question is: say I submit a Microsoft Office document (e.g. Word) with a macro through the AMP cloud; does it run the macro to detect whether the macro itself is malicious?
I also have another question regarding AMP for the Email Security Appliance.
In ESA with an AMP licence, when an email contains an attachment that is malicious, is the entire email blocked (TCP reset, like Firepower on ASA), or is just that attachment quarantined while the rest of the email goes ahead?
Is there a cleanup function that could remove one attached file and not all the files?
Thank you,
Patrick Moubarak
Labels: AMP for Endpoints, Endpoint Security
Accepted Solutions
11-11-2015 02:25 PM
Further on the ESA question: This is determined by your settings in Mail Policies > Incoming Mail Policies on the ESA. You can choose whether to deliver or drop the message, deliver after removing the troublesome attachment, warn the user in the message subject, etc. Details can be found under "Configuring the Incoming Mail Policy for File Reputation Scanning and File Analysis" in the ESA User Guide (starts on page 17-8 in the AsyncOS 9.7 revision of the guide).

11-11-2015 08:27 AM
Hi Patrick,
I can answer the first question. Yes, when you go to Analysis > File Analysis in AMP for Endpoints, you can submit a file for dynamic malware analysis. The analysis is included with the AMP subscription. In this "Threat Grid Light", you have the full Threat Grid analysis features. The macros in the Microsoft Office document will be executed and malicious behavior will be detected and reported.
Now, some macros require user interaction to click "OK". In these cases, you can watch the Analysis Video inside AMP to see if there are any pop-ups in the console. If there are, then you will want to log into the Threat Grid Portal (with your full Threat Grid subscription), resubmit the sample and then click on "Interact with Running Sample" to go into the Glovebox. This is a unique feature that only Threat Grid provides.
What do you receive with the Threat Grid report inside AMP for Endpoints?
- Sample Information / Metadata
- Behavioral Indicators
- Network Activity report
- Download PCAP
- Download Sample
- Process report
- Artifacts report
- File Activity report
- Simple search of SHA256, IP Address, and name
- View / Download Video of Screen Captures
- Download artifacts
- Threat Score
Good news is that AMP customers can subscribe to Threat Grid at nearly half price.
Why upgrade to the Threat Grid Subscription?
- Threat intelligence context & correlation (pivot in reports with hyperlinks)
- Interact with malware samples in Glovebox
- Download Report JSON
- Registry Activity report / Download Registry contents JSON
- Process Graph and Process Timeline JSON
- Adjust run times of sample analysis
- Advanced search (samples, artifacts, registry, URLs, etc.)
- API integration for automation of sample uploads and Threat Intelligence, including RSA's Security Analytics, Guidance Software's EnCase, TripWire Enterprise, Splunk, QRadar, ArcSight, etc.
- Threat Intelligence Feeds
.:|:.:|:. Jessica Bair | Senior Manager, Business Development | Advanced Threat Solutions – AMP Threat Grid
CISCO Mobile: 310.614.9132 | jbair@cisco.com
11-11-2015 08:42 AM
Thank you for the helpful answer. For now my customer does not have a ThreatGrid account but it is definitely something that I will suggest to them.
Patrick
02-07-2016 12:57 PM
May I know if there are any docs on how all the solutions interact and integrate?
- AMP Private Cloud Virtual Appliance (AMPv)
- public AMP cloud
- Firepower Management Center (FMC)
- Threat Grid 5000 or AMP Threat Grid cloud
Some options in my mind:
1. Firepower will be managed through FMC.
2. For Dynamic File Analysis (File policy) on Firepower using an on-prem sandbox, the TG5000 will integrate with FMC (the system also does a public AMP cloud lookup to check whether the file has been submitted before or not).
3. AMP endpoint agents will be managed using the AMP Private Cloud Virtual Appliance (AMPv) or the public AMP cloud.
4. AMPv will integrate with FMC to feed endpoint data.
5. Threat Grid file analysis for the AMP Virtual Private Cloud Appliance will be available in early 2016 upon integration with the Threat Grid On-Premises Appliance. Is this part of 6.0?
Regards,
Ak

11-11-2015 08:40 AM
Hi Patrick,
AMP Threat Grid would let the Office document (e.g. Word doc) run with the macro and capture any malicious behavioral indicators. The full AMP Threat Grid subscription (Portal Access) also includes a really nice feature called "Glove Box", which will allow you to actually interact with the malware sample during execution in the sandbox, e.g. click any pop-ups etc. to allow the malware to run its course in the sandbox and collect telemetry for malware intelligence.
With regards to your ESA question, I believe it is based on the policy configured on the ESA once an AMP disposition is determined for a file attachment. Perhaps someone with more expertise around the ESA policy configuration can chime in.
Thanks and best regards,
Shyue Hong
11-13-2015 01:22 PM
Thank you all for the great insights. The information provided is very helpful.
Patrick
