Use Case: ACC—Path of Information Discovery

The ACC has a wealth of information that you can use as a starting point for analyzing network traffic. Let’s look at an example on using the ACC to uncover events of interest. This example illustrates how you can use the ACC to ensure that legitimate users can be held accountable for their actions, detect and track unauthorized activity, and detect and diagnose compromised hosts and vulnerable systems on your network.
The widgets and filters in the ACC give you the capability to analyze the data and filter the views based on events of interest or concern. You can trace events that pique your interest, directly export a PDF of a tab, access the raw logs, and save a personalized view of the activity that you want to track. These capabilities make it possible for you to monitor activity and develop policies and countermeasures for fortifying your network against malicious activity. In this section, you will Interact with the ACC widgets across different tabs, drill down using widget filters, and pivot the ACC views using global filters, and export a PDF for sharing with incidence response or IT teams.
At first glance, you see the Application Usage and User Activity widgets in the
ACC
Network Activity
tab. The User Activity widget shows that user Marsha Wirth has transferred 718 Megabytes of data during the last hour. This volume is nearly six times more than any other user on the network. To see the trend over the past few hours, expand the
Time
period to the
Last 6 Hrs
, and now Marsha’s activity has been 6.5 Gigabytes over 891 sessions and has triggered 38 threats signatures.
Usecase_ACC_1.PNG
Because Marsha has transferred a large volume of data, apply her username as a global filter (ACC Filters) and pivot all the views in the ACC to Marsha’s traffic activity.
Usecase_ACC_2.png
The Application Usage tab now shows that the top application that Martha used was rapidshare, a Swiss-owned file-hosting site that belongs to the file-sharing URL category. For further investigation, add rapidshare as a global filter, and view Marsha’s activity in the context of rapidshare.
Consider whether you want to sanction rapidshare for company use. Should you allow uploads to this site and do you need a QoS policy to limit bandwidth?
To view which IP addresses Marsha has communicated with, check the
Destination IP Activity
widget, and view the data by bytes and by URLs.
Usecase_ACC_5.png
To find out which countries Marsha communicated with, sort on
sessions
in the
Destination Regions
widget.
Usecase_ACC_5_2.png
From this data, you can confirm that Marsha, a user on your network, has established sessions in Korea and the European Union, and she logged 19 threats in her sessions within the United States.
To look at Marsha’s activity from a threat perspective, remove the global filter for rapidshare.
Usecase_ACC_6.png
In the
Threat Activity
widget on the
Threat Activity
tab, view the threats. The widget displays that her activity had triggered a match for 26 vulnerabilities in the overflow, DoS and code-execution threat category. Several of these vulnerabilities are of critical severity.
Usecase_ACC_7.png
To further drill-down into each vulnerability, click into the graph and narrow the scope of your investigation. Each click automatically applies a local filter on the widget.
Usecase_ACC_9.png
To investigate each threat by name, you can create a global filter for say,
Microsoft Works File Converter Field Length Remote Code Execution Vulnerability
. Then, view the
User Activity widget
in the
Network Activity
tab. The tab is automatically filtered to display threat activity for Marsha (notice the global filters in the screenshot).
Usecase_ACC_8.png
Notice that this Microsoft code-execution vulnerability was triggered over email, by the imap application. You can now establish that Martha has IE vulnerabilities and email attachment vulnerabilities, and perhaps her computer needs to be patched. You can now either navigate to the
Blocked Threats
widget in the
Blocked Activity
tab to check how many of these vulnerabilities were blocked.
Or, you can check the
Rule Usage
widget on the
Network Activity
tab to discover how many vulnerabilities made it into your network and which security rule allowed this traffic, and navigate directly to the security rule using the
Global Find
capability.
Usecase_ACC_11.png
Then, drill into why imap used a non-standard port 43206 instead of port 143, which is the default port for the application. Consider modifying the security policy rule to allow applications to only use the default port for the application, or assess whether this port should be an exception on your network.
negate_filter.png To review if any threats were logged over imap, check Marsha’s activity in the
WildFire Activity by Application
widget in the
Threat Activity
tab. You can confirm that Marsha had no malicious activity, but to verify that other no other user was compromised by the imap application, negate Marsha as a global filter and look for other users who triggered threats over imap.
WF_activity.png
Click into the bar for imap in the graph and drill into the inbound threats associated with the application. To find out who an IP address is registered to, hover over the attacker IP address and select the
Who Is
link in the drop-down.
WF_activity_who_is.png
Because the session count from this IP address is high, check the
Blocked Content
and
Blocked Threats
widgets in the
Blocked Activity
tab for events related to this IP address. The
Blocked Activity
tab allows you to validate whether or not your policy rules are effective in blocking content or threats when a host on your network is compromised.
Use the
Export PDF
capability on the ACC to export the current view (create a snapshot of the data) and send it to an incidence response team. To view the threat logs directly from the widget, you can also click the acc_jump_to_logs.PNG icon to jump to the logs; the query is generated automatically and only the relevant logs are displayed onscreen (for example in
Monitor
Logs
Threat Logs
).
Usecase_ACC_10.png
You have now used the ACC to review network data/trends to find which applications or users are generating the most traffic, and how many application are responsible for the threats seen on the network. You were able to identify which application(s), user(s) generated the traffic, determine whether the application was on the default port, and which policy rule(s) allowed the traffic into the network, and determine whether the threat is spreading laterally on the network. You also identified the destination IP addresses, geo-locations with which hosts on the network are communicating with. Use the conclusions from your investigation to craft goal-oriented policies that can secure users and your network.

Related Documentation