25 Compromise host-FTD/FMC

anilkumar.cisco
Level 4

Hello Team,

Getting an alarm for 25 hosts compromised by the SI system of FTD/FMC.

The source of the hit is showing CnC, which is already blocked by the policy.

Not sure then why a compromised host is showing.

These devices are not in the prefilter policy.

The customer doesn't have a Malware license.

Cisco FMC 6.4.0 version

Kindly advise the next action or suggestion.


Marvin Rhoads
Hall of Fame

Firepower will both block the CNC traffic as well as alert you to the hosts generating it. It is useful to remediate the endpoints so that they are no longer a source of traffic that needs to be blocked. The CNC compromise on them may have other effects that aren't apparent on the firewall (lateral movement in the network, potential for a more serious breach if the device is mobile and goes off-network at some point, etc.)

anilkumar.cisco
Level 4

Hello Marvin,

In view of that, how should we confirm the following:

  • no connections were established between the CnC and inside IPs.
  • the FW is performing as designed in response to malicious connection attempts by dropping traffic, even though we don't have a malware license in FMC, but we are seeing traffic being blocked in between.
  • the CnC alerts are a false alarm with no exposure to the customer base.

Best Regards

Anil Singh

Marvin Rhoads
Hall of Fame

It's not a false alarm - FMC is showing you that it blocked (dropped) an attempted CnC connection.

anilkumar.cisco
Level 4

OK, I got it.

I was also going through the threads below on the same subject:

Category=CnC Connected, Event Type=Intrusion Event - malware-cnc - Cisco Community

Solved: Firepower blocking CnC - Cisco Community

Solved: Re: The host may be under remote control - Cisco Community

My plan is:

1. Run an NMAP scan on the client, and from FMC, and check for any open ports on the client side, etc.
2. Similarly, advise the local IT team to scan such clients for viruses and malware.
3. Monitor any additional alerts from the same client (host profile).
4. Look up the destination IP with whois and Talos intelligence.

We need to do this exercise with all compromised hosts.

Any other suggestion from you!!

Marvin Rhoads
Hall of Fame

@anilkumar.cisco

I don't think scanning with nmap will help much since the nature of CnC communications is that the communications are usually initiated from the infected host to the CnC server(s). As such, it will use an ephemeral port (i.e. 1025-65534) and not show up as an open port to an external scan.

Your steps 2-4 look pretty good.
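The triage that Anil's three questions ask for, written out as an added example (not code from this thread, from Cisco, or from FMC): it takes connection-event records, keeps only the Security Intelligence hits in the CnC category, and for each inside host separates blocked attempts (the firewall doing what Marvin describes) from allowed ones (an actual CnC connection, i.e. real exposure). It also checks that the source port is in the ephemeral range Marvin mentions, and orders hosts for the local IT team's malware scans, worst first. The records, addresses and the key=value field names (action, src, sport, dst, dport, si_category) are constructed for this example and are an assumption, not the FTD syslog or FMC export schema; adapt the parser to the fields of your own export.

```python
"""Triage of Security Intelligence CnC hits per inside host (example, not FMC code)."""
import re
from collections import defaultdict

# Constructed sample records. The layout and field names are an ASSUMPTION
# modelled loosely on the FMC connection-event columns, not the real schema.
SAMPLE_EVENTS = """\
2020-05-01T10:00:01Z action=Block src=10.1.20.15 sport=49213 dst=198.51.100.7 dport=443 proto=tcp si_category=CnC
2020-05-01T10:00:09Z action=Block src=10.1.20.15 sport=49220 dst=198.51.100.7 dport=443 proto=tcp si_category=CnC
2020-05-01T10:01:30Z action=Block src=10.1.20.42 sport=51007 dst=203.0.113.9 dport=8080 proto=tcp si_category=CnC
2020-05-01T10:02:00Z action=Allow src=10.1.20.42 sport=51010 dst=93.184.216.34 dport=443 proto=tcp si_category=-
2020-05-01T10:03:12Z action=Allow src=10.1.20.77 sport=52000 dst=203.0.113.9 dport=8080 proto=tcp si_category=CnC
2020-05-01T10:03:40Z action=Block src=10.1.20.15 sport=49300 dst=198.51.100.7 dport=443 proto=tcp si_category=CnC
""".splitlines()

# Client-initiated CnC traffic uses an ephemeral source port (1025-65534 in the thread).
EPHEMERAL_MIN = 1025

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one record into a dict; the leading timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    for key in ("sport", "dport"):
        fields[key] = int(fields[key])
    return fields


def triage_cnc(lines):
    """Return {inside_host: summary} for every host with at least one SI CnC hit.

    'blocked' and 'allowed' count CnC events by firewall action. An allowed CnC
    event means a connection was actually established, so that host needs
    priority remediation. Traffic outside the CnC category is ignored.
    """
    hosts = defaultdict(lambda: {"blocked": 0, "allowed": 0,
                                 "cnc_servers": set(), "ephemeral_src": True})
    for line in lines:
        ev = parse_event(line)
        if ev.get("si_category") != "CnC":
            continue
        host = hosts[ev["src"]]
        if ev["action"] == "Block":
            host["blocked"] += 1
        else:
            host["allowed"] += 1
        host["cnc_servers"].add(ev["dst"])
        if ev["sport"] < EPHEMERAL_MIN:
            host["ephemeral_src"] = False
    return dict(hosts)


def remediation_order(summary):
    """Hosts with any allowed CnC connection first, then by number of attempts."""
    return sorted(summary, key=lambda h: (-summary[h]["allowed"],
                                          -(summary[h]["blocked"] + summary[h]["allowed"]),
                                          h))


def exposure_report(summary):
    """One line per host answering the thread's question: contained or exposed?"""
    rows = []
    for host in remediation_order(summary):
        s = summary[host]
        status = ("EXPOSED (CnC connection allowed)" if s["allowed"]
                  else "contained (all attempts blocked)")
        rows.append(f"{host}: {status}; blocked={s['blocked']} allowed={s['allowed']} "
                    f"servers={sorted(s['cnc_servers'])}")
    return rows


if __name__ == "__main__":
    for row in exposure_report(triage_cnc(SAMPLE_EVENTS)):
        print(row)
```

On the constructed sample, 10.1.20.77 is listed first because one CnC connection was allowed through; 10.1.20.15 and 10.1.20.42 only ever had their attempts dropped, which is the "not a false alarm, but contained" case Marvin describes. The destination addresses collected per host are the ones to run through whois and Talos in step 4.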
