Threat Trends: Firewall – Cisco Blogs



Nowadays, defending the network perimeter is a foregone conclusion. However, there is no longer a single monolithic perimeter; there are often several perimeters to protect. Unauthorized attempts to cross those perimeters are frequent, and the need to defend against threats is critical to protecting your assets.
In any perimeter defense a key component is the firewall, the proverbial guard tower in your fortifications. Firewalls are primarily responsible for controlling and inspecting the traffic entering, and leaving, the network. And when they encounter unauthorized traffic or threats, they protect the network.
In this Threat Trends release, we'll be looking at Cisco Secure Firewall. Specifically, we'll be talking about its Secure IPS component and the Snort rules it uses, examining what is commonly encountered and blocked.
To do this, we'll look at Snort telemetry coming from Secure Firewalls, examine the most frequently encountered rules and rule categories, and consider these rules through the lens of the MITRE ATT&CK framework. The goal is to highlight the common threats that organizations encounter and block with Secure Firewall.
Snort and detection policies
Before diving into the telemetry, let's briefly cover how Snort rules are used within Secure Firewall. (A detailed explanation of Snort rules can be found in the Snort FAQ.)
Secure Firewall version 7.0 supports Snort 3 as the default inspection engine. Snort 3 provides better performance and scalability than its predecessor, Snort 2, using less memory and supporting more intrusion rules and a larger network map.
Snort is highly configurable, offering tens of thousands of rules to detect different types of activity. However, simply enabling all of them is not recommended: doing so would not only result in an unmanageable tsunami of alerts but could drastically impact network performance.
To make managing rulesets easier, Snort rules are organized into policies. There are four base policies available to help with initial configuration and operation, though you can also create your own. The four base policies, in order of decreasing permissiveness, are:

Connectivity over Security
Balanced
Security over Connectivity
Maximum Detection

Each policy adds more rulesets as permissiveness decreases. The "Connectivity over Security" policy is included in "Balanced" along with additional rulesets. The "Connectivity over Security" and "Balanced" rules are in turn included in "Security over Connectivity," together with further rulesets, and so on.
Which policy you choose depends on the environment you're protecting. Cisco recommends using the Balanced policy in most environments to get the best mix of security with the lowest number of false positive alerts. However, you may want to consider the other policies, depending on where the firewall is deployed. (Secure Firewall even offers automated recommendations to tune your ruleset to your environment, reducing false positives and improving network performance.)
The final policy, Maximum Detection, is primarily designed for testing environments, since it can lead to a high number of false positive alerts. For this reason we don't recommend that customers enable this policy in production.
Finally, there are rules that don't belong to any policy. These rules can be added to custom policies tailored for specific situations, and can be located by searching for product names, CVEs, or other keywords.
The goal of this analysis is to showcase the common threats that organizations encountered and blocked with Secure Firewall between April and September 2021 (Q2-Q3 2021). To do this, we've examined product telemetry that organizations have shared with us on an opt-in basis, which was anonymized and aggregated before the analysis was carried out.
The Snort rules we're looking at are the standard text rules and Shared Object rules, both provided by Talos Intelligence. It's worth noting that Snort and Secure IPS are just one component used by Secure Firewall to detect threats. There are other security mechanisms, such as Malware Defense, that can block further threats.
Since we want to see which threats organizations frequently encounter, we're analyzing rules in policies 1-3 described above, filtering out rules from the Maximum Detection policy and those that don't belong to any policy. Since the lion's share of deployments use one of these three policies, this gives a clearer picture of what most organizations are facing, while also filtering out most false positives.
When blocking malicious activity, different rules and attacks produce different numbers of alerts, which can make comparing them difficult. For example, the alerts produced by one firewall under a DDoS attack can easily dwarf the number of alerts generated by a single exploit that hits hundreds of organizations. Simply looking at the raw numbers in this case would give the false impression that DDoS attacks have a far greater impact across the base of organizations.
To address this, we'll use distinct counts of organizations encountering rules. If a rule triggers at a particular organization, we count that organization only once. This not only reduces the impact of noisy alerts in the data, but also lets us show what percentage of organizations encountered a particular rule. In essence, we can say that X percent of organizations encountered a particular rule between April and September.
Finally, the trends discussed here show what Secure Firewall is detecting. This may sound self-evident, but it's important to note that what is seen is not necessarily indicative of the larger threat landscape. A firewall is likely to see more of a particular type of attack, while an endpoint security application will see more of something different, as would an email gateway.
To start, let's look at Tactics and Techniques from the MITRE ATT&CK framework. Many of the rules released in the last few years, as well as older, frequently encountered rules, have been mapped to MITRE ATT&CK. (However, as the mapping is only partial, the following should be taken as conservative estimates.)
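As an added illustration (not code from the original post or from Talos), the following Python models the distinct-organization counting described above together with the policy filtering from the previous paragraphs. The alert records and the rule-to-policy map are constructed, not real telemetry.

```python
from collections import defaultdict

# Constructed sample telemetry (not real Talos data): records are (org_id, rule_sid).
# SIDs above 1,000,000 sit in Snort's local-rule range, so they cannot be
# mistaken for shipped Talos rules.
SAMPLE_ALERTS = (
    [("org-1", "1:1000001"), ("org-2", "1:1000001"),
     ("org-3", "1:1000001"), ("org-4", "1:1000001")]  # one exploit, four orgs
    + [("org-5", "1:1000002")] * 5000                  # one org, flood of alerts
    + [("org-2", "1:1000003")] * 2                     # rule outside any base policy
)
# Constructed rule -> base policy map; None means the rule is in no policy.
RULE_POLICY = {"1:1000001": "connectivity-over-security",
               "1:1000002": "balanced", "1:1000003": None}
BASE_POLICIES = {"connectivity-over-security", "balanced", "security-over-connectivity"}

def filter_to_base_policies(alerts, rule_policy=RULE_POLICY):
    """Keep alerts from rules in policies 1-3 only; Maximum Detection rules and
    rules outside any policy are dropped, mirroring the post's methodology."""
    return [(org, sid) for org, sid in alerts if rule_policy.get(sid) in BASE_POLICIES]

def raw_alert_counts(alerts):
    """Naive view: total alerts per rule, no matter which org sent them."""
    counts = defaultdict(int)
    for _org, sid in alerts:
        counts[sid] += 1
    return dict(counts)

def org_prevalence(alerts):
    """Distinct-count view: percentage of organizations in the telemetry that saw
    each rule at least once (an org counts once per rule, however noisy it is)."""
    orgs_per_rule, all_orgs = defaultdict(set), set()
    for org, sid in alerts:
        orgs_per_rule[sid].add(org)
        all_orgs.add(org)
    return {sid: round(100.0 * len(orgs) / len(all_orgs), 1)
            for sid, orgs in orgs_per_rule.items()}

def ranked_rules(alerts):
    """Rules ordered by share of organizations affected (ties broken by SID)."""
    return sorted(org_prevalence(alerts).items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    kept = filter_to_base_policies(SAMPLE_ALERTS)
    print("raw alert counts:", raw_alert_counts(kept))   # flood rule dominates
    print("org prevalence:", ranked_rules(kept))         # exploit rule leads
```

The raw view ranks the single flooding organization first; the distinct-count view ranks the exploit that reached four of five organizations first, which is the comparison the methodology is designed to make.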

Tactic [ID], with the percent of organizations where the text states it, and the techniques seen (in order of frequency):

Initial Access [TA0001] (90.9 percent of organizations): Exploit Public-Facing Application [T1190]; Drive-by Compromise [T1189]; Valid Accounts [T1178]; Phishing [T1566]
Execution [TA0002] (64.2 percent): Native API [T1106]; Command and Scripting Interpreter [T1059]; User Execution [T1204]; Shared Modules [T1129]; Windows Management Instrumentation [T1047]
Command & Control [TA0011] (48.7 percent): Web Service [T1102]; Dynamic Resolution [T1568]
Discovery [TA0007]: File and Directory Discovery [T1083]; Application Window Discovery [T1010]; Network Service Scanning [T1046]; Remote System Discovery [T1018]; Network Sniffing [T1040]; Account Discovery [T1087]
Credential Access [TA0006]: OS Credential Dumping [T1003]; Unsecured Credentials [T1552]; Network Sniffing [T1040]; Forced Authentication [T1187]; Input Capture [T1056]
Privilege Escalation [TA0004]: Exploitation for Privilege Escalation [T1086]; Access Token Manipulation [T1134]; Hijack Execution Flow [T1574]; Valid Accounts [T1078]
Defense Evasion [TA0005]: Access Token Manipulation [T1134]; Obfuscated Files or Information [T1027]; Deobfuscate/Decode Files or Information [T1140]; Rootkit [T1014]; Signed Binary Proxy Execution [T1218]; Hijack Execution Flow [T1574]; Valid Accounts [T1078]; XSL Script Processing [T1220]; Use Alternate Authentication Material [T1550]
Impact [TA0040]: Resource Hijacking [T1496]
Persistence [TA0003]: Hijack Execution Flow [T1574]; Valid Accounts [T1078]; Browser Extensions [T1176]; Server Software Component [T1505]
Lateral Movement [TA0008]: Remote Services [T1021]; Use Alternate Authentication Material [T1550]
Exfiltration [TA0010]: Automated Exfiltration [T1020]; Exfiltration Over C2 Channel [T1041]
Collection [TA0009]: Input Capture [T1056]

Naturally, a firewall is more likely to see Initial Access attempts given its position on the network perimeter, and 90.9 percent of organizations saw alerts for this tactic. Organizations saw exploit attempts against public-facing applications such as Apache Struts, Bash, and Exchange Servers. Drive-by Compromise techniques, such as connection attempts to spoofed websites and SMB share access attempts, were also frequently encountered.
Execution attempts were seen by 64.2 percent of organizations. Common rules that alerted on such activity covered vulnerabilities in content management systems (CMSes), the Zeroshell Linux vulnerability, and an Apache Struts code execution vulnerability. (Apache Struts also features prominently under Privilege Escalation and Defense Evasion.)
Command and Control activity came in third, with 48.7 percent of organizations seeing traffic of this type. Much of this traffic consists of suspicious DNS queries that point to known or likely Command and Control sites.
Discovery tactics, such as attempting to traverse management files in a CMS, were frequently seen. DNS BIND information disclosure attempts were also commonly encountered.
In the Credential Access tactic, credential dumping attacks appear to be targeting routers and IoT devices such as CCTV cameras. In particular, organizations saw alerts for attempts to exploit vulnerabilities that can expose admin credentials, or attempts to access PHP configuration files.
Snort categories
Now we'll drill down deeper into the ruleset and talk about some of the frequently encountered rules. To do this, we'll examine the various rule categories in Snort. Beyond the policies described above, Snort rules are also organized into categories that group similar rules together. These category groups can then be enabled and disabled in Secure Firewall as needed.
So let's talk about some of the most commonly encountered categories and the rules in them.
Our most common category largely lines up with the most encountered MITRE ATT&CK technique, Exploit Public-Facing Application. This category is also one of the more varied of the bunch, including rules to detect unwelcome connections to a wide variety of applications.

CMSes were a popular target. Alerts for a vulnerability in PHPUnit, a widely used PHP testing framework relied on by many CMSes, and alerts for a vulnerability in the Drupal CMS framework were often seen.
Alerts for vulnerabilities in the web interfaces or authentication processes of several routers and IoT devices were a regular occurrence. Unsurprisingly, the most recent vulnerability is associated with the Hafnium attacks discovered last March, which exploited Microsoft Exchange zero-day vulnerabilities.
Most alerts seen in this category during this timeframe came from rules designed to detect a group of vulnerabilities known as ShellShock. These vulnerabilities can give an attacker unauthorized access to vulnerable operating systems that use Bash.

Why are a series of exploits from 2014 showing up so prominently in 2021? It's likely because these old vulnerabilities have made their way into automated scanners or botnets that hit every open HTTP server they can find and launch a laundry list of exploits.
A few SSL-related exploits make up much of the activity in this category, in particular the Heartbleed vulnerability from 2014. Like ShellShock, the exploit for this vulnerability is present in many automated hacking tools.

Rule description | CVEs (if applicable)
OpenSSL TLSv1.1 heartbeat read overrun attempt |

The alerts seen in this category are predominantly made up of vulnerabilities in Apache Struts.

Alerts in the SQL category tend to focus on injection attempts. However, few of these have CVEs assigned to them, likely because they result from poor database security practices rather than an inherent flaw in the software itself.

Rule description | CVEs (if applicable)
url ending in comment characters - possible sql injection attempt |
1 = 1 - possible sql injection attempt |
generic sql with comments injection attempt - GET parameter |
HTTP URI blind injection attempt |
1 = 0 - possible sql injection attempt |
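The following Python is an added example, not from the post or from Talos: it approximates the five rule descriptions above as checks run over constructed request URIs, so a defender can see what each pattern catches and that ordinary requests pass. The patterns are illustrative approximations, not the actual rule bodies.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed detection checks modelled on the rule descriptions in the table
# above; they are illustrative approximations, not the Talos rule bodies.
CHECKS = [
    ("url ending in comment characters", re.compile(r"(--|#|/\*)\s*$")),
    ("1 = 1 - possible sql injection", re.compile(r"(^|\W)1\s*=\s*1(\W|$)")),
    ("1 = 0 - possible sql injection", re.compile(r"(^|\W)1\s*=\s*0(\W|$)")),
    ("generic sql with comments - GET parameter",
     re.compile(r"\b(union|select|or|and)\b[^;]*(/\*|--|#)", re.I)),
    ("blind injection probe",
     re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)),
]

def inspect_uri(raw_uri):
    """Return the names of the checks matching one request URI. The URI is
    percent-decoded first (the encoded form is what usually arrives), the
    comment-termination check runs on the whole decoded URI, and the remaining
    checks run on each GET parameter value separately."""
    decoded = unquote_plus(raw_uri)
    hits = []
    if CHECKS[0][1].search(decoded):
        hits.append(CHECKS[0][0])
    for _param, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        for name, pattern in CHECKS[1:]:
            if name not in hits and pattern.search(value):
                hits.append(name)
    return hits

def scan_requests(uris):
    """Map each flagged URI to the checks it triggered; clean URIs are omitted."""
    return {uri: hits for uri, hits in ((u, inspect_uri(u)) for u in uris) if hits}

# Constructed sample requests (not captured traffic): four probes and two
# ordinary requests, to show both the hits and the absence of false positives.
SAMPLE_REQUESTS = [
    "/item.php?id=1'%20or%201=1--",
    "/search?q=shoes&page=10",
    "/item.php?id=5%20and%201=0",
    "/login?user=admin'%20or%201=1/*&pass=x",
    "/api?id=1%20and%20sleep(5)",
    "/docs/index.html",
]

if __name__ == "__main__":
    for uri, hits in scan_requests(SAMPLE_REQUESTS).items():
        print(uri, "->", hits)
```

Real rules match on normalized HTTP buffers rather than raw strings, which is why IPS tuning (covered below) matters: a check like the comment-termination one fires on any URI ending in those characters, not only on injection attempts.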

Other categories
While this summarizes some of the most seen categories, there are many other categories beyond these. For example, CNC traffic from botnets such as Ursnif, Remcos, and Lokibot appeared in the MALWARE-CNC category. And SMB exploits and overflow attempts featured often in OS-WINDOWS.
Defending the perimeter
At this point it may seem as if network perimeters are under constant attack. While that is largely true, it does vary between organizations and depends on which specific perimeter the firewall is defending. Some see thousands of alerts a day and others just a few.
It's important to note that many organizations may not use the applications or devices that Secure Firewall can alert on. That is why IPS tuning is important to reduce analyst alert fatigue. The fact is that many exploit attempts are carried out in an automated fashion, where the attacker launches a tool containing many exploits. In these cases, they're most likely trying to see what works for future attacks.
Beyond this, it's important to carefully consider which systems and applications are public-facing. Be sure to keep these systems up to date with the latest patches as soon as possible, to avoid compromise when a new vulnerability is discovered.
Finally, a firewall with IPS capabilities, such as Cisco Secure Firewall, can go a long way towards blocking these attacks.