Lab 7 - AI Endpoint Analytics Spoofing Detection
Task Goal
In this lab session you will explore the Spoofing Detection feature of Cisco AI Endpoint Analytics and learn how to use it to quickly spot (and block) endpoints whose behaviour differs from what is expected of the device type assigned to them by the endpoint classification engine.
This lab task will guide you through the Spoofing Detection workflow:
- get an overview of the endpoints by trust score
- identify endpoints where a potential spoofing attack is being detected
- review the anomalous applications used by such endpoints that triggered the spoofing alert
- apply ANC policies to block these endpoints' network access
Spoofing Detection
AI Spoofing Detection is a feature of Cisco AI Endpoint Analytics, released in Cisco Catalyst Center v2.2.2.3, that identifies endpoints impersonating a legitimate endpoint connected to the network.
This helps prevent bad actors and unauthorized devices from gaining access to the network and doing further harm.
Typically, impersonation attempts use techniques such as MAC spoofing, probe spoofing or man-in-the-middle attacks to gain access.
With MAC spoofing, bad actors clone the MAC address of a legitimate endpoint onto a different device, which they then use to connect to the network. With probe spoofing, bad actors forge packets that carry the identity of a legitimate endpoint in protocols such as CDP or DHCP; this can be combined with MAC spoofing or done on its own. In a man-in-the-middle attack, the attacker secretly relays and possibly alters the communication between two parties who believe they are talking to each other directly. In all these cases the goal is to obtain the same level of network access as the legitimate endpoint.
Here is how AI Spoofing Detection works. The feature builds a behavioural profile of each endpoint from its traffic patterns: a given type of legitimate endpoint produces a characteristic traffic pattern. Traffic patterns from many endpoints, crowdsourced from many customers, are analysed by the AI Analytics cloud service to create machine learning (ML) models, and those models are continuously retrained in the cloud. The models are then compared against the traffic flows coming from the endpoints connected to your network. Deviations from a model are detected and an inference is made about a possible anomaly. An anomaly event is raised with a high, medium or low probability, together with an indicator called the Trust Score.
The Trust Score is a measure of the trustworthiness of an endpoint's classification: the higher the Trust Score, the higher the trustworthiness, and vice versa. Customers can use this additional context, which surfaces endpoint anomalies such as spoofing attacks, to take action.
Use case workflow
AI Endpoint Analytics is available under the Policy section:
Menu > Policy > AI Endpoint Analytics
Click on Endpoint Inventory
Filter for endpoints with a low trust score. For this exercise, select endpoints with a trust score between 0 and 3.
An endpoint's trust score can be low for various reasons. Hover over the trust score to get a glimpse of what is causing it to be low.
In this case both endpoints are given the lowest trust score because a spoofing attack was detected with high confidence. Click on the MAC address, select the Trust Score section and expand the AI Spoofing Detection section to see all the details.
In this section we can see that an endpoint that is expected to be an IP Phone is accessing applications such as MySQL and POP3, which we do not expect a genuine IP Phone to use. Based on this traffic pattern, the AI model classifies this endpoint as spoofed with 100% confidence.
After investigating the findings, you as an admin have the option either to reject the finding and reset the trust score, or to take containment actions.
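To make the behavioural comparison described in the Spoofing Detection section concrete, and to reproduce the kind of finding shown above (an endpoint profiled as an IP Phone talking MySQL and POP3), here is an added example that is not part of the lab or of Cisco's product. It stands in for the cloud-trained model with a hand-written per-class application baseline, scores each endpoint by the share of its observed applications that fall outside that baseline, maps the score onto a 1-10 trust scale, and reproduces the "filter by trust score" step of the workflow. The baselines, flow records, MAC addresses, thresholds and trust-score mapping are all constructed for the example; the real models are learned from crowdsourced traffic, not listed by hand.

```python
"""Toy behavioural spoofing check: flag endpoints whose observed applications
fall outside what their profiled device class is expected to use.

Added illustration, not the Cisco AI Endpoint Analytics model. Baselines,
flow records, thresholds and the trust-score mapping are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    mac: str
    application: str  # application label as a flow exporter (e.g. NBAR2) would assign it
    octets: int


# Constructed stand-in for the cloud-trained per-class behavioural model:
# the applications a genuine device of that class is expected to use.
CLASS_BASELINE: Dict[str, Set[str]] = {
    "IP Phone": {"sip", "rtp", "rtcp", "dhcp", "dns", "ntp", "tftp", "http", "cdp"},
    "Printer": {"ipp", "lpd", "snmp", "dns", "dhcp", "http", "https", "mdns"},
}

# Constructed classification results, as the endpoint classification engine
# would hold them. :02 is profiled as an IP Phone but behaves like a host.
PROFILED_TYPE: Dict[str, str] = {
    "00:1e:7a:aa:bb:01": "IP Phone",
    "00:1e:7a:aa:bb:02": "IP Phone",
    "00:1e:7a:aa:bb:03": "Unknown",
}

# Constructed flow records (a few flows per endpoint).
FLOWS: List[Flow] = [
    Flow("00:1e:7a:aa:bb:01", "sip", 12_000),
    Flow("00:1e:7a:aa:bb:01", "rtp", 850_000),
    Flow("00:1e:7a:aa:bb:01", "dns", 900),
    Flow("00:1e:7a:aa:bb:02", "sip", 2_000),
    Flow("00:1e:7a:aa:bb:02", "mysql", 400_000),
    Flow("00:1e:7a:aa:bb:02", "pop3", 35_000),
    Flow("00:1e:7a:aa:bb:02", "ssh", 120_000),
    Flow("00:1e:7a:aa:bb:03", "mysql", 50_000),
]


def observed_apps(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    """Group the applications seen per endpoint (MACs and app names normalised to lower case)."""
    apps: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        apps[f.mac.lower()].add(f.application.lower())
    return apps


def assess(mac: str, apps: Set[str], profiled_type: str) -> dict:
    """Compare one endpoint's observed applications with the baseline of its profiled class.

    Confidence is the share of observed applications outside the baseline; the
    trust score (1 = least trusted, 10 = fully trusted) is derived from it.
    A class with no baseline gets no verdict rather than a false one: the model
    can only judge classes it has learned.
    """
    baseline = CLASS_BASELINE.get(profiled_type)
    if baseline is None or not apps:
        return {"mac": mac, "type": profiled_type, "anomalous_apps": [],
                "confidence": None, "level": "no baseline", "trust_score": None}
    anomalous = sorted(apps - baseline)
    confidence = len(anomalous) / len(apps)
    if confidence >= 0.5:
        level = "high"
    elif confidence >= 0.25:
        level = "medium"
    elif confidence > 0:
        level = "low"
    else:
        level = "none"
    trust_score = 10 - int(round(confidence * 9))  # 0.0 -> 10, 1.0 -> 1
    return {"mac": mac, "type": profiled_type, "anomalous_apps": anomalous,
            "confidence": round(confidence, 2), "level": level, "trust_score": trust_score}


def assess_all(flows: Iterable[Flow], profiled: Dict[str, str]) -> Dict[str, dict]:
    """Assess every endpoint for which a classification exists."""
    apps = observed_apps(flows)
    return {mac: assess(mac, apps.get(mac, set()), ptype) for mac, ptype in profiled.items()}


def low_trust(results: Dict[str, dict], max_score: int = 3) -> List[str]:
    """The 'filter by trust score' step of the lab: endpoints scoring max_score or less."""
    return sorted(mac for mac, r in results.items()
                  if r["trust_score"] is not None and r["trust_score"] <= max_score)


if __name__ == "__main__":
    results = assess_all(FLOWS, PROFILED_TYPE)
    for mac in low_trust(results):
        r = results[mac]
        print(f"{mac} profiled as {r['type']}: trust {r['trust_score']}, "
              f"{r['level']} confidence, unexpected apps {r['anomalous_apps']}")
```

Running it lists only the second phone, with MySQL, POP3 and SSH as the unexpected applications and a trust score of 3. Note the two deliberate gaps that a real deployment must also handle: an endpoint whose class has no learned baseline gets no spoofing verdict, and an endpoint whose profiled class is itself wrong will be judged against the wrong baseline, which is why the product pairs the verdict with the classification trust score rather than replacing it.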
Rapid Threat Containment
Rapid Threat Containment (RTC) is a mechanism that allows Cisco Catalyst Center and other products to contain a threat by acting swiftly on the infrastructure to block or quarantine endpoints. It relies on Cisco ISE Adaptive Network Control (ANC) policies, the mechanism through which ISE receives containment actions from other products such as Cisco Catalyst Center, Cisco Secure Network Analytics (Stealthwatch) or Firepower, as well as from third-party products, all integrated with Cisco ISE via pxGrid.
When a security or IT admin sees an alert with a low or medium trust score, they can apply an ANC policy directly from Cisco Catalyst Center, which lets Cisco ISE carry out the corresponding action on the switchport the endpoint is connected to. ISE sends a RADIUS Change of Authorization (CoA) to the switch, which then limits or blocks the endpoint's access on that port.
Different actions can be taken on the switchport connected to an endpoint, such as shutting the port down or terminating the connection and forcing a reauthentication.
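The lab applies the ANC policy from the Catalyst Center UI. As an added example, not part of the lab or of Cisco's product code, the script below drives the same ISE ANC mechanism from a script, the way a third-party integration might: it builds the PUT request for the ISE ERS REST API endpoint `/ers/config/ancendpoint/apply` (or `/clear` to lift the containment) with the `macAddress` / `policyName` body that endpoint takes. The endpoint paths, body shape and port 9060 follow the ISE ERS API reference as the author understands it (verify against your ISE version); the host name, credentials, MAC address and policy name `Quarantine` are placeholders.

```python
"""Apply or clear a Cisco ISE ANC policy for one endpoint via the ISE ERS REST API.

Added example, not Cisco code. Paths and body shape follow the ISE ERS API
reference for ancendpoint (assumption: check against your ISE version).
Host, credentials, MAC and policy name are placeholders.
"""
import base64
import json
import re
import ssl
import urllib.request
from typing import Optional

ERS_PORT = 9060  # ISE ERS port; ERS must be enabled on the ISE admin node first


def normalise_mac(mac: str) -> str:
    """Accept 001e.7aaa.bb02, 00-1e-7a-aa-bb-02 or 00:1e:... and return AA:BB:CC:DD:EE:FF as ISE expects."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def anc_payload(mac: str, policy_name: Optional[str] = None) -> dict:
    """Body for PUT /ers/config/ancendpoint/apply (with policyName) or /clear (without)."""
    data = [{"name": "macAddress", "value": normalise_mac(mac)}]
    if policy_name is not None:
        data.append({"name": "policyName", "value": policy_name})
    return {"OperationAdditionalData": {"additionalData": data}}


def anc_request(ise_host: str, mac: str, policy_name: Optional[str],
                username: str, password: str) -> urllib.request.Request:
    """Build the PUT request. policy_name=None builds a /clear request that lifts the containment."""
    action = "apply" if policy_name is not None else "clear"
    url = f"https://{ise_host}:{ERS_PORT}/ers/config/ancendpoint/{action}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()  # ERS uses HTTP Basic auth
    body = json.dumps(anc_payload(mac, policy_name)).encode()
    return urllib.request.Request(
        url, data=body, method="PUT",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"})


def send(req: urllib.request.Request, ca_bundle: Optional[str] = None, timeout: int = 15) -> int:
    """Send the request and return the HTTP status code (ISE answers with a 2xx on success).

    Pass the CA bundle that issued the ISE admin certificate. Disabling TLS
    verification on a containment API would let anyone on the path clear
    quarantines or apply them to arbitrary endpoints, so no such switch is offered.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholder deployment values: quarantine the spoofed IP Phone from the lab finding.
    req = anc_request("ise.example.local", "00:1e:7a:aa:bb:02", "Quarantine",
                      "ers-admin", "change-me")
    print("would PUT", req.full_url, req.data.decode())
    # send(req, ca_bundle="/etc/ssl/certs/corp-ca.pem")  # uncomment against a real ISE
```

The policy name must already exist as an ANC policy on ISE (for example one whose action is QUARANTINE); ISE rejects the request otherwise. The account needs the ERS Admin role, and it is worth giving the containment script its own least-privilege account so that the credential that can quarantine endpoints is not the same one used for day-to-day administration.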
Reset Trust Score
If you believe the trust score is incorrect, or if you have taken the necessary corrective actions, you can reset the trust score.
You can leave a note to self explaining why the trust score was reset, then click on Reset.
Key takeaways
Spoofing Detection is an advanced feature that uses network-traffic-based behavioural modelling for specific classes of devices, allowing a potential spoofing attempt to be identified when a protected endpoint exhibits behaviour that differs significantly from the known normal behaviour of the device class it is profiled as.
Identifying a spoofing attack lowers the device classification trust score in AI Endpoint Analytics, and network access for compromised hosts can be quickly blocked to protect the integrity of the network.
This concludes the exploration of the Spoofing Detection feature.