Malware Analysis
To protect a network from the latest malware, Cisco Secure Firewall includes malware defense technology (also known as Advanced Malware Protection, or AMP). This technology enables a threat defense to analyze a file for malware while the file traverses the network. To speed up analysis and conserve resources, the threat defense combines local analysis with cloud lookups and dynamic analysis. Let's take a look at the technologies behind them.
Figure 16-3 illustrates the purpose of each interaction between Secure Firewall and the Cisco clouds.
Figure 16-3 Communications Between Secure Firewall and Cisco Clouds for Malware Analysis
The threat defense calculates the SHA-256 hash (Secure Hash Algorithm, 256-bit) of a file and uses that value to determine the file's disposition: malware, clean, unknown, or unavailable. Because a hash identifies one exact byte sequence, this lookup can only recognize files that have already been seen and classified; that is why the additional engines below exist. The management center caches previous cloud lookups and checks its local cache before it sends a new query to the malware analytics cloud (also known as the AMP cloud). A cache hit returns a result faster and avoids a round trip to the cloud. Depending on the action you select in a file policy, Secure Firewall can perform additional advanced analysis in the following order:
- Spero analysis: The Spero analysis engine examines MSEXE files only. It analyzes the structural metadata and header of an MSEXE file and submits them in the form of a Spero signature to the malware analytics cloud. You can configure a file policy to perform Spero analysis locally without submitting any information to the malware analytics cloud.
- Local analysis: The local analysis engine enables a threat defense to inspect files locally. It uses rules provided by the Cisco Talos threat intelligence group to detect the most common types of malware. Since the analysis is performed locally in the system without sending the query to the malware analytics cloud, the local analysis engine can help save time and resources.
A threat defense uses two types of rulesets for local analysis: high-fidelity rules and pre-classification rules. The management center downloads high-fidelity malware signatures from Talos and disseminates the rulesets to its managed threat defense devices. The threat defense matches the patterns and analyzes files for known malware. It also uses the file pre-classification filters to optimize resource utilization.
- Dynamic analysis: The dynamic analysis feature submits a captured file to the Cisco malware analytics sandbox, which executes it in an isolated environment. Sandboxing can be performed either in the cloud or by way of an on-premises appliance on the local network. Upon analysis, the sandbox returns a threat score that indicates how likely the file is to be malicious. The file policy lets you adjust the threat score threshold, so you define at what score a threat defense treats a file as potential malware.
Dynamic analysis provides an option called capacity handling that allows Secure Firewall to store a file temporarily if the system fails to submit the file to a sandbox environment. Some of the potential reasons for such a failure include communication issues between Secure Firewall and the sandbox (cloud or on-premises) or exceeding the daily file submission limit.
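The following Python model, added here as an illustration and not code from Cisco or from this book, walks a few constructed sample files through the order of operations described above: a SHA-256 disposition lookup that consults a local cache before the "cloud", a local analysis pass over high-fidelity byte patterns, and dynamic analysis with an adjustable threat score threshold and a capacity-handling queue for submissions that fail because the sandbox is unreachable or the daily limit is exhausted. The cloud table, the local rule, the sandbox scoring and the daily limit are all stand-ins constructed for the example; none of them is a real Talos rule, a real disposition, or real malware.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# The four dispositions the page lists for a SHA-256 lookup.
MALWARE, CLEAN, UNKNOWN, UNAVAILABLE = "malware", "clean", "unknown", "unavailable"

# Constructed sample files (none is real malware). The marker strings exist only
# so that the constructed cloud table, local rule and sandbox can react to them.
SAMPLE_FILES = {
    "report.txt":   b"quarterly report, nothing to see here\n",
    "dropper.exe":  b"MZ" + b"\x00" * 30 + b"constructed-known-bad",
    "localhit.bin": b"\x7fELF" + b"constructed-local-rule-pattern",
    "unseen.bin":   b"\x7fELF" + b"constructed-evasive-behaviour",
}


def sha256_hex(data: bytes) -> str:
    """Hash the file exactly as the threat defense keys its disposition lookups."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the malware analytics cloud, keyed by SHA-256.
CLOUD_DISPOSITIONS = {
    sha256_hex(SAMPLE_FILES["dropper.exe"]): MALWARE,
    sha256_hex(SAMPLE_FILES["report.txt"]): CLEAN,
}

# Constructed stand-in for a Talos high-fidelity rule set (not a real rule).
LOCAL_HIGH_FIDELITY_RULES = {"constructed-rule-1": b"constructed-local-rule-pattern"}


@dataclass
class DispositionService:
    """Cache-first lookup: the cloud is queried only for hashes not seen before."""
    cloud: dict
    cache: dict = field(default_factory=dict)
    cloud_queries: int = 0
    cloud_reachable: bool = True

    def lookup(self, sha: str) -> str:
        if sha in self.cache:
            return self.cache[sha]
        if not self.cloud_reachable:
            return UNAVAILABLE          # transport failure: never cache this
        self.cloud_queries += 1
        disp = self.cloud.get(sha, UNKNOWN)
        self.cache[sha] = disp
        return disp


def local_analysis(data: bytes) -> Optional[str]:
    """Return the name of the first matching high-fidelity rule, if any."""
    for name, pattern in LOCAL_HIGH_FIDELITY_RULES.items():
        if pattern in data:
            return name
    return None


@dataclass
class Sandbox:
    """Constructed sandbox: models reachability and a daily submission limit."""
    daily_limit: int = 2
    submitted: int = 0
    reachable: bool = True

    def submit(self, data: bytes) -> int:
        if not self.reachable or self.submitted >= self.daily_limit:
            raise ConnectionError("sandbox submission failed")
        self.submitted += 1
        # A real sandbox detonates the file; this stand-in scores a marker string.
        return 85 if b"constructed-evasive-behaviour" in data else 5


@dataclass
class FilePolicy:
    disposition: DispositionService
    sandbox: Sandbox
    threat_score_threshold: int = 70     # adjustable, as in a file policy
    capacity_queue: list = field(default_factory=list)

    def evaluate(self, name: str, data: bytes) -> tuple:
        """Return (verdict, reason) following the order the text describes."""
        sha = sha256_hex(data)
        disp = self.disposition.lookup(sha)
        if disp in (MALWARE, CLEAN):
            return disp, "disposition lookup"
        rule = local_analysis(data)
        if rule is not None:
            return MALWARE, f"local analysis rule {rule}"
        try:
            score = self.sandbox.submit(data)
        except ConnectionError:
            self.capacity_queue.append((name, sha))   # capacity handling: retry later
            return "pending", "capacity handling"
        verdict = MALWARE if score >= self.threat_score_threshold else CLEAN
        return verdict, f"dynamic analysis threat score {score}"


def run_demo(threshold: int = 70, sandbox_reachable: bool = True, passes: int = 3) -> dict:
    """Evaluate every sample several times; later passes exercise the cache and the limit."""
    policy = FilePolicy(DispositionService(CLOUD_DISPOSITIONS),
                        Sandbox(reachable=sandbox_reachable), threshold)
    results = [{name: policy.evaluate(name, data) for name, data in SAMPLE_FILES.items()}
               for _ in range(passes)]
    return {"passes": results,
            "cloud_queries": policy.disposition.cloud_queries,
            "queued": policy.capacity_queue}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Across three passes the model issues only four cloud queries, one per distinct hash, because every later sighting is answered from the cache. `unseen.bin` is never classified by the cloud or by a local rule, so it goes to the sandbox each time; on the third pass the constructed daily limit is hit and the file lands in the capacity queue instead of being dropped. Raising the threshold to 90 flips the same 85 score to clean, which is the lever the file policy exposes.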
Figure 16-4 shows an architectural workflow of the malware analysis techniques on Secure Firewall.
Figure 16-4 Architecture of the Malware Defense Technology