Firepower Indications of Compromise

Several days ago I wrote an article about Firepower Sinkhole rules. While confirming the behavior in a lab, I temporarily created a custom DNS sinkhole rule. That rule classified requests for temp.packetu.com as Command and Control and returned an IP address of 1.1.1.1. What I noticed afterwards is that this caused my laptop to be tagged with an Indication of Compromise (IOC).

Indications of Compromise (IOCs) can be thought of as the reasons why Firepower Management Console believes a host cannot be trusted or is otherwise affected by malware. They can be found in several places in the UI. I find the Context Explorer to be a good middle ground for most SecOps team members and a good place to notice whether any IOCs currently exist.

My network is rather simple and currently has only one IOC. In any case, I can use the Context Explorer to launch the host information for the affected host.

Figure: IOC Context Explorer

Once the Host Profile screen is launched, I can get a little more information about the activity that causes Firepower to believe this is a compromised host.

Figure: IOC Host Profile

Also notice the trash can icon to the right of the Indication of Compromise that was triggered on 07-05. Deleting the event or choosing Mark All Resolved are the two ways the host status can be changed back to normal.

As the security team navigates the user interface, affected hosts can also be spotted by the color of the host icon. For example, while viewing connection events, a blue host icon is normal and a red one indicates compromise. The interface is intuitive, and choosing the host takes the administrator directly into the host profile view.
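To make the lifecycle described above concrete, here is an added Python model (not the author's or Cisco's code, and not how Firepower is implemented) of how a sinkhole DNS response turns into a host IOC, how the icon color follows the unresolved-IOC state, and why status only returns to normal through an explicit delete or Mark All Resolved. The DNS events, client addresses, and dates are constructed for the illustration; the sinkhole address and domain are the ones from the lab rule.

```python
from dataclasses import dataclass, field

SINKHOLE_IP = "1.1.1.1"  # address the lab sinkhole rule returned
SINKHOLED_DOMAINS = {"temp.packetu.com": "Command and Control"}  # rule category

# Constructed DNS events: (client, queried name, answer IP, date). Not real logs.
DNS_EVENTS = [
    ("10.0.0.5", "www.example.com", "203.0.113.20", "2016-07-05"),
    ("10.0.0.5", "temp.packetu.com", "1.1.1.1", "2016-07-05"),  # sinkhole hit
    ("10.0.0.9", "temp.packetu.com", "1.1.1.1", "2016-07-05"),  # sinkhole hit
    ("10.0.0.5", "temp.packetu.com", "1.1.1.1", "2016-07-06"),  # repeat hit
    ("10.0.0.7", "packetu.com", "198.51.100.10", "2016-07-06"),  # normal lookup
]


@dataclass
class Ioc:
    category: str
    description: str
    first_seen: str
    last_seen: str
    resolved: bool = False


@dataclass
class HostProfile:
    ip: str
    iocs: list = field(default_factory=list)

    def compromised(self) -> bool:
        return any(not i.resolved for i in self.iocs)

    def icon_color(self) -> str:
        return "red" if self.compromised() else "blue"  # red = unresolved IOC

    def mark_all_resolved(self) -> None:
        for i in self.iocs:  # administrator action; events are kept for the record
            i.resolved = True

    def delete_ioc(self, index: int) -> None:
        del self.iocs[index]  # the trash can: event removed, status recalculated


def build_host_profiles(events):
    """Derive per-host IOC state from DNS events. A repeat hit for the same
    sinkholed domain updates last_seen rather than creating a second IOC
    (an assumption made for this model)."""
    hosts = {}
    for client, qname, answer, date in events:
        host = hosts.setdefault(client, HostProfile(client))
        category = SINKHOLED_DOMAINS.get(qname)
        if not (category and answer == SINKHOLE_IP):
            continue  # ordinary lookup, nothing recorded
        desc = f"DNS sinkhole response for {qname}"
        open_ioc = next((i for i in host.iocs if i.description == desc and not i.resolved), None)
        if open_ioc:
            open_ioc.last_seen = date
        else:
            host.iocs.append(Ioc(category, desc, date, date))
    return hosts
```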

Figure: IOC Icon

Conclusion

Indicators of compromise can be a quick and easy way to determine which hosts may have been exploited, and they provide a good description of why that status is suspected. Pivoting into the host view gives a lot of information about the host and provides what the SecOps team needs to perform remediation. Changing the compromised status back to normal is a process that should, and does, require manual intervention by a Firepower administrator.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.