Mitigating malware from internal (partner) Laptop / PC

n-russell-biggie · ‎05-21-2021

Hello,

I have a client that has been infected with malware. They use Cisco Umbrella and also have Cisco Firepower (no AMP license).

It appears that the malware originated from a third party partner / contractor connection to my clients internal network with their laptop.

It has taken almost a week for my client to go through all their logs on all their different systems and they are still on their knees.

How would we mitigate this in future with Cisco solutions? I thought that Umbrella would have blocked this, but this was not the case. y

It appears that my client AlienVault is showing multiple connections from private IP addresses in subnets that do not exist on the network out to public IP addresses.

Would licensing the clients firepower for AMP help out here? Any suggestion on Cisco products that can mitigate this sort of issues would be great.

Many thanks

Nick

Rob Ingram · ‎05-21-2021

Hi @n-russell-biggie

If the laptop was already infected before connecting to the network umbrella wouldn't help much at that point, the device is free to infect the local network.

Yes you could get AMP for Endpoints, but usually that would be deployed to corp owned assets, it's not that practical to deploy to contractor devices.

Ideally use NAC, with ISE and TrustSec. The contractor would connect to the network, be classified differently to a corp user/device and have limited access to the network. Their limited access would prevent them from communicating with corp devices and give them only the required access. You could also use posturing to determine whether the devices connecting to the network are compliant.

If you have FTD you could also integrate with ISE and automatically/manually quarantine the device, restricting their access completely.