“There are too many firewall features available today; I am using Cisco ASA as an example for this firewall topic.” Cisco ASA is a versatile network security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. Cisco ASA is designed to protect networks and ensure secure communications and data transfer.
Cisco ASA Log Parameters:
- %ASA- Syslog ID: Unique identifier for the type of message logged.
- Action: Specifies what action the ASA took (e.g., permit, deny, drop).
- Source IP/Destination IP: IP addresses involved in the traffic.
- Source Port/Destination Port: Port numbers involved in the traffic.
- Protocol: Network protocol used (e.g., TCP, UDP).
- Interface: The network interface involved (e.g., inside, outside).
- Severity Level: Indicates the severity of the event.
- Timestamp: Date and time when the event occurred.
- Syslog Message: The descriptive message providing context about the event.
Use Cases for SIEM:
Unauthorized Access Attempt Detection
- Objective: Detect and alert on unauthorized access attempts to secure resources.
- Method: Configure SIEM to alert when Cisco ASA logs a “deny” action on critical ports or IP addresses. Monitor for repeated denied access attempts from the same source IP to identify potential threats or brute-force attacks.
- MITRE: T1110 (Brute Force), T1078 (Valid Accounts), T1199 (Trusted Relationship), T1046 (Network Service Scanning)
External Threat Detection
- Objective: Identify potential external attacks such as scanning or probing from foreign IP addresses.
- Method: Set up SIEM rules to monitor for high volumes of “deny” actions from external IPs across various ports and protocols. Alert when thresholds exceed normal activity levels to detect scanning or other reconnaissance activities.
- MITRE: T1595 (Active Scanning), T1590 (Gather Victim Network Information)
Inside Threat Monitoring
- Objective: Monitor for potentially malicious activity originating from inside the network.
- Method: Analyze logs for traffic patterns that involve high-risk protocols or destination ports from internal sources going out. Look for unusual large data transfers or access to uncommon external destinations.
- MITRE: Various MITRE Technique (T1078, T1057, T1049, T1039, T1048, T1020, T1018, T1567, T1564, T1496)
Compliance with Security Policies
- Objective: Ensure all network traffic complies with organizational security policies.
- Method: Utilize SIEM to track and report on all “permit” and “deny” actions taken by Cisco ASA, focusing on compliance with established firewall rules and security policies. Regular reports can help identify deviations and necessary policy adjustments.
- MITRE: T1562.004 (Impair Defenses: Disable or Modify System Firewall), T1592.002 (Gather Victim Network Information: Network Configuration)
DDoS Detection
- Objective: Detect and mitigate Distributed Denial of Service (DDoS) attacks.
- Method: Configure SIEM to detect abnormal increases in traffic volume that do not correlate with normal usage patterns, especially when involving critical resources. Alert on sustained high rates of denied inbound connections, which could indicate a DDoS attack in progress.
- MITRE: T1498 (Network Denial of Service)
author : hendryadrian.com