Security: Cisco AMP, Cisco ThreatGrid

Cisco Threat Grid is a company acquired by Cisco. The Threat Grid solution analyzes malware in a sandbox using threat intelligence data (from Cisco Umbrella, for example a flag on a domain marking it as a C&C server). Threat Grid is integrated with Cisco CTA (see netflow/stealthwatch for details) and with Cisco AMP for Endpoints. It lets you understand what your malware resembles (category and similar samples), what harm it can potentially do, its signatures, and other information related to the threat.


Cisco AMP (Advanced Malware Protection)
Checks a file for malicious content by hash. If the hash is not found, TG (Threat Grid) allows the file to be checked in a cloud sandbox (requires a separate paid TG account).

Overview of Advanced Malware Protection
The Cisco Advanced Malware Protection is composed of three processes:

File Reputation: The process of computing a 256-bit Secure Hash Algorithm (SHA-256) hash of the file, comparing it against the Advanced Malware Protection (AMP) cloud server and retrieving its threat intelligence information. The response can be Clean, Unknown, or Malicious. If the response is Unknown, and if File Analysis is configured, the file is automatically submitted for further analysis.

File Analysis: The process of submitting an Unknown file to the Threat Grid (TG) cloud for detonation in a sandbox environment. During detonation, the sandbox captures artifacts and observes behaviors of the file, then gives the file an overall score. Based on the observations and score, Threat Grid may change the threat response to Clean or Malicious. Threat Grid’s findings are reported back to the AMP cloud, so that all AMP customers will be protected against newly discovered malware.

Note: File analysis requires a separate Threat Grid account. For information about purchasing a Threat Grid account, contact your Cisco representative.

Retrospective: By maintaining information about files even after they are downloaded, we can report on files that were determined to be malicious after they were downloaded. The disposition of the files could change based on the new threat intelligence gained by the AMP cloud. This re-classification will generate automatic retrospective notifications.
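The three stages above as a constructed simulation (an added example, not Cisco's code or API): a SHA-256 reputation lookup against an in-memory stand-in for the AMP cloud, sandbox analysis of Unknown files with an assumed score threshold, and a retrospective pass that returns a notification for every previously seen file whose disposition has changed.

```python
"""Constructed simulation of the AMP File Reputation / File Analysis / Retrospective flow."""
import hashlib
from dataclasses import dataclass, field

CLEAN, UNKNOWN, MALICIOUS = "Clean", "Unknown", "Malicious"


def sha256_hex(data: bytes) -> str:
    """File Reputation keys everything on the SHA-256 of the file content."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class AmpSimulator:
    # Stand-in for the AMP cloud reputation database: sha256 -> disposition (constructed).
    reputation: dict
    # Assumed sandbox score at or above which Threat Grid reports Malicious.
    malicious_threshold: int = 90
    # Local record of every file seen and its last reported disposition (for retrospection).
    seen: dict = field(default_factory=dict)

    def file_reputation(self, data: bytes) -> str:
        """Stage 1: hash the file and look the hash up in the (simulated) AMP cloud."""
        digest = sha256_hex(data)
        disposition = self.reputation.get(digest, UNKNOWN)
        self.seen[digest] = disposition
        return disposition

    def file_analysis(self, data: bytes, sandbox_score: int) -> str:
        """Stage 2: an Unknown file is detonated; sandbox_score is a constructed stand-in
        for the Threat Grid result. The verdict is fed back to the cloud for everyone."""
        digest = sha256_hex(data)
        verdict = MALICIOUS if sandbox_score >= self.malicious_threshold else CLEAN
        self.reputation[digest] = verdict
        self.seen[digest] = verdict
        return verdict

    def scan(self, data: bytes, sandbox_score=None) -> str:
        """Reputation first; only an Unknown file (with analysis configured) goes to the sandbox."""
        disposition = self.file_reputation(data)
        if disposition == UNKNOWN and sandbox_score is not None:
            disposition = self.file_analysis(data, sandbox_score)
        return disposition

    def retrospective(self) -> list:
        """Stage 3: re-check every seen file against current intelligence and return
        (sha256, old_disposition, new_disposition) for each file whose verdict changed."""
        changed = []
        for digest, old in self.seen.items():
            new = self.reputation.get(digest, UNKNOWN)
            if new != old:
                self.seen[digest] = new
                changed.append((digest, old, new))
        return changed
```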
