12.

1 Understanding Endpoint Security Technologies

Introduction
As a security analyst, you not only need to understand endpoint security in general; you also need to be
familiar with endpoint security products and technologies. You must know how to read and interpret logs that
are generated by endpoint security products. You must also know how to efficiently utilize the reporting
capabilities and aggregated information that is provided by traffic analysis tools and other endpoint security
products.

By the time you complete the lesson, you should have a good basic understanding of endpoint security and be
familiar with common endpoint security technologies. You will also know how to generate log files on
Windows systems and have a basic understanding of what to look for in those log files.

12.2 Understanding Endpoint Security Technologies

Host-Based Personal Firewall

Personal firewalls protect a single host, in contrast to traditional firewalls. Traditional firewalls are installed at
policy enforcement points between networks. Therefore, traditional firewalls control traffic arriving at and
leaving networks, while personal firewalls control traffic arriving at and leaving individual hosts. Originally,
personal firewalls were add-on systems for PC operating systems, but they have now been integrated into
most modern operating systems. Pervasive use of personal firewalls can be used to implement a distributed
firewall. A distributed firewall requires that the personal firewall policies are controlled by a centralized
administration system. A distributed firewall can provide similar protection as a traditional firewall. If all the
hosts on a network are configured to deny inbound HTTP, it is similar to a traditional firewall denying
inbound HTTP to that network.

Personal firewalls can be important in the protection of systems that can be moved between networks. A
laptop may be well protected by firewalls of an organization when it is within the campus network. But that
laptop needs to protect itself when it is connected to an Internet service at the airport, hotel, coffee shop, or
home of the user. Personal firewalls are an important tool when split tunneling is used for remote-access VPN.
If the VPN client can access the Internet outside of the VPN tunnel, then the Internet can access the client
outside of the VPN tunnel. If there is a back door running on the VPN client, without a properly configured
personal firewall, an attacker can access that back door and use the client VPN tunnel to access the internal
network.

The features that are provided by personal firewall solutions vary. Policies that are based on protocols and
ports, which is common among traditional firewalls, is a common option. Many personal firewalls also have
the ability to permit and deny traffic, based on the application, regardless of the protocols and ports. Traffic is
allowed to and from whitelisted applications and denied to and from blacklisted applications. When a new
application attempts to use the network, the personal firewall may query the user whether the application
should be whitelisted or blacklisted, which provides a level of protection against malware running as an
executable program. Personal firewalls may also have the ability to define policies for different classes of
networks, such as work, home, and public. When the personal firewall finds itself on a new network, it queries
the user to identify the class of the network.

There are many different host-based firewall products. In addition to protecting the host computer, some of
them have reporting capabilities, and some can automatically alert you of suspicious activity. Most host-based
firewalls monitor incoming and outgoing connections and have a logging feature that tracks the firewall’s
handling of various types of traffic.

Depending on the firewall and how you configure it, the logs that are generated may contain information such
as the following:
  Which connections or packets were blocked
 Data that is related to blocked connections or dropped packets, such as the IP addresses, port numbers,
and protocols
 Data that is related to permitted connections, such as the IP addresses, port numbers, and protocols

This information can be quite useful to the security analyst, who can use it to look for suspicious activity, such
as:

 Outbound connections that initiate from internal servers, which could indicate that your computer is
being used to attack other computers
 Repeated unsuccessful access attempts from a single IP address within a short time

As a security analyst, if you notice suspicious activity involving a certain IP address, you can use tools such as
WHOIS to determine the owner of that address. However, you should keep in mind that an IP address that is
listed in a log file may not actually belong to the attacker that you are trying to track down, because attackers
often use spoofed IP addresses.

Host-based firewall logs may contain large amounts of data, and much of that data may come from innocuous
activity. For optimal use of host-based firewall logs, you may need specialized search and event correlation
tools.

Microsoft Windows products come with a built-in firewall. By default, when the Windows Firewall is on, it
blocks all unsolicited incoming connections, which prevents attackers from accessing your computer and the
information that is stored on it. You can locate the Windows Firewall simply by typing firewall in the Search
box in your task bar.

In Windows 10, the firewall is on by default. You can select Turn Windows Firewall on or off to enable or
disable the firewall.
If you need to create advanced Windows Firewall rules, use the Windows Firewall with Advanced Security,
which you can locate the same way that you locate the Windows Firewall.

You can create the following types of rules:

 Program rules: Rules that control connections for an application or program

 Port rules: Rules that control connections for specific ports and protocols
 Predefined rules: Rules that apply to specific Windows services and features
 Custom rules: Rules that combine several different parameters, including programs, protocols, ports,
and services

To create a rule in Windows Firewall with Advanced Security, follow these steps:

1. In the navigation pane on the left, select the category for which you want to create a new rule:
Inbound Rules, Outbound Rules, or Connection Security Rules.
2. In the Action pane, click New Rule. The New Rule Wizard opens.
3. In the Rule Type screen, select the rule type.
 4. Follow the wizard through the process of creating the rule. Depending on the type of rule you create,
you may be prompted to select the action to be taken when a connection matches your specified
conditions. You may also be prompted to specify when you want the rule to apply (when your
computer is connected to its corporate domain, a private network, and/or a public network)

Windows Firewall logging can help you identify malicious activity. Logging is disabled by default. To create
a log file, complete the following steps:

1. In the panel on the right, click Properties.

2. In the dialog box that opens, click the Private Profile tab, and click the Customize button in the
Logging area. A new window opens.

Note

You will need to repeat this step (selecting the Public Profile tab instead of the Private Profile tab) and
the following step after you complete this process.

3. Choose the maximum log size, the location for the log file, and what you want to log (dropped packets,
successful connections, or both).
To view your log file, complete the following steps:

1. In the main Windows Firewall with Advanced Security window, click Monitoring.
2. In the Monitoring pane, click the file path link under Logging Settings and to the right of File Name.
The log opens in Notepad.

The log file contains the following information (and much more) about each event:

 Date
 Time
 Action taken
 Protocol used
 Source IP address
 Destination IP address
 Source port
 Destination port

For Linux, there are several host-based firewall variants, including the following:

 IPtables: This type of firewall is implemented in the Linux kernel and typically works at the network
layer. By using the iptables command, you can modify the kernel-level firewall in any Linux
operating system to control access to ports, protocols, and services. You can also specify source and
destination addresses in the iptables command to control access to ports, protocols, and services
based on host or network address.
 TCPwrappers: This type of firewall is implemented in the Linux user space, works at the application
layer, and is used to permit or deny access to a specific service. It can only be used with network
services that are Xinetd-based. The tcpwrappers firewall enables you to specify which hosts can access
which services.
 Uncomplicated firewall: UFW is a simplified front end for IPtables.

Note

Xinetd is a program, or service, that manages other services. It manages Internet-based connectivity on Linux
and Unix systems.

12.2 Understanding Endpoint Security Technologies

Host-Based Personal Firewall
Personal firewalls protect a single host, in contrast to traditional firewalls. Traditional firewalls are installed at
policy enforcement points between networks. Therefore, traditional firewalls control traffic arriving at and
leaving networks, while personal firewalls control traffic arriving at and leaving individual hosts. Originally,
personal firewalls were add-on systems for PC operating systems, but they have now been integrated into
most modern operating systems. Pervasive use of personal firewalls can be used to implement a distributed
firewall. A distributed firewall requires that the personal firewall policies are controlled by a centralized
administration system. A distributed firewall can provide similar protection as a traditional firewall. If all the
hosts on a network are configured to deny inbound HTTP, it is similar to a traditional firewall denying
inbound HTTP to that network.

Personal firewalls can be important in the protection of systems that can be moved between networks. A
laptop may be well protected by firewalls of an organization when it is within the campus network. But that
laptop needs to protect itself when it is connected to an Internet service at the airport, hotel, coffee shop, or
home of the user. Personal firewalls are an important tool when split tunneling is used for remote-access VPN.
If the VPN client can access the Internet outside of the VPN tunnel, then the Internet can access the client
outside of the VPN tunnel. If there is a back door running on the VPN client, without a properly configured
personal firewall, an attacker can access that back door and use the client VPN tunnel to access the internal
network.

The features that are provided by personal firewall solutions vary. Policies that are based on protocols and
ports, which is common among traditional firewalls, is a common option. Many personal firewalls also have
the ability to permit and deny traffic, based on the application, regardless of the protocols and ports. Traffic is
allowed to and from whitelisted applications and denied to and from blacklisted applications. When a new
application attempts to use the network, the personal firewall may query the user whether the application
should be whitelisted or blacklisted, which provides a level of protection against malware running as an
executable program. Personal firewalls may also have the ability to define policies for different classes of
networks, such as work, home, and public. When the personal firewall finds itself on a new network, it queries
the user to identify the class of the network.

There are many different host-based firewall products. In addition to protecting the host computer, some of
them have reporting capabilities, and some can automatically alert you of suspicious activity. Most host-based
firewalls monitor incoming and outgoing connections and have a logging feature that tracks the firewall’s
handling of various types of traffic.

Depending on the firewall and how you configure it, the logs that are generated may contain information such
as the following:

 Which connections or packets were blocked

 Data that is related to blocked connections or dropped packets, such as the IP addresses, port numbers,
and protocols
 Data that is related to permitted connections, such as the IP addresses, port numbers, and protocols

This information can be quite useful to the security analyst, who can use it to look for suspicious activity, such
as:

 Outbound connections that initiate from internal servers, which could indicate that your computer is
being used to attack other computers
 Repeated unsuccessful access attempts from a single IP address within a short time

As a security analyst, if you notice suspicious activity involving a certain IP address, you can use tools such as
WHOIS to determine the owner of that address. However, you should keep in mind that an IP address that is
listed in a log file may not actually belong to the attacker that you are trying to track down, because attackers
often use spoofed IP addresses.
Host-based firewall logs may contain large amounts of data, and much of that data may come from innocuous
activity. For optimal use of host-based firewall logs, you may need specialized search and event correlation
tools.

Microsoft Windows products come with a built-in firewall. By default, when the Windows Firewall is on, it
blocks all unsolicited incoming connections, which prevents attackers from accessing your computer and the
information that is stored on it. You can locate the Windows Firewall simply by typing firewall in the Search
box in your task bar.

In Windows 10, the firewall is on by default. You can select Turn Windows Firewall on or off to enable or
disable the firewall.

If you need to create advanced Windows Firewall rules, use the Windows Firewall with Advanced Security,
which you can locate the same way that you locate the Windows Firewall.

You can create the following types of rules:

 Program rules: Rules that control connections for an application or program

 Port rules: Rules that control connections for specific ports and protocols
 Predefined rules: Rules that apply to specific Windows services and features
 Custom rules: Rules that combine several different parameters, including programs, protocols, ports,
and services

To create a rule in Windows Firewall with Advanced Security, follow these steps:

1. In the navigation pane on the left, select the category for which you want to create a new rule:
Inbound Rules, Outbound Rules, or Connection Security Rules.
2. In the Action pane, click New Rule. The New Rule Wizard opens.

3. In the Rule Type screen, select the rule type.

 4. Follow the wizard through the process of creating the rule. Depending on the type of rule you create,
you may be prompted to select the action to be taken when a connection matches your specified
conditions. You may also be prompted to specify when you want the rule to apply (when your
computer is connected to its corporate domain, a private network, and/or a public network)

Windows Firewall logging can help you identify malicious activity. Logging is disabled by default. To create
a log file, complete the following steps:

1. In the panel on the right, click Properties.

2. In the dialog box that opens, click the Private Profile tab, and click the Customize button in the
Logging area. A new window opens.

Note

You will need to repeat this step (selecting the Public Profile tab instead of the Private Profile tab) and the
following step after you complete this process.

3. Choose the maximum log size, the location for the log file, and what you want to log (dropped packets,
successful connections, or both).
To view your log file, complete the following steps:

1. In the main Windows Firewall with Advanced Security window, click Monitoring.
2. In the Monitoring pane, click the file path link under Logging Settings and to the right of File Name.
The log opens in Notepad.

The log file contains the following information (and much more) about each event:

 Date
 Time
 Action taken
 Protocol used
 Source IP address
 Destination IP address
 Source port
 Destination port

For Linux, there are several host-based firewall variants, including the following:

 IPtables: This type of firewall is implemented in the Linux kernel and typically works at the network
layer. By using the iptables command, you can modify the kernel-level firewall in any Linux
operating system to control access to ports, protocols, and services. You can also specify source and
destination addresses in the iptables command to control access to ports, protocols, and services
based on host or network address.
 TCPwrappers: This type of firewall is implemented in the Linux user space, works at the application
layer, and is used to permit or deny access to a specific service. It can only be used with network
services that are Xinetd-based. The tcpwrappers firewall enables you to specify which hosts can access
which services.
 Uncomplicated firewall: UFW is a simplified front end for IPtables.

Note

Xinetd is a program, or service, that manages other services. It manages Internet-based connectivity on Linux
and Unix systems.
12.3 Understanding Endpoint Security Technologies

Host-Based Anti-Virus
Host-based anti-virus and anti-spyware programs are losing reputation due to their low level of efficacy, but
they are still valuable sources of telemetry for the security analyst.

As the name suggests, antivirus software was originally developed to detect and remove computer viruses. But
many other types of malware have emerged over the years, and antivirus software vendors have attempted to
keep up. Examples of other types of malware that may be detected by antivirus software include: keystroke
loggers, back doors, root kits, browser hijackers, trojan horses, and ransomware. The capabilities of antivirus
software vary from vendor to vendor, as does the efficacy against any particular threat or class of threats.
Unfortunately, the rate of malware proliferation is increasing and antivirus software efficacy is decreasing.

Note

A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of
another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range
in severity from causing mildly annoying effects to damaging data or software and causing DoS conditions.
Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not
be active or able to spread until a user runs or opens the malicious host file or program.

Most antivirus software uses signature-based detection. Antivirus software vendors analyze known malware,
and catalog the characteristics that are used to recognize them in a signature database. Scanning files and
memory for these signatures reveals the malware. The obvious shortcoming of this methodology is that it
cannot protect against attacks that have not yet been recognized by the security industry—often called zero-
day attacks.

Antivirus software may also use heuristics to detect malware. Heuristics allow for recognition on imprecise
signature matches. Often malware will mutate over time into different variants. Sometimes, the intent of the
mutation is simply to evade detection. Other times, the mutation is the result of the malware author adding
new capabilities into the malware. The use of heuristics can help antivirus software to recognize entire classes
or families of malware.

A third detection technique that may be used by antivirus software is behavioral-based detection. Instead of
analyzing the code for signatures, the behavior of processes is monitored. If a process attempts to do
something that is recognized as malicious, such as modifying another executable program or capturing
keystroke information, behavioral-based analysis can detect the malware. This can provide a certain level of
protection against zero-day threats.

Whatever combination of detection methods that are employed by antivirus software, it is important that the
software databases are maintained. Most antivirus software has the ability to automatically check for and
install updates regularly.

Most modern antivirus software is capable of providing real-time protection. They are not wholly dependent
on running scans to find malware that has already obtained a foothold on a system. Real-time protection
analyzes data as it is loaded into the working memory of the computers, such as when an application auto-
executes upon insertion of a USB memory key, or when opening an email or completing a web transaction.

As its name implies, spyware is software which attempts to gather information without raising awareness.
Most consider spyware to be undesirable, but not as malevolent as malware. The line between malware and
spyware is blurred. For example, keystroke loggers gather information without raising awareness, so they may
be considered spyware. But keystroke loggers are generally considered to be insidious enough to cross the line
into malware. Adware is another related class of software. With adware, the user agrees to be exposed to
advertisements in exchange for use of the software. Often adware tracks usage in different ways so that the
advertisements are targeted to the user. When the behavior of the adware is clear and the user understands
what they are trading for use of the software, then adware is not considered to be spyware or malware.
However, if the adware is installed in such a way that the user is not aware that targeted advertisements will
be displayed in their browser, then the software may be considered spyware. Also, if the adware covertly
sends its tracking data to sites that will use the data to design phishing attacks against a particular target
audience, then it has crossed the line into the territory of malware. Most commonly, spyware is implemented
with tracking cookies in Internet browsers. Large retail sites may install tracking cookies, and based on what
they capture the retail site will show different content to the user with the intention of displaying merchandise
that will interest the user and lead to increased sales.

The emerging prevalence of spyware led to the development of another class of security applications that is
known as antispyware. Antispyware is typically a software program that is installed on an endpoint to detect
and remove spyware. Just as the line is blurred between what is malware and what is spyware, the line
between what antivirus software and antispyware software detect and mitigate is blurred. There is often a level
of overlapping protection between the two types of systems.

12.4 Understanding Endpoint Security Technologies

Host-Based Intrusion Prevention System

A HIPS is a software package that detects and prevents attacks on the host on which it is installed. A HIPS
combines the capabilities of antivirus, antispyware, and personal firewall software and protects the host from
both known and unknown attacks.

Because the HIPS is installed directly on the host that it is protecting, it can monitor processes and resources
on the system. It can also analyze encrypted traffic after it has been decrypted, which is something a network-
based IPS cannot do.

To detect suspicious activity, HIPS products use technologies such as the following:

 Signature-based IPS: Intrusive activity is detected by comparing traffic to a set of rules called
signatures. When traffic matches a signature, the IPS takes an action, such as dropping packets,
logging the event, or sending an alert. Signatures are developed by engineers who research known
attacks and vulnerabilities and then develop signatures to detect those attacks and vulnerabilities. An
IPS cannot detect a yet-unknown attack for which there is no signature in the database.

Signature-based intrusion detection can produce false positives because certain normal network
activity can be misinterpreted as malicious activity. For example, some network applications or
operating systems may send out numerous ICMP messages, which a signature-based detection system
might interpret as an attempt by an attacker to map out a network segment. You can minimize false
positives by tuning signatures.

 Anomaly-based IPS: Intrusive activity is detected by comparing real-time traffic to traffic that is
considered “normal.” For this type of detection to work, a baseline must be established to define what
is considered normal traffic.
 Policy-based IPS: Intrusive activity is detected by comparing real-time traffic to preconfigured
policies.
 Any combination of the above

When it detects suspicious activity, not only can a HIPS prevent attacks, it can also generate alarms, or alerts,
that the security analyst can use for investigation. There are four categories of "alarms," although two of them
are not actually alarms that are generated by an IPS.
  False positives (benign triggers): False positives occur when the IPS reports certain benign activity
as malicious. This requires human intervention to diagnose the event. Many false positives can
significantly drain resources, and the specialized skills that are required to analyze them are costly and
difficult to find.
 False negatives: False negatives occur when the IPS does not detect and report actual malicious
activity. The consequence can be catastrophic and signatures must be continuously updated as new
exploits and hacking techniques are discovered. Minimizing false negatives is given a very high
priority, sometimes at the expense of higher occurrences of false positives.
 True positives: A true positive occurs when the IPS correctly generates an alarm upon detecting
malicious traffic. In an ideal world, 100 percent of the alarms that are generated by an IPS would be
true positives, meaning that every alarm corresponds to an actual attack.
 True negatives: Like a false negative, a true negative does not represent an actual alarm that is
generated by the IPS. Instead, a true negative represents a situation in which the IPS does not generate
an alarm when examining normal user traffic, which is the correct behavior. Again, in an ideal world,
normal user traffic would not cause an IPS to generate an alarm, but false positives do occur. If an IPS
generates too many false positives, its credibility begins to suffer.

Of these categories, the easiest to manage are the "correct" types. A true negative is easily ignored, and a true
positive gives data for an organization's incident response process. The two error types, on the other hand,
present challenges for IPS users.

False positive events occur when an IPS system mistakenly identifies an attack where there is none. An
abundance of false positive alerts becomes a significant burden for IPS analysts. These false alerts cloud the
console and hide true positive alerts. An analyst's time is limited, so wasting time analyzing false positive
events is costly. These false positive alerts should be regularly tuned out.

A false negative occurs when the network is attacked, but the IPS fails to detect it. Much of the responsibility
for these failures falls to the IPS vendor. Vendors must work to ensure that their detection engines cannot be
evaded by hackers, and they must continually provide updated rules. Vendors do not bear all the
responsibility, however. IPS users must keep their systems up to date and tune the rule set to fit their
environment.

The primary purpose of the intrusion analysis process is, of course, blocking or identifying attacks. In order to
assist this end, the secondary goal is tuning events. Tuning is the process of filtering out unnecessary,
unwanted, or inaccurate event data. Removing useless data is a critical part of keeping an intrusion system
operating effectively.

HIPS products are similar to network-based IPS in several ways. They use the same technologies to detect
suspicious activity, they can take similar actions upon detecting suspicious or malicious activity, and they can
generate the same types of alarms. Host-based IPS tuning is also similar to network IPS tuning: a monitoring
period ensues after IPS installation that is governed by the number of alarms seen. As tuning proceeds, there
should be a decrease in the number of alarms. This period can last for several days. Once the final tuning is in
place, the policy can be locked in.

12.5 Understanding Endpoint Security Technologies

Application Whitelists and Blacklists

A security analyst's job description may include “maintain quality blacklist and whitelist inventory.”
Therefore, it is important for a security analyst to know what blacklists and whitelists are.

Blacklisting is a security technique whereby any entity that is found on a list is denied access to resources.
Examples of entities that might be blacklisted include IP addresses, ranges of addresses, applications,
domains, and URLs. For instance, if IP address 209.165.200.230 is on a blacklist, all traffic to and from
209.165.200.230 is blocked. If only that address is on the blacklist, all other traffic is allowed. Blacklisting
allows all traffic that is not explicitly denied. Another technique, called whitelisting, does the opposite. It
denies all traffic that is not explicitly permitted (listed on the whitelist).

Many security solutions support blacklisting and whitelisting. You can manually create blacklists and
whitelists in IPSs, firewalls, email security products, and other security solutions. You can also use dynamic
blacklist databases, which are a good idea due to the difficulty of keeping up with and blacklisting the
constant proliferation of new threats in today’s threat landscape. Dynamic blacklist databases contain known
malicious entities, such as domains and IP addresses that are known to be malicious. These databases enable
you to dynamically create and maintain blacklists that are based on a security intelligence service.

You can usually supplement dynamic databases with blacklisted addresses of your choosing by adding them
to a static blacklist; if the dynamic database includes blacklisted addresses that you think should not be
blacklisted, you can manually enter them into a static whitelist. Blacklists and whitelists can be used together
in this way in some security products (such as the Cisco FireSIGHT System) because the whitelist overrides
the blacklist.

There are various types of blacklists and whitelists in addition to lists that contain IP addresses or domains.
For example, an email security product may allow you to create blacklists and whitelists consisting of email
addresses to block or allow. A web security product may allow you to create blacklists and whitelists
consisting of URLs to block or allow.

Application blacklists and whitelists enable you to control which programs are allowed to run on an endpoint.
Applications can be identified for inclusion in blacklists or whitelists by various methods, such as certificates
and file hash values.

Below is an example of applications white listing. With the non-home versions of Windows 7 or 8, the Local
Group Policy Editor can be used to only allow specified programs to run. Run the gpedit.msc command then
navigate to User Configuration > Administrative Templates > System. Then under Setting, scroll down
and double-click Run only specified Windows applications. Set it to Enabled, then under the Options
section, click the Show button next to List of allowed applications. In the Show Contents dialog, enter the
applications to allow the users to run. When finished with the list, click OK then close out of Local Group
Policy Editor. If a user tries to access an application that is not on the specified list, they will get an error
message indicating that the operation has been canceled due to restrictions in effect on this computer.
Application whitelisting can help reduce the ability of exploit kits to deploy malicious payloads on an end
host, even if the malicious payload makes it through all the other security measures. Unfortunately,
whitelisting applications will not always stop the malware payloads, such as payloads that are designed to run
in memory. An example is Bedep malware, which is also associated with the Angler exploit kit. One of the
goals of the Bedep malware is to force infected machines to visit unsolicited web sites, which is known as
advertising fraud. These unsolicited web sites typically generate profit from displaying advertising content,
and profit increases with a higher volume of traffic.

Malware that runs in memory injects malicious code into a currently running process such as Internet
Explorer. This lets the malware run behind a legitimate application. To make the malicious code persist (after
a system restart, for example), the malware can also insert code into the hidden Windows registry keys to
allow it to run after the legitimate application starts again after the system restart.

12.6 Understanding Endpoint Security Technologies

Host-Based Malware Protection

Host-based malware protection products can provide actionable intelligence for security analysts, helping
them make better decisions, faster.

Antivirus and antispyware tools certainly provide a line of defense, but their efficacy is dropping. Studies
have been done on the effectiveness of commercial antivirus software, and the outcomes vary, based on
conditions of the study. Studies that concentrated on detection of the latest threats showed the lowest efficacy
and studies that concentrated on the average behavior of users browsing the Internet showed the highest
efficacy. Efficacy ratings of a shocking low 5 percent to a relatively comforting 90 percent were
demonstrated. Even at 90 percent, it must be assumed that malware will penetrate an organization’s network.

Due to the nature of malware threats in current networking environments, even the best commercial products
for malware detection can realistically achieve about 40 percent success in detection. Most enterprises
implement multiple layers of protection, so malware that makes it to an endpoint defeats all the safeguards.
Therefore, to effectively deal with malware, you must assume that, at some point, it will make its way into
your networks and potentially persist for long periods of time before it is detected and acted upon.

With malware, endpoints must be protected before, during, and after attacks. Cisco AMP for Endpoints goes
beyond point-in-time detection to provide the level of visibility and control you need to stop advanced threats
that are missed by other security layers. It provides that protection across the attack continuum: before, during,
and after an attack. Cisco AMP for Endpoints is an intelligent, enterprise-class advanced malware analysis and
protection solution that uses a telemetry model that uses big data, continuous analysis, and advanced analytics
to detect, track, analyze, control, and block advanced malware outbreaks across all endpoints: PCs, Macs,
mobile devices, and virtual systems.

The figure above shows the results of a Cisco AMP for Endpoints scan on a Windows system. Cisco AMP for
Endpoints provides a solution for dealing with this issue:

 It provides cloud-based detection of malware through the Cisco Collective Security Intelligence Cloud,
which is a powerful alternative to traditional malware detection and that offers these features:
1. Rapid detection of known malware by examining the file's SHA
2. Use of cloud resources to test files with unknown dispositions
3. Use of machine learning techniques to constantly keep itself up to date
 It gives you a historical perspective so that you can see, over time, the actions that files performed on a
system. You can trace back an infection and identify the root cause. The historical perspective gives
you visibility into the following:

1. File trajectory: Shows you the hosts where files were seen
2. Device trajectory: Shows you the actions that files performed on a given host
 You can block malicious network connections based on the following:

1. Security intelligence feeds (IP reputation)

2. Custom IP blacklists
 Because malware that employs stealth techniques to hide its true intent may not initially be identified
as malicious, the machine learning and behavior monitoring engines in the cloud may change the
disposition of a file from "unknown" to "malicious." Such a change is known as retrospective alerting,
or cloud recall. In other words, Cisco AMP for Endpoints can go back to the systems where the file
was previously seen and alert the client to the changed disposition and quarantine the file.
 You can deploy simple custom detections or advanced custom detections in which you can create your
own signatures for malware detection.
 Management is facilitated by giving you the ability to create groups of hosts which can run different
policies to suit the detection needs of specific environments.
 Cisco AMP for Endpoints also provides robust reporting tools.
As illustrated in the figure below, Cisco AMP for Endpoints consists of the following elements:

 Cisco Collective Security Intelligence Cloud: Where the various malware detection and analytics
engines reside
 Client Connectors: Components that run on the endpoints. Client Connectors communicate with the
cloud to send information about files and to receive file disposition information.
 AMP for Networks: Gives FirePOWER devices the ability to query the cloud to obtain file
disposition information on files that are detected by the FirePOWER device

The most critical component of the overall Cisco AMP for Endpoints architecture is the cloud. In general, the
cloud is responsible for the following:

 Detection publishing: Detection signatures are in the cloud, which reduces the size of the client
connector and reduces the amount of processing that has to take place on the connector, since the bulk
of the work is being performed in the cloud.
1. Administrators can create custom signatures in the cloud and push them down to the endpoint
connectors.
2. Cross-referencing of files and signatures is done in the cloud, so the cloud is self-updating
without having to communicate those updates to endpoints every time.
 Large-scale data processing (big data): Data comes to the cloud from many sources.

1. File samples are provided to the cloud for processing. If the disposition of a given sample is
deemed malicious, it is stored in the cloud and reported to endpoints that see the same file.
2. An important design goal of the cloud is to provide results as quickly as possible, so low
latency is a key characteristic.
3. The cloud includes advanced analytic engines that constantly correlate the incoming data. It
uses the analytic results to update its signatures.
4. It also includes machine-learning engines to further refine its signatures and reevaluate the
detections that it has already performed.
 Decision making that is performed real time: The cloud is not just a repository for signatures—it
evolves, based on the data that it receives.
 Reporting: The cloud leverages its analytic capabilities to provide robust reporting capabilities.
12.7 Understanding Endpoint Security Technologies

Sandboxing
Sandboxing is a key part of network security when it operates as an integrated component of a complete solution.
Sandboxing technology has the ability to emulate an environment, detonate a file without risk of infection, and
analyze the file behavior.

Traditional signature-based detection engines often miss many of today’s threats. While signature detection is
great for known malware, detecting new forms with signature profiles is extremely difficult. Polymorphic
malware is one of the main reasons signatures are less effective today. Polymorphic threats change their
appearance frequently, making signature-based detection a futile effort.

Sandboxes detonate unknown files in a safe environment and then record its actions. You can use the reports
to identify whether a corresponding file appears to be malicious. Because packers change only the outer
appearance of a threat, its underlying behavior generally stays the same. In a sandbox, two polymorphic
copies of the same threat yield virtually identical reports. Therefore, sandboxing can be thought of as a
noteworthy antidote to malware packers. Packed malware is malware that has been modified using a runtime
compression (or encryption) program. Sandboxes help address many of the weaknesses of signature-based
detection, so you can see exactly what a file does before it is labeled malicious or benign.

There are several specific attributes that sandboxes typically examine. The first are obvious indicators of a
threat, like antidebugging techniques or keystroke logging. It also searches for other suspicious activity, such
as accessing specific registry keys, specific system files, or dynamically linked libraries.

Sandboxes are not a silver bullet when it comes to comprehensive malware protection. They can be used to
address a portion of the problem, but have three deficiencies:

 Inherent efficacy: Running a file in a sandbox is no guarantee that the disposition will show the threat
that it poses to your environment.
 Evasion tactics: Malware authors deploy several techniques to bypass sandbox analysis.
 Means to an end, not an end itself: Sandboxing is a great tool for addressing malware in an
environment, but sandboxing needs to be coupled with other capabilities to provide comprehensive
malware protection.

An example of a sandbox solution is the Cisco ThreatGrid solution that is delivered either as a cloud-based or
on-premises appliance-based solution.

Below is a sample screen shot of the Cisco ThreatGrid sandboxing analysis results, showing the resulting
malware behaviors and the generation of outbound HTTP traffic. In this example, the HTTP outbound traffic
is the malware's command and control traffic. The full details including the exact URI path of HTTP-based
command and control activity are also shown.
12.8 Understanding Endpoint Security Technologies

File Integrity Checking

Security analysts can use file integrity checking tools to determine if files on a system have been modified in
any way. When attackers compromise a system, they usually alter its system files. In fact, it is hard to
compromise a system without altering a system file. By altering system files, an attacker can maintain
continued access to the system and avoid detection. For this reason, file integrity checking tools can be of
great value to the analyst.

File integrity checking tools work by calculating hash values of important files, storing the hash values, and
periodically comparing those hash values to hash values that it calculates later. If any values don't match, the
file has been changed in some way.

File integrity checking tools are included with most host-based IPSs. There are also open source file integrity
checking tools (such as Tripwire, AFICK, and AIDE) that function as host-based IPSs.

It’s a good idea to run a file integrity checking tool on a system when it is first installed. You can then run it
again any time you think the system might have been compromised. Keep in mind, however, that files are
modified any time that you apply a system patch.

It is also very important to verify all the software images running on the network devices are valid. For
example, around September 2015, it was discovered that attackers having valid administrative credentials (via
social engineering or other methods) or physical access to the victim’s router was able to gain control of the
affected router, and compromise the router integrity with a modified router software image.

To ensure that a network device, such as the Cisco ASA, image has not been tampered with, the image needs
to be verified by the network administrator. The Cisco ASA image is digitally signed to provide authenticity
of the software image running on the Cisco ASA. The Cisco public key that is used to decrypt the image
digital signature is bundled with the Cisco ASA image. The figure below shows using the verify <image-
name> Cisco ASA command to validate the Cisco ASA image. In this case, the Cisco ASA image is valid
since the computed image digital signature hash matched the embedded image digital signature hash.

ciscoasa(config)# verify lfbff.SSA

Verifying file integrity of disk0:/lfbff.SSA

Computed Hash SHA2: 7d4e8531f4552458b90f8619ca76a76b

2c8751668b060981f95ded6fcca92d21
e7fc950834209ab162e2b4daaa8b38e4
28eaa48e1895919b817b79e4ead0dfd6

Embedded Hash SHA2: 7d4e8531f4552458b90f8619ca76a76b

2c8751668b060981f95ded6fcca92d21
e7fc950834209ab162e2b4daaa8b38e4
28eaa48e1895919b817b79e4ead0dfd6

Digital signature successfully validates