Solved: Re: Attributes for anomalous behaviour

Mannyteck · ‎01-27-2020

One of my client requested for implementing anomalous behavior on Endpoints, however I have gone through Cisco documentation on this but still have unclear explanation.

The default condition on ISE for anomalous behavior states:

Endpoints:AnomalousBehaviourEQUALStrue AND Device:LocationEQUALSAllLocations

Is there any other attributes that can be added to enforce anomalous behavior based on the the three major attributes provided so has not to deny legitimate endpoints or user access on the network.

NAS-Port-Type

DHCP Class ID

Endpoint Policy

Also I have about more than 500 endpoints on the network that anomalous behaviour = true, How do I narrow down to endpoints that are malicious or illegitimate.

Greg Gibbs · ‎01-27-2020

As per the document you attached (Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2), there are specific behaviours that the Anomalous Endpoint Detection feature looks for:

NAS-Port-Type - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot1x is used for Wireless Dot1x and visa-versa.

DHCP Class ID - Determines whether the type of client/vendor of endpoint has changed. This only applies when DHCP class ID attribute is populated with a certain value and is then changed to another value.

Endpoint Policy - A change in endpoint profile from Printer or IP phone to Workstation.

While this might work for some strict customer environments, I found it to be prone to a large number of false positives in at least one large enterprise customer production environment. As such, they did not have the appetite to enable any policies that would enforce network restrictions based on the 'AnomalousBehaviour = True' attribute flag.

They were not interested in investigating further, but I suspect a factor might be a large number of endpoints having Virtual Machine guests that use a NAT mode to share the same MAC address as the host.

You would likely need to isolate one of the PCs with the 'AnomalousBehaviour = True' attribute and start doing packet captures to investigate further.

Cheers,

Greg

View solution in original post

Greg Gibbs · ‎01-27-2020

As per the document you attached (Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2), there are specific behaviours that the Anomalous Endpoint Detection feature looks for:

NAS-Port-Type - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot1x is used for Wireless Dot1x and visa-versa.

DHCP Class ID - Determines whether the type of client/vendor of endpoint has changed. This only applies when DHCP class ID attribute is populated with a certain value and is then changed to another value.

Endpoint Policy - A change in endpoint profile from Printer or IP phone to Workstation.

While this might work for some strict customer environments, I found it to be prone to a large number of false positives in at least one large enterprise customer production environment. As such, they did not have the appetite to enable any policies that would enforce network restrictions based on the 'AnomalousBehaviour = True' attribute flag.

They were not interested in investigating further, but I suspect a factor might be a large number of endpoints having Virtual Machine guests that use a NAT mode to share the same MAC address as the host.

You would likely need to isolate one of the PCs with the 'AnomalousBehaviour = True' attribute and start doing packet captures to investigate further.

Cheers,

Greg

Jason Kunst · ‎01-31-2020

I have also asked the SME @kthiruve to take a look. This is likely an enhancement for the future as well

To contact our product team for future enhancement requests, externally for cisco customers/partners at http://cs.co/ise-feedback for cisco employees internally at http://cs.co/ise-pm

kthiruve · ‎02-14-2020

Thank you for the pointers. I will bring this up with the PM/Engineering team.

In ISE profiler settings, there are two settings. Anomalous behavior detection and enforcement.

Start with detection and understand the false postives and investigate the reasons before turning on the enforcement and adding it to authz.

ISE determines the behavior based on what it receives from the endpoint. For endpoint policy, it will detect significant change such as workstation to printer and highlight that as anomalous behavior. It will not detect that change from Cisco IP Phone to IP Phone xxx model as anomalous.

-Krishnan

Colby LeMaire · ‎02-14-2020

The majority of false positives with anomalous behavior are due to ISE not taking into account applications that use DHCP Discover messages. For example, an enterprise organization using Skype will see a lot of false positives because Skype will send DHCP Discover messages with the class identifier of "MS-UC-Client" to try to discover SIP servers. This is normal behavior per the DHCP RFC. Some other applications do the same to discover things like proxy configuration files. There is already a bug filed for this issue but I am not sure when it will be addressed.

This issue is keeping a lot of customers from using anomalous behavior.

ajc · ‎02-08-2023

Hi Greg, I have a question:

We have a situation where a legit account username is being used by an unauthorized person who is entering continuously a wrong password and therefore locking out that legit account. Blocking the MAC is not possible due to the randomized MAC address added by Android and Apple to their software so I was wondering if Anomalous Behaviour could help but I do not see it. Still trying to find out the user but not possible yet. thanks in advance for any suggestion.

Greg Gibbs · ‎02-08-2023

I don't see how the Anomalous Behavior feature in ISE would help here. The feature is all related to attributes of the endpoints and has no visibility of the user.