01-30-2017 12:36 PM - edited 03-10-2019 06:45 AM
We (like anyone) get a ton of malware via SMTP. It gets blocked but I have no way to report to management what the malware was, what the business risk is, etc.
Cisco support said to turn on capture so it can get the file on Firesight, but still there is no way I can see to give me a full "This was a Locky variant that has a CVE of xxx.x, you can read more on this here"
Surely there is a place to go in Talos or via the actual SHA value to see what the malware was' no?
Thanks
Bob James
01-30-2017 10:24 PM
If it is a black listed IP (aka "Security Intelligence") it will get blocked before you can even pull it. As a result, there is no way to tell which malware it even was.
If you turn off a lot of the protective measures, like security intelligence, you'll get prettier reports, since you are then relying on your last level of defence to detect the malware - but I wouldn't do it.
01-31-2017 07:18 AM
Same doesn't hold true for retrospective events.... The issue is we need to understand what the threats are;' they are getting the hash or looking at it retrospectively, so you can't tell me they don't know what the malware/vulnerability is.
http://www.talosintelligence.com/amp-naming/
There is a naming convention site that helps but doesn't help me describe to management what the threat vector is, how we can plan an incident response (if one gets through), or anything other IPS types systems provide.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide