Beginner

Firepower Management Center: Indication of Compromise / URL Block

I frequently see devices listed in "Indications of Compromise by Host".

When I drill down to see what the issue is, it's usually "The host may connect to a phishing URL" or "Malware Site".

When I drill down further to the events that triggered the IOC, the Action and Reason are always "Block", "URL Block" or "File Block".

This confuses me. Was the computer compromised, or was the event blocked?

And if the event was blocked, why did it trigger the IOC?

Do I need to reconfigure something?

Thanks for your help.

Lee

Accepted Solution
Hall of Fame Guru

Say an on-premises user logs

Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrives there.) The target domain is found to be on the blacklist or to have a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor, and the connection is blocked.

So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.

No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.

There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.


Beginner

That was an excellent

That was an excellent explanation.

Thank you.


Re: Say an on-premises user logs


@Marvin Rhoads wrote:

Say an on-premises user logs into his or her cloud-based personal email account and clicks a link in a phishing email. (Assuming here your corporate email is already protected by an ESA and no phishing email ever arrives there.) The target domain is found to be on the blacklist or to have a very poor reputation (part of the Cisco Security Intelligence feed) at the sensor, and the connection is blocked.

So there was an IOC (user clicked a link) but the sensor worked as designed and blocked it.

No further action is required there. If the same user shows up in the top 10 day after day, a visit to their desk may be in order.

There is a less likely possibility that the computer itself may be compromised by malware and is trying to send local user data back to a phishing server.


Is there any way to find the URL that caused the flag when this happens?

Hall of Fame Guru

Re: Say an on-premises user logs

kguillory@nocp.org look under:

Analysis > Security Intelligence Events > Table View of Events. Filter on the IP address of the endpoint in question.
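The triage the thread describes (the IOC fires on the click, the sensor blocks the connection, repeat appearances are what deserve a desk visit), as an added example that is not from the thread or from Cisco: it filters constructed Security Intelligence event rows by endpoint IP and lists the blocked URLs. The column names are assumed to mirror the Table View of Events export; the monitor-only case is my addition, since an event whose action is not a block means the connection went through.

```python
# Added example, not from the thread or from Cisco. Column names are
# assumed to follow the FMC "Table View of Events" export; the rows,
# IPs, hosts and dates below are constructed for illustration.
import csv
import io
from collections import defaultdict

SAMPLE_CSV = """\
First Packet,Initiator IP,Responder IP,Action,Reason,Security Intelligence Category,URL
2020-04-01 09:12:03,10.1.1.25,203.0.113.10,Block,URL Block,Phishing,http://login-example.invalid/verify
2020-04-01 14:40:11,10.1.1.77,198.51.100.5,Block,URL Block,Malware,http://cdn-example.invalid/update.exe
2020-04-02 08:01:45,10.1.1.25,203.0.113.10,Block,URL Block,Phishing,http://login-example.invalid/verify
2020-04-03 08:03:02,10.1.1.25,203.0.113.10,Block,URL Block,Phishing,http://login-example.invalid/verify
2020-04-03 11:22:09,10.1.1.77,198.51.100.5,Monitor,URL Monitor,Malware,http://cdn-example.invalid/update.exe
2020-04-03 16:05:51,10.1.1.90,203.0.113.44,Block,URL Block,Phishing,http://mail-example.invalid/login
"""

def load_events(text):
    """Parse an exported event table (one dict per row)."""
    return list(csv.DictReader(io.StringIO(text)))

def events_for_host(events, ip):
    """The lookup from the thread: filter the table on the endpoint's IP."""
    return [e for e in events if e["Initiator IP"] == ip]

def blocked_urls(events, ip):
    """Distinct URLs that raised the IOC for this host and were blocked."""
    return sorted({e["URL"] for e in events_for_host(events, ip)
                   if e["Action"] == "Block"})

def triage(events, repeat_days=2):
    """Per host: 'blocked' (sensor did its job, no action needed),
    'repeat' (shows up day after day, worth a desk visit), or
    'unblocked' (a non-block action let the connection through)."""
    days = defaultdict(set)
    unblocked = defaultdict(int)
    for e in events:
        ip = e["Initiator IP"]
        days[ip].add(e["First Packet"][:10])      # calendar day of the hit
        if e["Action"] != "Block":
            unblocked[ip] += 1
    verdict = {}
    for ip, seen in days.items():
        if unblocked[ip]:
            verdict[ip] = "unblocked"
        elif len(seen) >= repeat_days:
            verdict[ip] = "repeat"
        else:
            verdict[ip] = "blocked"
    return verdict
```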


Re: Say an on-premises user logs

Thanks for your prompt response. Stay safe.