27. Defending via FirePower
Now we have seen the attack, how we can defend in this case we are going to defend with Firepower. Firepower is really very powerful tool from Cisco and that is getting lots of update from the Cisco tallos what is Cisco Talos? You can do a little bit search on that. That house is updating all the IPS and all the signatures to the firepower power so it knows that what is the latest attacks or the vulnerabilities or how to prevent from those exploits? Okay so for that I will obviously go in and log in inside the firepower. First of all I will show you inside the events that the attacks that we have done from the outside say metasplot with that particular IP we will see that inside the events and then we’ll go inside the IPS say policies and intuition or IPS and we change the rule.
So initially say rule was not related to a strut vulnerability. I will edit modify that, okay drop when the attack happened these are the rules I am going to implement. On the top you can see that Cisco Talos is continuously updating the available signature based on the latest threads seen in the scene in the world or they are constantly updating everything. So what will happen? Say once you go and search a strat and then you select everything and then you apply the rule. Say in this case we’ll use drop and generate events. Everything will become red. Cut mark here. That means now we are good for those. And if such type of attack will happen it will be protected. Because I am going to drop whenever it is in line. Okay. So likewise I will go and update the access policy as well. I will show you in the lab section so I will go inside this tab called inspection.
Inside the inspection tab, I will update the IPS rule that we have created in the previous slide. So here you can see in the drop down menu, I will choose Hack MDS default IPS policy. And then in the next section, I will attack. The next section, next recording will attack and we’ll see that we are generating the logs related to attack and how it will be done via firepower. So let me go and log to my Firepower FMC. So here it is my firepower and inside this firepower you can see here on the top we have various tabs, we have tabs analysis, policies, device object, MP intelligence that is advanced, malware protection here you can see deploy system, help, admin et cetera. Okay? And thing here that suppose if you want to check the events, you can click to analyze this.
Once you click Analyzes, you can see that you have content Explorer, connection, intuition files, host users, correlations advanced such like these many options you have. Now, in this case, I want to go inside, say analysis, connection and events because I want to check that IPS event or the attack that happened with respect to a strat. Now there are so many other IPS as well. And actually I want to highlight or I want just one of the attack that happened. So what I can do here, let me try to filter out this. So let’s do this thing. If I check the initiator IP, so there are various ways that we can filter it. Let’s see, because we have done that tag long back.
So maybe that IP is not here at the moment. I need to go and search this. Here in the bottom you can see that you have option view all. So you can view all. Let me check the other options as well. So let me go back to the connections with application detail and try to filter from there. All right, so with application details, my particular IP, where are you? Okay, jump to you have here you can see jump to. Now it’s important because you have so many events. Now you can see that these events log. I can check with this regard as well, like Jump To, security, intelligence, intuition events, Malware, et cetera. At the moment I know that is malware, so I can sorry, that is intuition. So I can go to intuition events and I can click so it will quickly show me the events related to intuition.
After that I know that okay, that is related to a package server strut parameters. So this one is the event that I’m looking for. Let me go and click. I need to verify the IP address. So here, this IP is not that we have used. So let me go back. This is the way that you can play around with the events. You can go back and forth. So let me go one more time. Let me do this one more time. That is the IPS filter and let me quickly do that. That’s the thing. If so many events are there, at what time the attack happens, you need to be confirmed about that as well. And there’s then you have various options to go and check. Because already I filtered that particular message related to intrusion. So that’s why I’m not getting that option in the intrusion. So I’m back here. Now, here you can see that what was our actual attack? It was attack Say Apache servers, remote code execution, correct.
So let me click this. Even you can open in the new tab as well. So you have some more visibility. Now we reach to this point, we know that, okay, this was the source, this is the outside attacker IP and this was the destination destination, the source port, destination port SSL was zero because we haven’t done SSL. But here we can see the priority is high and what message I am getting. So this is the high priority message I have. But I am using my Firepower Say as an IDs means it is generating a log message. Now, if I use as an IPS means if it is an inline drop that packet so it will start dropping it, correct? So for that I can go to these policies. You can see here on the top and in the policy say now we are very much concerned about the intuition policy. So we’ll go inside intuition policy. I will click to this pencil icon. We’ll go inside that. Now here I want to first of all check mark this drop when in line. All right, then we’ll modify the rules. I’ll click to modify the rules. I have long list of rules here because remember who is updating this. Yeah, correct. Cisco tallows. So let’s filter it and then I can see that I have total 51 rules associated to this. Now, this is not recommended that you select everything related to a particular signature or vulnerability. You have to fine tune that, okay? This type of attacks, this type of IPS signature I want to enable because you can’t enable everything. Okay? So we have selected all those things and then I have to save this. So let us save this and move on. Okay? All right, so what we’ll do here, we’ll go to rule and set and we know that as per our document drop and generate events something like in line rule, we are doing it, 51 rules has been updated and you can see everything is cut mark now we are good up to this point.
Now, what we have to do next that we need to deploy this rule. So for that I can go to deploy her. You can see on the top, let me highlight so you can see it properly here on the top you can see the deploy option. So I’ll go and deploy this rule where I want to deploy. It will ask me, it’s a bit slow, but anyway it will come. I’m going to deploy showing that everything is already done. Okay? So that means that I don’t have any unsaved entries, correct? So if I go to policy information that in the top, that is checkmark, that is also correct. Here you can see three, one, four rules generate events this rules dropping the events, that summary is also there. So we are very good at up to this point. No problem on this, let me click back. I’m going back. I want to do the commit changes. So it’s very important while you’re doing this section, sometimes you’ll get option on the top to click and save and sometimes you have to commit the changes because why it is important. So these are IPS rules. IPS rules and it is important why? Because if you do not do this, that means you have not done any changes, correct? That means when you go and apply this, let me show you what’s the difference. So now if I go and click to deploy, you will get the option to deploy where I want to deploy this to FTD. So I’ll go to deploy because now you can see it is showing out of date events because you have done some changes in policies but your sensor doesn’t know this.
So I have my sensor and what is the order they will take those policies. So if I click to this plus sign the access policy file policy, intuition policy, identity policy and all these things in this order. So click here to deploy. While it is deploying the policy, I will walk you through the other policy segment that is the access policy itself. Because I have created the intuition policy. Now in this intuition policy I need to update so you can see Access Control. So inside the policy access Control intuition malware DNS identity SSL prefilter now I am going to the Access control in Access control you can see here that I have Hack MDS default policy. The same thing. Go and click to the pencil button. Now once you open this suppose if you have opened this first time in this particular policy rule you can see the rules. So let me highlight little quick and I am revising your Firepower FMC classes as well.
So I can see the rules security intelligence, Http response it’s something like header information if someone tried to access your browsers or web browsers logging advanced now because all these rules that is going via this access policy default rule. So I will go and click to the default rule and inside the default rule you can see here that you have Jones network VLAN tags, user defined rules, applications, ports. You can define your custom ports as well URL you can give n number of URL security tagging group or Ice attributes whenever you are integrating with the Ice. Then inspection, then this login. So log is already enabled. That’s why we got the log inspection. I am going to update this hack MDS policy. See it is already attached here.
So whatever changes that I have done with that policy once it is 100% pushed because we have deployed that policy behind the scene it is pushing that policy. If you want to see the status what you have to do, you have to go here and you have to check the status. So here on the top you can see there is one green button correct? So if you go there, let me quickly show that as well. So let me close this first I’ll come back to this and let me show you first of all the deployment status. So if I click here, deployment is successful 1 minute 26 seconds earlier. So now we are 100% sure that the policy IPS policy orientation policy has been successfully deployed. I’ll go back again here one more time action is allowed. That is 100% correct. Finally I have to go ahead in the inspection and verify that is that my actual policy that I am referring here inside my access policy.
Yes. Now save this. Now save this. Now here, we are getting this save button. And now if you go here and click deploy, if any uncommitted changes are there, we can deploy it. We can go to the green button. We can check that the status of the deployment, it is in progress. Once it is done, that means we are very much done with our policy. Let us stop here, because in the next section, we are going to verify. So again, we’ll try to attack and we’ll see that it is happening or not. If not, then which policy? Which event triggers? All right.
28. Attack then Defending via FirePower IPS
Let us do the attack one more time. So let me clean all these steps. And I’ll prepare the new attack. So here, inside my Linux colleague, I’ll go and start my engine one more time. Let’s do it connect yes. And then once it will come up, I will give the destination and whatever vulnerabilities that we have done previous videos back. So here I know that is struts. So let me give the correct spelling. This is the vulnerability. And I want to edit the remote host that is say 198-1925 then the port I am going to use is port 80 heady and then the target Uri is client profile something. So let me try that say client portal then file upload okay. And then upload action. So upload action I want to use the reverse connection. Yes, launch it. So once I launch it, use reverse connection.
Launch it what it is telling that set the given option value. If the value is omitted, failed to connect, fail to connect remote host still you can see that remote port and all those things are not set. So let me try to set one more time all these correct parameters. Okay. And no problem, we’ll do it little click this time let me give this 80 and here it is the same. So, client portal, correct file upload and then upload action. Let me click here to use a reverse connection. Launch it now you can see here running a background job seven reverse TCP double handler this. So now everything is set properly. Payload is still it is showing the CMD Unix reverse. So what I will do, let’s go to the firepower and let’s check that I’m getting event and my rules they are dropping this connection or not.
All right. So I am inside firepower. I want to check the logs related to say IPS. So I’ll go to analysis, intuition and events. Let me click to the events here I can see that. Yes. I have one rule related to a package. Do I have so I can’t see any. That means still I’m not able to attack it properly. Okay, so let’s do it. Let me go back to the attack from where I want to do the attack double click. So n number of times I’m doing it. But I just wanted to give the correct information if I missed anything, because last time we have done the correct attack. And this time also we have to do it. So let me give the target Uri, that is client portal file upload upload action and then use a reverse connection. So now you. Can see that. Although it is showing payload CMD Unix reverse. But everything is okay. And if I go back to the events here one more time so let me go back to the events and the Intuition events. I should see that remote execution. And it should be blocked. Okay, it is showing some old event. Let me just quickly verify that.
So we’ll go and verify because now this time it should apply with our new policy. Okay, we’ll wait. It is coming up. Yes. So here you can see here, you can see that impact to inline result that I was looking for. Inline result is down. Okay, so now it is stopping. That what I will do that I’ll go to this message. Let us see this message in detail. So here I can see this particular event message in the inline result. In the inline result is down arrow and you can see three times we have done the attack. So that’s why we have three IPS down alerts. Let us read this message thoroughly. It’s coming up.
It’s slow but it will come. Okay, so you can see that we have so many other options as well. But I just wanted to read this message in detail. So let me highlight all those things. So here you can see that it is showing that okay, we have all these messages related to IPS inline drop messages, impact. Also you can see now I just wanted to see this in more detail format. So let me go to the analysis host and the network map. So we have host it is a bit slow. Let me give this some time. So I’m using this analysis and then host and then the network map so we can check that message in detail. We have this network map in network map. I’ll click to host first. Alright, it’s a bit slow. Host inside host 198198 actually I’m looking for one 9819 25 yeah, this particular host.
So I’ll go and click to this particular host. But on the top you can see that we have analysis host, network map, network devices, mobile devices, indication, vulnerabilities, et cetera. So all those messages we have now if I go here and scroll this down, impact attack one impact one intuition, attempted admin, the host was attacked and likely vulnerable. You can see the time stamps as well. Okay, so that’s the thing, I just wanted to highlight that. If you see this in if you want to see this in detail, so you have to go inside the analysis host network map and if I scroll down so you have some other messages, you have this full detail of the enterprise vulnerability.
You can see that it and let me expand this so you can see this properly. A packet and port number and a package start. If you want, you can edit the vulnerability. So this is the way that we can go and check the network map with respect to this particular 25 host. Correct. The other thing we have here is the vulnerability and we have that vulnerability number. If you know that number from that number also we can go and verify. All right, so this was the verification. I hope you understand that how we can verify the attack. And because this is something like IPS. Thing means attack happens in line. Drop it.
