Category Archives for "Security"

Capture w/Trace in Firepower Threat Defense

A few days ago I wrote an article demonstrating the Packet Tracer feature for troubleshooting Firepower Threat Defense. Another very cool tool for troubleshooting is the Capture w/Trace Feature. The power of this tool comes from both capturing a PCAP file (for Wireshark or your tool of choice) and a separate window pane that has a view of the device operation (very similar to the Packet Tracer output).

Similar to Packet Tracer, to initiate Capture w/Trace in the Firepower Management Console, choose ‘Devices‘ then ‘Device Management‘. Next, select the device that you want to perform the operation and select the icon that looks like a screwdriver and wrench.

[Image: DevDevMgmt]

This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.

[Image: AdvTroubleshoot]

Select the Capture w/Trace tab. The Add Capture button will allow for selection of filter criteria for the capture.

[Image: CapturewTrace]

[Image: Add Capture (AddCapture)]

After filling out this information and choosing “Save“, an entry will be created for Continue reading

What is FlexConfig in Firepower Threat Defense?

Earlier this year, Cisco released Firepower 6.2.0. With that release came a feature called FlexConfig. Someone digging around the UI might not initially understand the purpose or function of this configuration option. The quick answer is that the user interface is incomplete when compared to the underlying feature capability found in Firepower Threat Defense.

A good way to better understand FlexConfig is to work through an example. Those with an ASA background will be familiar with the Modular Policy Framework (MPF). This feature exists in Firepower Threat Defense, but its non-default configuration options are absent from the user interface. So if there is a need for a specific configuration, FlexConfig is the tool to complete the task. One use case might be the need to disable SIP inspection. In the ASA configuration, this would typically be as simple as the following.

policy-map global_policy
 class inspection_default
  no inspect sip  

Since the Firepower Management Console is GUI driven and is the UI for FTD, typing this at a CLI is not an option. Ideally, there would be a complete menu system and API. Since this is not currently the case, FlexConfig is the tool that provides an override of the defaults that aren’t exposed in the UI.

The Real Need for Cybersecurity

According to the US Department of Homeland Security, “Our daily life, economic vitality, and national security depend on a stable, safe, and resilient cyberspace.” Digital infrastructure has infiltrated most aspects of our daily lives. When you start thinking about this in depth, it is easy to see how quickly things can turn ugly.

Have you ever considered what would happen if our power grid was attacked? Beyond some of the domino effects the power grid itself has, think about the work to bring it back online. We are all accustomed to managing systems with other systems. A widespread power issue could create some very interesting chicken and egg problems.

Maybe some are smug enough to think they cannot be affected–they have built resilient systems and have a diesel generator. Ever consider the likelihood of that fuel supply being available for the long term if there’s no electricity? The affected part of the world would be so challenged by such an event that everyone would be impacted, directly and indirectly. No power, no computers, no network and no ability to transact business in the ways that we are accustomed to. In other words, the possibility of impacting the physiological layer of Maslow’s pyramid Continue reading

Networking Challenges in OpenStack Clouds

Did you decide that it is time to implement OpenStack to build your cloud? Have you tested it in the lab, evaluated the many distributions available and hired specialized OpenStack resources? And yet, when the environment goes into production, Neutron does not integrate with the physical network?

If the above story closely resembles what you have faced, this post will reveal the many networking challenges that come with any OpenStack distribution and how VMware NSX is the missing piece for your cloud.

Networking and Security Challenges with OpenStack

Since its creation, the biggest challenges of OpenStack cloud implementations have been the automation, integration and orchestration of the required networking and security components at the physical infrastructure layer. The main difficulty is that these environments are extremely heterogeneous and most of the devices do not have an open and programmable interface for configuration. Thus, the initial way of running OpenStack was to pre-provision the network manually and use only basic functionality when implementing security services.

With the rise of Network Virtualization solutions and evolution of Open vSwitch, some of these challenges were solved, making it possible to create an abstraction layer from the physical elements of infrastructure and automate the virtual network through the programmable interface Continue reading

Three Issues of Being a Part-Time Security Professional

In Information Technology, we commonly hear the mantra of “doing more with less.” That may sound great, and in some cases it can actually be beneficial. It obviously drives the requirement of streamlining performance and the simplification of processes. It can drive innovators to innovate and the attrition of unnecessary systems. The predominant reason for this philosophy is cost cutting.

My argument would generally be that IT should NOT simply be keeping the lights on; it should be adding value by creating competitive differentiators for the business. Being able to execute on that effectively SHOULD change the way IT is viewed by the rest of the leadership team. One particular concern I have with businesses that continue aggressively down this path of cost cutting (or don’t properly fund IT initially) is cybersecurity.

In many cases smaller shops, or shops that don’t fully understand the risks, tend to place their technical team members into split roles. Maybe the view is that someone should be a part-time security person and a part-time network or system administrator. This introduces several concerns and I wanted to quickly share three that are top of mind.

Issue One — What do I Continue reading

Burner laptops for DEF CON

Hacker summer camp (Defcon, Blackhat, BSidesLV) is upon us, so I thought I'd write up some quick notes about bringing a "burner" laptop. Chrome is your best choice in terms of security, but I need Windows/Linux tools, so I got a Windows laptop.

I chose the Asus e200ha for $199 from Amazon with free (and fast) shipping. There are similar notebooks with roughly the same hardware and price from other manufacturers (HP, Dell, etc.), so I'm not sure how this compares against those other ones. However, it fits my needs as a "burner" laptop, namely:
  • cheap
  • lasts 10 hours easily on battery
  • weighs 2.2 pounds (1 kilogram)
  • 11.6 inch and thin
Some other specs are:
  • 4 gigs of RAM
  • 32 gigs of eMMC flash memory
  • quad core 1.44 GHz Intel Atom CPU
  • Windows 10
  • free Microsoft Office 365 for one year
  • good, large keyboard
  • good, large touchpad
  • USB 3.0
  • microSD
  • WiFi ac
  • no fans, completely silent
There are compromises, of course.
  • The Atom CPU is slow, though it's only noticeable when churning through heavy webpages. Adblocking addons or Brave are a necessity. Most things are usably fast, such as using Microsoft Word.
  • Crappy sound and Continue reading

Packet Tracer in Firepower Threat Defense

I wanted to share a quick post on a feature that I have found incredibly useful on the ASA and has been extended to Firepower Threat Defense. The feature is called Packet Tracer and is an easy way to apply “packet walk” logic to a flow that would be initiated through the platform. Like most things FTD, the Firepower Management Console is the point of contact for initiating the process.

To initiate Packet Tracer in FTD, open the Firepower Management Console and choose ‘Devices‘ then ‘Device Management‘. Next, select the device that you want to perform the operation and select the icon that looks like a screwdriver and wrench.

[Image: DevDevMgmt]

This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.

[Image: AdvTroubleshoot]

Selecting the Packet Tracer tab will allow for input like Source/Destination, Protocol, Port, SGT, etc.

[Image: PacketTracer]

After filling out this information and choosing “Start“, the synthetic packet is put through the same process as the initial packet of a new connection. The resulting packet walk is shown in an expandable tree view or as raw text (user selectable).

[Image: Tree View (TreeView)]

Yet more reasons to disagree with experts on nPetya

In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could take damage and still return. The undamaged areas are where they were hit and couldn't return. Thus, it's the undamaged areas you need to protect.

This is called survivorship bias.

Many experts are making the same mistake with regards to the nPetya ransomware. 

I hate to point this out, because they are all experts I admire and respect, especially @MalwareJake, but it's still an error. An example is this tweet:


The context of this tweet is the discussion of why nPetya was well written with regards to spreading, but full of bugs with regards to collecting on the ransom. The conclusion therefore that it wasn't intended to be ransomware, but was intended Continue reading

Latest Ransomware Techniques Show Need for Layered Security

I think everyone that touches security has had multiple conversations about the hardened edge and soft center commonly found in networks. This usually accompanies some discussion around the overlapping concepts of defense in depth, layered security and security ecosystems. It seems like many of the recent exploits have used a C2 connection for instructions. In those cases, assuming a perfect NGFW product and configuration actually existed that caught 100% of the malicious traffic, it would have the capability to impact those attacks.

However, on June 27, Cisco Talos published an article about a ransomware variant known as Nyetya. As of today, Talos has found no evidence of the more common initial infection vehicles. Both Cisco and Microsoft have cited the upgrade process for a tax accounting package as the initial point of infection.

Per Cisco Talos:

The identification of the initial vector is still under investigation. We have observed no use of email or Office documents as a delivery mechanism for this malware. We believe that infections are associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos is investigating this currently.

So what does this mean to the majority of the world that Continue reading