This blog is a continuation of the earlier blog on utilizing Cisco Secure Network Analytics. In this part, we cover leveraging public Cisco Talos blogs and third-party threat intelligence data with Cisco Secure Network Analytics. Be sure to read the first part, as this part refers back to the Host Group and Custom Security Event instructions covered in the original blog.
Cisco Talos Blogs
The talented researchers at Cisco Talos regularly publish blogs on threats and vulnerabilities. These blogs break down the tactics, techniques and procedures (TTPs) used by threat actors. Talos' research publications often include sample source code, phishing emails, reverse engineering of malicious binaries, tools, scripts, command and control methodology, attacker infrastructure, file hashes, domains and IP addresses used in malicious operations. The indicators of compromise (IOCs) are published on GitHub as JSON and plain text files. We can use these blogs and GitHub files to build Custom Security Events in Cisco Secure Network Analytics.
Let's take a look at a blog: MoonPeak malware from North Korean actors unveils new details on attacker infrastructure. This blog focuses on a state-sponsored group from North Korea. The group leverages an open-source remote access trojan (RAT) from a family being referred to as MoonPeak.
Scroll through the article and take note of the level of detail provided. Near the very bottom of the blog, find the section titled IOCs.
Click on the link to the GitHub repository. You will be taken to the Cisco Talos GitHub repository, where you will find the IOCs available as JSON and plain text files, sorted by the month the blog was published in. Feel free to explore other files, months and years to get familiar with the indicators regularly provided.
Click on the file "moonpeak-infrastructure-north-korea.txt" or follow the direct link. Scroll down to line 35 of the file, where the Network IOCs begin. This list contains twelve IP addresses we are interested in. Notice that the IP addresses and domains have been defanged with square brackets around the dots so you cannot accidentally click on them.
You can either manually delete the square brackets or use the find and replace functionality in your favorite text editor to do the job. I prefer to use Notepad++ when dealing with text files. I set "Find and Replace" to search for the square brackets around the dot and replace all instances with a dot.
Delete the domains from the list, then copy and paste the IP addresses into a New Host Group using the methods described in the first part of this blog.
You might also consider using a tool to extract IP addresses from text. I really like the iplocation IP Extractor. You can paste in a block of text with IPv4 and IPv6 addresses and it will extract them so they can be easily reviewed and pasted into a host group. The IPs you paste into this tool cannot be defanged; it requires complete and correct IP addresses to work.
Always consider the sensitivity of the information you provide to public tools before using them. You should consider a locally hosted tool for sensitive information.
Third-party threat intelligence
If you participate in any Information Sharing and Analysis Centers (ISACs), subscribe to commercial feeds, or regularly use bulletins and blogs geared towards your industry, you can also use their indicators in Cisco Secure Network Analytics. They work the same way as the internal threat intelligence we handled in the first part of this blog or the Cisco Talos blogs shown above. Be careful when scraping threat intelligence to ensure you are only including indicators you intend to use. For example, if you are scraping an entire bulletin that contains IP addresses you are interested in, make sure you don't accidentally copy an IP address from an adjacent and unrelated entry.
You can paste a block of IP addresses into a New Host Group, or use a tool to pull them out of a block of text and then paste them. Be careful if your source defangs IP addresses, as this is very common. You can use the same methods I illustrated for the Cisco Talos GitHub entries above.
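As a locally hosted alternative to pasting indicators into a public extractor, the following added Python example (not from the original post or from Cisco or Talos) refangs a block of IOC text and pulls out the valid IPv4 and IPv6 addresses, dropping domains, URLs, ports and malformed entries so the result can be pasted straight into a New Host Group. It serves both the Talos GitHub files and the third-party feed text discussed above; the sample IOC text is constructed here and is not taken from the Talos repository.

```python
import ipaddress
import re

# Constructed sample in the style of a Talos IOC text file (not a real Talos
# file): dots defanged with square brackets, a domain and a URL mixed in with
# the addresses, one address carrying a port, one bad octet, and a duplicate.
SAMPLE_IOC_TEXT = """\
Network IOCs
203[.]0[.]113[.]45
198[.]51[.]100[.]7:8080
example[.]com
hxxp://malicious[.]example[.]net/payload
2001[:]db8[:]abcd[:]1::5
192[.]0[.]2[.]300
203[.]0[.]113[.]45
"""

# IPv4 dotted quad, or anything with two or more colons as an IPv6 candidate;
# the ipaddress module makes the final call on validity.
_CANDIDATE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b|[0-9A-Fa-f]*(?::[0-9A-Fa-f]*){2,7}"
)


def refang(text: str) -> str:
    """Undo common defanging: '[.]' and '(.)' -> '.', '[:]' -> ':', hxxp -> http."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)


def extract_ips(text: str) -> list[str]:
    """Unique, valid IPv4/IPv6 addresses in order of first appearance."""
    found: list[str] = []
    for candidate in _CANDIDATE.findall(refang(text)):
        try:
            addr = str(ipaddress.ip_address(candidate))
        except ValueError:  # port-bearing, timestamp-like or .300-style junk
            continue
        if addr not in found:
            found.append(addr)
    return found


def non_ip_lines(text: str) -> list[str]:
    """Lines holding no valid address (domains, URLs, headings) for manual review."""
    return [ln for ln in refang(text).splitlines() if ln.strip() and not extract_ips(ln)]


if __name__ == "__main__":
    print("\n".join(extract_ips(SAMPLE_IOC_TEXT)))  # ready to paste into a New Host Group
    print("review:", non_ip_lines(SAMPLE_IOC_TEXT))
```

Run it against the refanged file and review the second list before you paste, so a domain or an out-of-range address never ends up in the host group by accident.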
Host group parent/child relationships
A good practice for building parent and child host groups is to create a new parent host group for each distinct source, then create a child host group for each new report. This lets you easily trace back to the original source of the threat intelligence and identify which campaign or threat actor is involved. I like to include a link to the source in the host group description. This is especially helpful if you are using multiple threat intelligence sources for your security controls. Organize your host groups in whatever manner makes the most sense to you.
You can either create a new Custom Security Event (see the first part of this blog) for each child host group with a distinct name, or create one Custom Security Event for the parent host group with a generic name. Either approach will have you covered, and the host group name in the alarm will help you quickly identify the source of the threat intelligence.
Other Considerations
You always want to perform a Flow Search (Investigate -> Flow Search) before building any Custom Security Events. This will prevent you from flooding yourself with alerts if you accidentally include the wrong IP address, or if you are already regularly communicating with an IP address you intend to include in a new host group.
We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!