AMP endpoints/ESA, ThreatGrid

Hi experts,

I have a question regarding ThreatGrid and AMP.

I know that files can be analyzed in a Threat Grid sandbox when submitted through the AMP cloud management console. I was told this is a lightweight version of Threat Grid that is included free with AMP, and that the full version requires a Threat Grid subscription.

My question is: say I submit through the AMP cloud a Microsoft Office document (e.g. Word) with a macro; does it run the macro to detect whether the macro itself is malicious?

I also have another question regarding the AMP for Email Security Appliance.

In ESA with an AMP licence, when an email contains a malicious attachment, is the entire email blocked (TCP reset, like Firepower on ASA), or is just that attachment quarantined while the rest of the email can go ahead?

Is there a cleanup function that could remove one attached file and not all the files?

Thank you,

Patrick Moubarak

Accepted Solution

Further on the ESA question:  This is determined by your settings in Mail Policies > Incoming Mail Policies on the ESA.  You can choose whether to deliver or drop the message, deliver after removing the troublesome attachment, warn the user in the message subject, etc.  Details can be found under "Configuring the Incoming Mail Policy for File Reputation Scanning and File Analysis" in the ESA User Guide (starts on page 17-8 in the AsyncOS 9.7 revision of the guide).

6 Replies

jbair (Cisco Employee)

Hi Patrick,

I can answer the first question. Yes, when you go to Analysis -> File Analysis in AMP for Endpoints, you can submit a file for dynamic malware analysis. The analysis is included with the AMP subscription. In this "Threat Grid Light", you have the full Threat Grid analysis features. The macros in the Microsoft Office document will be executed and malicious behavior will be detected and reported.

Now, some macros require user interaction to click "OK". In these cases, you can watch the Analysis Video inside AMP to see if there are any pop-ups in the console. If there are, then you will want to log into the Threat Grid Portal (with your full Threat Grid subscription), resubmit the sample and then click on "Interact with Running Sample" to go into the Glovebox. This is a unique feature that only Threat Grid provides.

What do you receive with the Threat Grid report inside AMP for Endpoints?

  • Sample Information / Metadata
  • Behavioral Indicators
  • Network Activity report
  • Download PCAP
  • Download Sample
  • Process report
  • Artifacts report
  • File Activity report
  • Simple search of SHA256, IP Address, and name
  • View / Download Video of Screen Captures
  • Download artifacts
  • Threat Score

Good news is that AMP customers can subscribe to Threat Grid at nearly half price.

Why upgrade to the Threat Grid Subscription?

  • Threat intelligence context & correlation (pivot in reports with hyperlinks)
  • Interact with malware samples in Glovebox
  • Download Report JSON
  • Registry Activity report / Download Registry contents JSON
  • Process Graph and Process Timeline JSON
  • Adjust run times of sample analysis
  • Advanced search (samples, artifacts, registry, URLs, etc.)
  • API integration for automation of sample uploads and Threat Intelligence, including RSA's Security Analytics, Guidance Software's EnCase, TripWire Enterprise, Splunk, QRadar, ArcSight, etc.
  • Threat Intelligence Feeds

Jessica Bair | Senior Manager, Business Development | Advanced Threat Solutions – AMP Threat Grid | Cisco
Mobile: 310.614.9132 | jbair@cisco.com

Thank you for the helpful answer. For now my customer does not have a Threat Grid account, but it is definitely something that I will suggest to them.

Patrick

May I know if there are any docs on how all the solutions interact and integrate?

  • AMP Private Cloud Virtual Appliance (AMPv)
  • public AMP cloud
  • Firepower Management Center (FMC)
  • Threat Grid 5000 or AMP Threat Grid cloud

Some options in my mind:

1. Firepower will be managed through FMC.
2. For Dynamic File Analysis (File policy) on Firepower using an on-prem sandbox, the TG5000 will integrate with FMC (the system also does a public AMP cloud lookup to check whether the file has been submitted before or not).
3. AMP endpoint agents will be managed using the AMP Private Cloud Virtual Appliance (AMPv) or the public AMP cloud.
4. AMPv will integrate with FMC to feed endpoint data.
5. Threat Grid file analysis for the AMP Virtual Private Cloud Appliance will be available in early 2016 upon integration with the Threat Grid On-Premises Appliance. Is this part of 6.0?

Regards,

Ak

schuang (Cisco Employee)

Hi Patrick,

AMP Threat Grid would let the Office document (e.g. a Word doc) run with the macro and capture any malicious behavioral indicators. A full AMP Threat Grid subscription (Portal Access) also includes a really nice feature called "Glove Box", which will allow you to actually interact with the malware sample during execution in the sandbox, e.g. click any pop-ups, etc., to allow the malware to run its course in the sandbox and collect telemetry for malware intelligence.

With regards to your ESA question, I believe it is based on the policy configured on the ESA once an AMP disposition is determined for a file attachment. Perhaps someone with more expertise around the ESA policy configuration can chime in.

Thanks and best regards,

Shyue Hong

Thank you all for the great insights. The information provided is very helpful.

Patrick