
Firepower Management Center: Indication of Compromise / URL Block

Lee Dress
Level 1

I frequently see devices listed in "Indications of Compromise by Host"

When I drill down to see what the issue is, it's usually "The host may connect to a phishing URL" or "Malware Site".

When I drill down further to the events that triggered the IOC, the Action and Reason is always "Block", "URL Block" or "File Block".

This confuses me. Was the computer compromised, or was the event blocked?

And if the event was blocked, why did it trigger an IOC?

Do I need to reconfigure something?

Thanks for your help.

Lee

Accepted Solution

Marvin Rhoads
Hall of Fame

Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrives there.) The target domain is found to be on the blacklist or to have a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor and the connection is blocked.

So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.

No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.

There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.

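To make the triage described above repeatable, here is an added example (not Cisco's code and not part of this thread) that walks rows like those in Analysis > Security Intelligence Events > Table View of Events and sorts each flagged host into "blocked, no action", "blocked but recurring", or "not blocked, investigate". The field names, the sample rows, and the three-day threshold are assumptions.

```python
"""Triage hosts listed under "Indications of Compromise by Host" using
Security Intelligence events.  Example code added to this thread, not
Cisco's; field names and sample values are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed sample rows in the shape of the SI event table view
# (column names assumed, IPs and URLs made up for illustration).
SAMPLE_EVENTS = [
    {"time": date(2023, 5, 1), "host": "10.1.1.20", "category": "Phishing",
     "action": "URL Block", "url": "http://phish.example/login"},
    {"time": date(2023, 5, 1), "host": "10.1.1.21", "category": "Malware",
     "action": "URL Block", "url": "http://malware.example/a"},
    {"time": date(2023, 5, 2), "host": "10.1.1.21", "category": "Malware",
     "action": "URL Block", "url": "http://malware.example/b"},
    {"time": date(2023, 5, 3), "host": "10.1.1.21", "category": "Malware",
     "action": "Block", "url": "http://malware.example/c"},
    {"time": date(2023, 5, 2), "host": "10.1.1.22", "category": "Phishing",
     "action": "Monitor", "url": "http://phish.example/drop"},
]

# Actions named in the thread that mean the sensor stopped the connection.
BLOCKING_ACTIONS = {"Block", "URL Block", "File Block"}
REPEAT_DAYS = 3  # assumed threshold for "shows up day after day"


def triage(events):
    """Return {host: (verdict, blocked, unblocked, distinct_days, urls)}."""
    per_host = defaultdict(
        lambda: {"blocked": 0, "unblocked": 0, "days": set(), "urls": []})
    for ev in events:
        h = per_host[ev["host"]]
        if ev["action"] in BLOCKING_ACTIONS:
            h["blocked"] += 1
        else:
            h["unblocked"] += 1  # anything the sensor did not block
        h["days"].add(ev["time"])
        h["urls"].append(ev["url"])  # the URLs that raised the IOC
    result = {}
    for host, h in per_host.items():
        if h["unblocked"]:
            verdict = "investigate host: connection to listed URL was not blocked"
        elif len(h["days"]) >= REPEAT_DAYS:
            verdict = "blocked, but recurring: follow up with the user"
        else:
            verdict = "blocked by sensor: no action required"
        result[host] = (verdict, h["blocked"], h["unblocked"],
                        len(h["days"]), h["urls"])
    return result
```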

5 Replies


That was an excellent explanation.

Thank you.


@Marvin Rhoads wrote:

Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrives there.) The target domain is found to be on the blacklist or to have a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor and the connection is blocked.

So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.

No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.

There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.

Is there any way to find the URL that caused the flag when this happens?

kguillory@nocp.org, look under:

Analysis > Security Intelligence Events > Table View of Events. Filter on the IP address of the endpoint in question.

Thanks for your prompt response. Stay safe.
