This blog is a continuation of the earlier blog about using Cisco Secure Network Analytics. In this part, we cover leveraging Cisco Talos public blogs and third-party threat intelligence data with Cisco Secure Network Analytics. Be sure to read the first part, as this part references the Host group and Custom security event instructions covered in the original blog.
Cisco Talos Blogs
The talented researchers at Cisco Talos blog regularly on threats and vulnerabilities. These blogs break down the tactics, techniques, and procedures (TTPs) used by threat actors. Talos research publications often include sample source code, phishing emails, reverse engineering of malicious binaries, tools, scripts, command and control methodology, attacker infrastructure, and the file hashes, domains, and IP addresses used in malicious operations. The Indicators of Compromise (IOCs) are published to GitHub as JSON and plain text files. We can use these blogs and GitHub files to create Custom security events in Cisco Secure Network Analytics.
Let's look at a blog: MoonPeak malware from North Korean actors reveals new details about attacker's infrastructure. This blog focuses on a state-sponsored group in North Korea. The group leverages an open source Remote Access Trojan (RAT) from a family known as MoonPeak.
Scroll through the article and note the level of detail provided. Near the end of the blog, find the section titled IOC.
Click the link to the GitHub repository. You will be directed to the Cisco Talos GitHub repository, where you will find that IOCs are available as JSON and plain text files, sorted by the month the blog was published. Feel free to explore other files, months and years to get familiar with the indicators that are published periodically.
Click on the file “infrastructure-moonpeak-north-korea.txt” or follow the direct link. Scroll down to line 35 of the file, where the Network IOCs begin. This list contains twelve IP addresses that interest us. I noticed that the IP addresses and domains have been defanged with square brackets around the dots so you can't accidentally click on them.
You can manually remove the brackets or use the find and replace function in your favorite text editor to get the job done. I prefer to use Notepad++ when it comes to text files. I set “Find and Replace” to find the square brackets around the period and replace all instances with a period.
Remove the domains from the list, then copy and paste the IP addresses into a New host group using the techniques described in the first part of this blog.
You may also consider using a tool to extract IP addresses from text. I really like the Iplocation IP Extractor. You can paste a block of text containing IPv4 and IPv6 addresses and it will extract them so they can be easily reviewed and pasted into a host group. The IPs you paste into this tool can't be defanged; it requires complete and correct IP addresses to function.
Always consider the sensitivity of the information you provide to public tools before using them. Consider a locally hosted tool for sensitive information.
Third-party threat intelligence
If you participate in an Information Sharing and Analysis Center (ISAC), subscribe to commercial feeds, or regularly use newsletters and blogs geared toward your industry, you can also use that intelligence in Cisco Secure Network Analytics. It works the same way we handled internal threat intelligence in the first part of this blog and the Cisco Talos blogs shown above. Be careful when collecting threat intelligence to ensure you only include the indicators you want to use. For example, if you are extracting IP addresses of interest from an entire newsletter, make sure not to accidentally copy an IP address from an adjacent, unrelated entry.
You can paste a block of IP addresses into a New host group, or use a tool to extract them from a block of text and then paste them. Be careful if your source defangs IP addresses, as this is very common. You can use the same techniques I illustrated for the Cisco Talos GitHub files above.
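As an added example (not code from the original post, Cisco, or Talos), here is a small locally run Python equivalent of the refang-and-extract steps described for the Talos IOC file and for third-party sources above: it undoes the bracket defanging, validates each line as an IPv4 or IPv6 address with the standard library, separates out domains (and the host of any URL indicator) so they can be removed before pasting into a host group, and drops duplicates. The sample IOC block is constructed from documentation ranges and example domains, not the MoonPeak indicators, and the defanging conventions it handles ([.], [:], hxxp) are assumptions about the source format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of a Talos IOC text file: one indicator per
# line, dots defanged with square brackets. Documentation ranges and example
# domains only; these are not the indicators from the MoonPeak post.
SAMPLE_IOC_TEXT = """\
Network IOCs
192[.]0[.]2[.]10
198[.]51[.]100[.]7
203[.]0[.]113[.]250:8443
2001[:]db8[:]cafe[:][:]1
malicious-example[.]com
hxxp://update[.]example[.]net/payload
198[.]51[.]100[.]7
"""

# Loose hostname pattern, used only to tell domains apart from heading text.
_DOMAIN_RE = re.compile(r"^(?=.*[a-z])[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def refang(text: str) -> str:
    """Undo the usual defanging so indicators parse: [.] -> ., [:] -> :, hxxp -> http."""
    return (text.replace("[.]", ".").replace("[:]", ":")
                .replace("hxxps://", "https://").replace("hxxp://", "http://"))

def classify_iocs(text: str) -> dict[str, list[str]]:
    """Split an IOC block into de-duplicated IP addresses (ready to paste into a
    host group) and domains (to remove first). Heading and other lines are ignored."""
    ips, domains = [], []
    for line in refang(text).splitlines():
        token = line.strip().strip("()[],;")
        if "://" in token:                         # URL IOC: keep only its host
            token = urlsplit(token).hostname or token
        if token.count(".") == 3 and token.count(":") == 1:
            token = token.split(":", 1)[0]         # drop a trailing :port on IPv4
        try:
            ip = str(ipaddress.ip_address(token))  # validates IPv4 and IPv6
        except ValueError:
            if _DOMAIN_RE.match(token) and token not in domains:
                domains.append(token)
            continue
        if ip not in ips:
            ips.append(ip)
    return {"ips": ips, "domains": domains}

if __name__ == "__main__":
    result = classify_iocs(SAMPLE_IOC_TEXT)
    print("Domains to remove first:", ", ".join(result["domains"]))
    print("Paste into the host group:\n" + "\n".join(result["ips"]))
```

Review the printed IP list against the source before pasting it, since the defanging and port conventions of other feeds may differ from the ones handled here.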
Parent and child host group relationships
A good practice for creating parent and child host groups is to create a new parent host group for each distinct source, then create a child host group for each new report. This lets you easily trace both the original source of the threat intelligence and which campaign or threat actor is involved. I like to include a link to the source in the host group description. This is especially helpful if you use multiple sources of threat intelligence for your security controls. Organize your host groups in the way that makes the most sense for you.
You can create a new Custom security event (see the first part of this blog) for each child host group with a distinct name, or create one Custom security event for the parent host group with a generic name. Either approach will have you covered, and the host group name in the alarm will help you quickly identify the source of the threat intelligence.
Other considerations
You always want to run a Flow Search (Investigate -> Flow Search) before building any Custom security events. This will prevent you from being inundated with alerts if you accidentally include the wrong IP address, or if you already regularly communicate with an IP address that you want to include in a new host group.
We'd love to hear what you think. Ask a question, comment below, and stay connected with Cisco Secure on social media.