

Cisco Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

Cisco Secure Endpoint (AMP for Endpoints) Premier with the following connector versions:

| Detection/Protection Scope              | Product                                                           | Configuration                                  |
|-----------------------------------------|-------------------------------------------------------------------|------------------------------------------------|
| Domain Controller (Windows Server 2019) | Cisco Secure Endpoint (AMP for Endpoints) Windows Connector 7.3.9 | Detection Test Policy / Protection Test Policy |
| User Systems (Windows 10)               | Cisco Secure Endpoint (AMP for Endpoints) Windows Connector 7.3.9 | Detection Test Policy / Protection Test Policy |
| File Server (CentOS 7.7)                | Cisco Secure Endpoint (AMP for Endpoints) Linux Connector 1.13.2  | Detection Test Policy / Protection Test Policy |

Product Description

Cisco® Secure Endpoint (AMP for Endpoints) integrates prevention, detection, threat hunting and response capabilities in a single solution, leveraging the power of cloud-based analytics. Secure Endpoint will protect your Windows, Mac, Linux, Android, and iOS devices through a public or private cloud deployment.

Included with Cisco Secure Endpoint (AMP for Endpoints), SecureX is a cloud-native, built-in platform experience that connects the Cisco Secure portfolio and your infrastructure. SecureX is integrated and open for simplicity, unified in one location for visibility, and maximizes operational efficiency with automated workflows to reduce threat dwell time and human-powered tasks to stay compliant and counter attacks.

To further enhance threat context and streamline investigation and response, Cisco maps extensively, where applicable, to tactics, techniques and procedures defined in MITRE ATT&CK. Examples include:

  • Detection Event Descriptions
  • Catalog of Cisco-curated Advanced Searches for Indicators of Compromise/Attack
  • Dynamic File Analysis Behavior Indicators

Product Configuration

* The Exploit Prevention engine was disabled during the FIN7 Detection Test.

Windows User Systems and Domain Controller

Detection Test Policy

Product’s default Audit policy settings from First Use Wizard:
  • Files: Audit
  • Network: Audit
  • Malicious Activity Protection: Audit
  • System Process Protection: Audit
  • Script Protection: Audit
  • Exploit Prevention: Audit*
  • Behavioral Protection: Audit
  • Tetra: Enabled

With the following modifications from default:
  • Outbreak Control: Custom Detections – Advanced
  • Advanced Settings:
    • Engines: Enable Event Tracing for Windows
    • Engines: Exploit Prevention – Script Control – Audit
    • TETRA: Enable Deep Scan Files
    • TETRA: Enable Detect Expanded Threat Types

Protection Test Policy

Product’s default Protect policy settings from First Use Wizard:
  • Files: Quarantine
  • Network: Block
  • Malicious Activity Protection: Quarantine
  • System Process Protection: Protect
  • Script Protection: Quarantine
  • Exploit Prevention: Block
  • Behavioral Protection: Protect
  • Tetra: Enabled

With the following modifications from default:
  • Outbreak Control: Custom Detections – Advanced
  • Advanced Settings:
    • File and Process Scan – On Execute Mode – Active
    • Endpoint Isolation: Enable Allow Endpoint Isolation
    • Engines: Enable Event Tracing for Windows
    • Engines: Exploit Prevention – Script Control – Block
    • Network: Detection Action – Block

Linux File Server

Detection Test Policy

Product’s default Audit policy settings from First Use Wizard:
  • Files: Audit
  • Network: Audit
  • ClamAV: Enabled

With the following modifications from default:
  • Outbreak Control: Custom Detections – Advanced
  • Advanced Settings:
    • ClamAV: AV Definitions – Full ClamAV

Protection Test Policy

Product’s default Protect policy settings from First Use Wizard:
  • Files: Quarantine
  • Network: Audit
  • ClamAV: Enabled

With the following modifications from default:
  • Outbreak Control: Custom Detections – Advanced
  • Advanced Settings:
    • ClamAV: AV Definitions – Full ClamAV