Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR)

Before diving deep into AMP for Endpoints, let’s define what the industry refers to as Endpoint Threat Detection and Response (ETDR) and Endpoint Detection and Response (EDR). Gartner defines EDR as the “tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.”

EDR solutions monitor endpoint and network events and record the information in a central database so that you can perform further analysis, detection, investigation, and reporting. Typically, software (an agent) is installed on the endpoint that allows ongoing monitoring and detection of potential security threats.

The minimum capabilities of a good EDR solution are as follows:

• Filtering: The ability to filter out false positives (to help reduce “alert fatigue,” which increases the potential for real threats to go undetected).

• Threat blocking: At the end of the day, the EDR solution must be able to contain the threats, not just detect them.

• Help with digital forensics and incident response (DFIR): The ability to allow an organization to effectively perform DFIR tasks, as well as threat hunting to prevent data loss (data breaches).

Outbreak Control

With a solution as powerful and extensive as AMP for Endpoints, it is difficult to determine where to start describing how to configure and use the system; however, it makes logical sense to begin with Outbreak Control because the objects you create within Outbreak Control are key aspects of endpoint policies.

Outbreak Control allows you to create lists that customize AMP for Endpoints to your organization’s needs. You can view the main lists from the AMP cloud console by clicking the Outbreak Control menu, which offers options in the following categories: Custom Detections, Application Control, Network, and Endpoint IOC (indicators of compromise), as shown in Figure 11-2.

You can think of custom detections as a blacklist. You use them to identify files that you want to detect and quarantine. When a custom detection is defined, not only do endpoints quarantine matching files when they see them, but any AMP for Endpoints agents that have seen the files before the custom detection was created can also quarantine the files through retrospection, also known as cloud recall.

Simple custom detection allows you to add file signatures, while the advanced custom detections are more like traditional antivirus signatures.

Creating a simple custom detection is similar to adding new entries to a blacklist. You define one or more files that you are trying to quarantine by building a list of SHA-256 hashes. If you already have the SHA-256 hash of a file, you can paste that hash directly into the UI, or you can upload files directly and allow the cloud to create the SHA-256 hash for you.

To create a simple custom detection, navigate to Outbreak Control > Custom Detections > Simple and the list of all existing simple custom detections appears, as shown in Figure 11-3. To add a new one, you must type it in the Name box and click Save, as shown in Figure 11-3.

The detection is then added to the list, as shown in Figure 11-4, and automatically edited—with the contents displayed on the right side.

If you already have the SHA-256 hash of a file, simply paste it in, add a note, and click Save; otherwise, you can upload a file, add a note, and click Upload. Once the file is uploaded, the hash is created and shown on the bottom-right side. You must click Save, or the hash will not be stored as part of your simple custom detection.

Simple custom detections just look for the SHA-256 hash of a file. Advanced custom detections offer many more signature types to the detection, based on ClamAV signatures, including the following:

• File body–based signatures

• MD5 signatures

• MD5, PE section–based signatures

• An extended signature format (with wildcards, regular expressions, and offsets)

• Logical signatures

• Icon signatures

To create an advanced custom detection, navigate to Outbreak Control > Custom Detections > Advanced, and the list of all existing advanced custom detections appears, as shown in Figure 11-5.

To add a new custom detection, you must type it in the Name box and click Save to add it to the list. Click Edit to display the contents of the new advanced detection object on the right side, as shown in Figure 11-6. The signature types can be auto-detected, or you can manually select them from the drop-down list. Figure 11-6 shows the available signature types.

Next, you click the Build Database From Signature Set button, and a success message is displayed, showing the successful creation of the advanced custom detection signature set. A View Changes link is visible with every custom detection, both simple and advanced. The AMP cloud maintains an audit log for each of the detection lists, and you can view it by clicking that link.

Android detections are defined separately from the ones used by Windows or Mac. These detections provide granular control over Android devices in an environment. The detections look for specific applications, and you build them by either uploading the app’s .apk file or selecting that file from the AMP console’s inventory list.

You can choose to use Android custom detections for two main functions: outbreak control and application control.

When using an Android custom detection for outbreak control, you are using the detection to stop malware that is spreading through mobile devices in the organization. When a malicious app is detected, the user of the device is notified and prompted to uninstall it.

You don’t have to use these detections just for malware, but you can also use them to stop applications that you don’t want installed on devices in your organization. This is what AMP refers to as “application control.” Simply add apps to an Android custom detection list that you don’t want installed, and AMP notifies the user of the unwanted application and prompts the user to uninstall it, just as if it were a malicious app.

IP Blacklists and Whitelists

You can use outbreak control IP lists in conjunction with device flow correlation (DFC) detections. DFC allows you to flag or even block suspicious network activity. You can use policies to specify the behavior of AMP for Endpoints when a suspicious connection is detected and also to specify whether the connector should use addresses in the Cisco intelligence feed, the custom IP lists you create yourself, or a combination of both.

You use an IP whitelist to define IPv4 addresses that should not be blocked or flagged by DFC. AMP bypasses or ignores the intelligence feeds as they relate to the IPv4 addresses in the whitelist (also often called the “allow list”).

You use IP blacklists to create DFC detections. Traffic that matches entries in the blacklist are flagged or blocked, as the DFC rule dictates.

To create an IP list, navigate to Outbreak Control > Network > IP Block and Allow Lists, as shown in Figure 11-7.

In the screen shown in Figure 11-7, you click Create IP List to start a new IP list, and you’re brought to the New IP List configuration screen, where you can create an IP list either by typing the IPv4 addresses in classless interdomain routing (CIDR) notation or by uploading a file that contains a list of IPs. You can also specify port numbers to block or allow. After the list is created, you can edit it only by downloading the resulting file and uploading it back to the AMP console. Figure 11-8 shows the New IP List screen, with a mixture of entries entered as text. You name the list, choose whether it is a whitelist (IP Allow List) or a blacklist (IP Block List), and enter a series of IPv4 addresses, one line at a time. Each line must contain a single IP or CIDR.

You click Create IP List to create the text file in the cloud console, and your new IP list is shown on the screen. If you click Edit, you can change the name of the IP list. To update the contents of the list, you must click Download and then delete the list. Then you create a new list with the same name and upload the modified file.

As for custom detections, the AMP console maintains an audit trail for IP lists that you can view by clicking View Changes.

AMP for Endpoints Application Control

Like files, applications can be detected, blocked, and whitelisted. As with the other files, AMP does not look for the name of the application but the SHA-256 hash.

To create a new application control list for blocking an application, navigate to Outbreak Control > Application Control > Blocked Applications. Figure 11-9 demonstrates this process. As you would expect, to create a new list, you click Create. You must name the list and click Save before you can add any applications to the blocking list.

Once the list has been created and saved, click Edit to add any applications. If you already have the SHA-256 hash, add it. Otherwise, you can upload one application at a time and have the AMP cloud console calculate the hash for you, as long as the file is not larger than the 20MB limit. You can also upload an existing list. Figure 11-10 shows a blocking list with an existing application hash shown at the bottom of the right-hand column, while another file is being uploaded for hash calculation.

Exclusion Sets

There is one more object that you should try to create before you build your policies, and that is an exclusion set. An exclusion set is a list of directories, file extensions, or even threat names that you do not want the AMP agent to scan and subsequently not convict as malware.

You can use an exclusion set to resolve conflicts with other security products or mitigate performance issues by excluding directories that contain large files that are frequently written to, like databases. If you are running an antivirus product on computers with the AMP for Endpoints connector, you should exclude the location where that product is installed.

It’s important to remember that any files stored in a location that has been added to an exclusion set will not be subjected to application blocking, simple custom detections, or advanced custom detections.

These are the available exclusion types:

• Threat: This type excludes specific detections by threat name.

• Extension: This type excludes files with a specific extension.

• Wildcard: This type excludes files or paths using wildcards for filenames, extensions, or paths.

• Path: This type excludes files in a given path.

For Windows, path exclusions may use constant special ID lists (CSIDL), which are Microsoft given names for common file paths. For more on CSIDL, see https://docs.microsoft.com/en-us/windows/win32/shell/csidl?redirectedfrom=MSDN.

Cisco-maintained exclusions are created and maintained by Cisco to provide better compatibility between the AMP for Endpoints Connector and antivirus, security, or other software. Click the Cisco-Maintained Exclusions button to view the list of exclusions. These cannot be deleted or modified and are presented so you can see which files and directories are being excluded for each application. These exclusions may also be updated over time with improvements, and new exclusions may be added for new versions of an application. When one of these exclusions is updated, any policies using the exclusion will also be updated so the new exclusions are pushed to your connectors. Figure 11-11 shows Cisco-maintained exclusions.

Each row displays the operating system, exclusion set name, the number of exclusions, the number of groups using the exclusion set, and the number of computers using the exclusion set. You can use the search bar to find exclusion sets by name, path, extension, threat name, or SHA-256. You can also filter the list by operating system by clicking the respective tabs.

To create a new exclusion set, navigate to Management > Exclusions, as shown in Figure 11-12.

In Figure 11-12, you see a list of any existing exclusions and can create new ones. Click New Exclusion Set and select the operating system for the new exclusion set (Windows, Mac, or Linux), as shown in Figure 11-13.

After selecting the operating system for the new AMP for Endpoints exclusion set, the screen in Figure 11-14 is displayed.

In the example in Figure 11-14, Mac OS was selected. You can use the search bar to find exclusion sets by name, path, extension, threat name, or SHA-256. You can also filter the list by operating system by clicking the respective tabs. Click View All Changes to see a filtered list of the Audit Log showing all exclusion set changes. Click any exclusion set to expand its details. You can click View Changes in this view to see changes made to just that particular set.

AMP for Endpoints Connectors

AMP for Endpoints is available for multiple platforms: Windows, Android, Mac, and Linux. You can see the available connectors from the cloud console by navigating to Management > Download Connector. In Figure 11-15, you see the types of endpoints.

AMP for Endpoints Policies

You can configure different policies for each of the supported platforms, respectively. To create a new policy, navigate to Management > Policies, as shown in Figure 11-16.

A policy is applied to an endpoint via groups. Groups allow the computers in an organization to be managed according to their function, location, or other criteria as determined by the administrator.

You can create a new group by navigating to Management > Groups. The screen shown in Figure 11-17 will be displayed.

AnyConnect AMP Enabler

You can use the AMP Enabler add-on to AnyConnect to aid in the distribution of the AMP connector to clients who use AnyConnect for remote access VPN, secure network access, posture assessments with Cisco’s Identity Services Engine, and more. Figure 11-18 shows the AnyConnect Secure Mobility Client with the AMP Enabler tile.

AMP for Endpoints Engines

There are three detection and protection “engines” in AMP for Endpoints:

• TETRA: A full client-side antivirus solution. Do not enable the use of TETRA if there is an existing antivirus product in place. The default AMP setting is to leave TETRA disabled, as it changes the nature of the AMP connector from being a very lightweight agent to being a “thicker” software client that consumes more disk space for signature storage and more bandwidth for signature updates. When you enable TETRA, another configuration subsection is displayed, allowing you to choose what file scanning options you wish to enable.

• Spero: A machine learning–based technology that proactively identifies threats that were previously unknown. It uses active heuristics to gather execution attributes, and because the underlying algorithms come up with generic models, they can identify malicious software based on its general appearance rather than basing identity on specific patterns or signatures.

• Ethos: A “fuzzy fingerprinting” engine that uses static or passive heuristics.

AMP for Endpoints Reporting

AMP for Endpoints includes a series of reporting dashboards that can be very useful to understand what’s happening in your endpoints. The main dashboard, illustrated in Figure 11-19, provides a view of threat activity in your organization over the past 30 days, as well as the percentage of compromised computers. You can filter by platform, date ranges, and other attributes.

Figure 11-20 shows the AMP for Endpoint Inbox report. The Inbox is a tool that allows you to see compromised computers in your business and track the status of compromises that require manual intervention to resolve. You can filter computers to work on by selecting Groups in the heat map, selecting a day with compromises in the bar chart, selecting an SHA-256 hash checksum from the Significant Compromise Artifacts list, or selecting from the Compromise Event Types list. These filters can be saved and set as your default view. You can also filter the computer list by those that require attention, those that are in progress, and those that have been resolved by clicking the matching tabs. You can order the list by date or severity by selecting from the Sort drop-down menu. When a computer is marked as resolved, it is no longer reflected in data on the Dashboard or Inbox.

Figure 11-21 shows the AMP for Endpoints Overview dashboard, which displays the status of your environment and highlights recent threats and malicious activity in your AMP for Endpoints deployment. You can click the headings of each section to navigate directly to relevant pages in the console to investigate and remedy situations.

Figure 11-22 shows the AMP for Endpoints Events dashboard, displaying the most recent events in your AMP for Endpoints deployment.

Figure 11-23 shows the iOS Clarity dashboard in AMP for Endpoints. If you have already linked your Meraki SM or other mobile device manager (MDM), this tab displays a summary of activity, a list of the most recently observed applications on your managed iOS devices, and a list of devices that have not reported back in more than seven days.