Evgeniy - In addition to

Evgeniy Ivanov · ‎02-23-2017

Hi, folks!
I have the questions about IOC scan in AMP.
1) What is the purpose of this feature? Is it like a full system scan in any other antivirus/antimalware software like McAfee?
2) Does every malware has it's own IOC? Or there is a one big cisco IOC file which is used for all malware types?
3) What will happen, if IOC scan find malware? Will AMP for endpoints be able to delete it?

Thanks!

David Janulik · ‎03-03-2017

Hi Evgeniy,

I will try to answer first part of your questions.

The Indications Of Compromise are a correlation of data which collect information in simple if..else template, that may indicate a compromised client. That means infected with some known or unknown malware.

This IOC is based on openioc.com framework. Either you or Cisco can build up some usefull IOC templates to be ready to deploy in the system through AMP scan on a daily basis.

David

Cyber security escalation engineer

David Janulik · ‎03-03-2017

What you want to achive is to have a catalogue. This is build up on full scan. Based of artifacts, where is taken from locations such as registry, system32 and memory.

Also an important note, this is resource intensive, endpoint with a large files will take hours/days to finish.

The added value from this results in events, which you can take an action of. If we talk about unknown malware, you are interested which workstations have such symptoms/files/behaviour.

To download Sample Cisco Endpoint IOC documents please open a support ticket.

I hope this answers your questions.

David

Cyber security escalation engineer

SDavidParker · ‎03-03-2017

Evgeniy - In addition to djanulik's reply, if you have the demo data turned on in your console, the CozyDuke and PlugX stories give you some hands on training for IOCs. Both end with you loading a pre-built IOC into AMP. Cisco has published some sample IOCs here: https://docs.amp.cisco.com/Cisco%20Endpoint%20IOC%20Attributes.pdf

If you want to build your own IOCs, there are many tools on the web to assist with this. Personally, I like this one: https://www.iocbucket.com/openioceditor, because it's fully web based, and I found the user interface to be very intuitive.

Back to your original question, to my knowledge, if an IOC is matched, AMP does not take action other than to raise an alert. As djanulik pointed out, and IOC is essentially nothing more than a search criteria that you can instruct AMP to alert you on when the criteria is matched. Now, if AMP determines that files that are associated with an IOC are otherwise malicious (using the ETHOS or SPERO engines), it will take the configured action against those files. If you take a look at the demo story for Demo_Command_Line_Arguments_Meterperter, while reviewing the Device Trajectory you'll see where they used CLI analysis to determine an IOC event had occurred on the endpoint. You'll also see that AMP only alerted on the IOC at the time that it occurred.

Hope this helps!

vaibhav581 · ‎09-17-2018

Hi Guys,

Thanks for the explanation . I had a quick query on this.

I made a IOC using Mandiant software which had couple of MD5 hashes. the query i had is do we need to scan the systems regularly to get the system who has those MD5 or can i get those alert as they are seen.

I do not want to run endpoint scan for IOCs. Just want to get alerted as soon as we see those hashes in the enviroment.

Regards

Vaibhav

Thomas Busch · ‎09-17-2018

Currently, any uploaded IOC would require a scan be run on the endpoint for the IOC to be triggered.

However, since you are only matching on specific MD5s you could potentially convert the IOC to match using an Advanced Custom Detection. The only caveat is that you would need to create this ACD logic yourself to ensure the correct results.

General questions about AMP