In this article, we're going to cover indicators of compromise within Cisco AMP for Endpoints. Let's jump in and take a look. Indicators of compromise, or IOCs, are simply pieces of data that help us identify specific information related to malicious files, malicious behavior, or any abnormal behavior in our network. Here we're going to look at how we define some key aspects of our endpoint policies, which is how we determine what counts as an indicator of compromise for our network. The relevant section we want to examine within Cisco AMP is the Outbreak Control menu that we see here at the top.

This allows us to create lists that customize AMP for our needs. First, let's click on that and take a look at the Custom Detections area. At the top you'll see Simple, Advanced and Android. Custom detections are similar to creating and adding entries in a blacklist in order to block items. So let's first click the Simple Custom Detection option to take a look at that.

Once this loads, you're going to see that we have some custom detections already in there. Let's click on one of these simple custom detections; we'll just choose our first one here and click the Edit button. We can see information about the attached file. We see a file included, and we can expand that area to see the SHA-256 hash and some other information about it.

Let's say we have a particular file that we want to define as an indicator of compromise. We can click the Create button near the top and give this custom detection a name. Let's just call it cj test. We'll click Save, and it saves a new custom detection for us.

Once that is saved, you'll see that it shows up at the top of our list here, and we can click Edit for that custom detection. This allows us to define one or more files that we want to be sure to quarantine, and those are identified, as you can see, by the SHA-256 hash of the file itself. If we know the hash, we can simply paste it into the box we see here. Otherwise we can click the Upload File tab and upload the file itself that we want quarantined; once we save that, the Cisco AMP cloud computes the SHA-256 hash for us automatically. So simple custom detections, as the name suggests, only look for the SHA-256 hash of a file.

Now we can perform more advanced techniques with an advanced custom detection. So let's go back under Outbreak Control at the top and choose the Advanced Custom Detection option. Advanced custom detections provide many other signature types, as you can see in the help text here on the right. These are based on ClamAV signatures and include MD5 signatures, file-based body signatures, wildcards, regular expressions and more. We can do the same thing here to create a new detection.

We can click the Create Signature Set button, and I will similarly just name it cj-test and click Save. We'll give that a moment to show up, and now we see it in our Advanced Custom Detections list. We can go ahead and edit it if we want to, and from here you'll see that again we can add a signature. There is an Add Signature button, and if we click it, the type is set to auto-detect the type of signature that we add, or we can of course use the drop-down box and specifically select which type we're using.

If we go back under our Outbreak Control section and look at Android, we also have a section dedicated to Android detections, defined separately from Windows and macOS, for example. Here we can create detections for specific applications by uploading the actual application file, which is in .apk format. This provides outbreak control for Android devices that will stop a malicious application we define here from being used. It will also notify the user and prompt them to uninstall it.

Another kind of indicator of compromise that we can define is based around IP addresses.

We can define IP access control lists, allowing us to flag or block suspicious network activity. In order to create a specific blocked network, we again go under Outbreak Control, and you'll see that under the Network section we have IP Block and Allow Lists. Let's click on that; the default view we land in shows all IP lists. We can choose to look at only our block lists or only our allow lists, but we'll stay in the main default window for the time being. If we expand this blacklist section, we can see any range of IP addresses that we have blocked.

We can, of course, click the Edit button here on the right and add our own IPs and CIDR blocks as needed. So these are the areas we want to define, along with the policies we create, and these determine what an indicator of compromise is on a particular network. We can see these IOCs in our Events area under the Analysis tab. So let's go to the Analysis tab at the top and choose Events.
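As an added illustration (not the page's or Cisco's own code), the following Python script models how the three kinds of IOC definitions discussed above are evaluated: a simple custom detection as a SHA-256 match, an advanced custom detection as a ClamAV-style hash signature (.hdb, MD5:size:name) or body signature (.ndb, with `??` and `*` wildcards, a simplified subset of what ClamAV itself supports), and an IP block list holding plain addresses and CIDR blocks. The sample file bytes, signature names and addresses are constructed for the example.

```python
import hashlib
import ipaddress
import re

# Constructed sample artifacts for the example (not real malware or real IOCs).
SAMPLE_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00evil-config:v2" + b"\x00" * 20
CLEAN_FILE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00hello world"
BLOCK_LIST = ["192.0.2.0/24", "198.51.100.5"]  # plain IPs and CIDR blocks


def sha256_hex(data: bytes) -> str:
    """Simple custom detection: only the SHA-256 of the whole file is compared."""
    return hashlib.sha256(data).hexdigest()


def clamav_hdb_line(data: bytes, name: str) -> str:
    """Build a ClamAV .hdb hash signature: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hdb_matches(line: str, data: bytes) -> bool:
    md5, size, _name = line.split(":", 2)
    return int(size) == len(data) and hashlib.md5(data).hexdigest() == md5


def ndb_regex(hexsig: str) -> re.Pattern:
    """Translate a ClamAV body-signature hex string into a bytes regex.
    '??' matches any single byte and '*' matches any run of bytes."""
    parts = []
    for tok in re.findall(r"\*|\?\?|[0-9a-fA-F]{2}", hexsig):
        if tok == "*":
            parts.append(b".*")
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def ndb_matches(line: str, data: bytes) -> bool:
    """ClamAV .ndb body signature: MalwareName:TargetType:Offset:HexSignature.
    Offset '*' means the pattern may appear anywhere in the file."""
    _name, _target, offset, hexsig = line.split(":", 3)
    pat = ndb_regex(hexsig)
    if offset == "*":
        return pat.search(data) is not None
    return pat.match(data, int(offset)) is not None


def ip_blocked(ip: str, block_list=BLOCK_LIST) -> bool:
    """IP block list: an address matches a plain entry or any CIDR block containing it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in block_list)
```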

This is a tab that we've already looked at in a previous lesson, so we can see any events here that are indicators of compromise. We can also go under Outbreak Control once again and choose Scan Summary under the Endpoint IOC section. This particular instance is, of course, empty because we have no scheduled scans. Any scans that we schedule using a policy, as we looked at previously, will be listed here.

Any individual computer scans that we kick off from the management console would also appear in this area. If we go under our Analysis tab once again at the top, we can choose the Indicators area near the bottom of that menu, and you'll notice a list of .ioc files displayed, all of which are used to suggest that a system has been affected by malware. These IOCs are the informational feed used by Cisco AMP to protect our endpoints, in addition to any custom detections that we set up. You can see that if we expand one of these; let's expand this one that's rated critical.

We see the critical rating on the right, and if we expand that we're going to see more information about this IOC. Again we see the critical rating, we see that this is a command-and-control IOC, and we also see that we had no observations of it.
