The Cisco ASA Cyber Threat Defense solution is made up of 3 components. The first is a basic network threat detection tool that is enabled by default on all ASAs with 8.0(2) or later firmware. Basic threat detection monitors the rate at which packets are dropped by the ASA device. Because it only monitors dropped packets across the whole appliance, it typically does not reveal the source or nature of a malicious threat, but it can be a sign that some sort of nefarious activity is occurring, and it can be very useful for internet threat defense when exported to a logging tool using NSEL or syslogs.
Basic cyber threat detection looks for the following events:
- ACL Drop (acl-drop)—Packets are denied by access lists
- Bad Pkts (bad-packet-drop)—Invalid packet formats, including L3 and L4 headers that do not conform to RFC standards
- Conn Limit (conn-limit-drop)—Packets that exceed a configured or global connection limit
- DoS Attack (dos-drop)—Denial of Service (DoS) attacks
- Firewall (fw-drop)—Basic firewall security checks
- ICMP Attack (icmp-drop)—Suspicious ICMP packets
- Inspect (inspect-drop)—Denial by application inspection
- Interface (interface-drop)—Packets dropped by interface checks
- Scanning (scanning-threat)—Network/host scanning attacks
- SYN Attack (syn-attack)—Incomplete session attacks, including TCP SYN attacks and UDP sessions with no data
For each event, there is a set of rates that must be exceeded before it is considered a threat. There are both burst rates and average rates that range from seconds to 30 days depending on the event. The average, current, and total number of events for each threat category can be seen with the show threat-detection rate command. Basic threat detection does not take any actions to stop the offending traffic or prevent future attacks.
The 2nd component is called Advanced Threat Detection and, unlike the first component, can track more granular objects such as host IP, ports, protocols, ACL, and servers protected by TCP intercept. By default this is only set up for ACL statistics and keeps track of the top 10 ACEs (both permit and deny) that were hit the most within a specific time period. When enabled for host, port, and protocol objects, threat detection will look for packets, bytes, and drops that were both sent and received by that object within a specific time period. Like Basic Threat Detection, Advanced Threat Detection is purely informational. No proactive actions are taken to block traffic based on the Advanced Threat Detection statistics.
The 3rd component is called Scanning Threat Detection and is used to keep track of suspected attackers who create connections to many hosts in a subnet, or many ports on a host/subnet. This functionality is disabled by default and is very similar to Basic Threat Detection, except that it maintains a database of attacker and target IP addresses that can help provide more context around the hosts involved in the scan. This is the only level of threat detection that can react to an attack by blocking the attacker's IP address.
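As an added example (not from the original article or from Cisco), this Python code triages threat-detection syslogs once they reach a logging tool, combining the burst/average rate alerts of basic threat detection with the attacker and shun records of scanning threat detection. The message IDs 733100, 733101 and 733102 and their layouts are assumed from Cisco's syslog documentation; the log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines; message layouts are assumed from Cisco's syslog docs.
SAMPLE_LOG = """\
Jan 10 09:14:02 asa1 %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 245 per second, max configured rate is 5; Cumulative total count is 147409
Jan 10 09:14:02 asa1 %ASA-4-733101: Host 192.0.2.10 is attacking. Current burst rate is 200 per second, max configured rate is 0; Current average rate is 0 per second, max configured rate is 0; Cumulative total count is 2024
Jan 10 09:14:03 asa1 %ASA-4-733102: Threat-detection adds host 192.0.2.10 to shun list
Jan 10 09:20:41 asa1 %ASA-4-733100: [ ACL drop] drop rate-2 exceeded. Current burst rate is 3 per second, max configured rate is 800; Current average rate is 450 per second, max configured rate is 320; Cumulative total count is 812345
Jan 10 09:21:00 host2 cron[411]: constructed noise line from another source
"""

RATES = (r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
         r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
         r"Cumulative total count is (?P<total>\d+)")
BASIC = re.compile(r"%ASA-4-733100: \[\s*(?P<cat>[^\]]+?)\s*\] drop rate-(?P<rid>\d+) exceeded\. " + RATES)
HOST = re.compile(r"%ASA-4-733101: (?P<kind>\w+) (?P<obj>\S+) is (?P<role>attacking|targeted)\. " + RATES)
SHUN = re.compile(r"%ASA-4-733102: Threat-detection adds host (?P<ip>\S+) to shun list")


def triage(log_text):
    """Return (rate_alerts, hosts) extracted from ASA threat-detection syslog lines."""
    alerts = []
    hosts = defaultdict(lambda: {"role": None, "shunned": False})
    for line in log_text.splitlines():
        if m := BASIC.search(line):
            g = m.groupdict()
            # Record which threshold tripped: burst, average, or both.
            tripped = [name for name, cur, lim in (("burst", g["burst"], g["burst_max"]),
                                                   ("average", g["avg"], g["avg_max"]))
                       if int(cur) >= int(lim)]
            alerts.append((g["cat"], int(g["rid"]), tripped, int(g["total"])))
        elif m := HOST.search(line):
            # Scanning threat detection names the attacker or the target.
            hosts[m["obj"]]["role"] = m["role"]
        elif m := SHUN.search(line):
            # Only scanning threat detection can block (shun) a host.
            hosts[m["ip"]]["shunned"] = True
    return alerts, dict(hosts)


if __name__ == "__main__":
    rate_alerts, host_state = triage(SAMPLE_LOG)
    for alert in rate_alerts:
        print("rate alert:", alert)
    print("hosts:", host_state)
```

A category-wide alert with no matching host record is what basic threat detection alone produces; the host and shun entries only appear once scanning threat detection is enabled.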
Although firewalls like the ASA are often a company’s best defense mechanism against advanced threats, their signature matching approach doesn’t stop them all. Using a tool to check the host reputation of IPs on a network using the Cisco ASA’s NetFlow data can provide an extra threat detection mechanism. While in the past many organizations have used packet captures to look for suspicious connections, attacks are starting to get much more complicated. When you consider that most connections used by malware are encrypted, the NetFlow vs. packet capture debate becomes almost moot.
By the way, most advanced persistent threat intrusions are actually detected by 3rd parties such as law enforcement agencies, and by that point a lot of valuable intellectual property could have been lost. A good network traffic monitoring tool will not only provide insight into historical flow data on the threat, but also aggregate logs from devices to perform even deeper network threat detection services.