This blog is a continuation of the earlier blog on utilizing Cisco Secure Network Analytics. In this part, we cover leveraging public Cisco Talos blogs and third-party threat intelligence data with Cisco Secure Network Analytics. Make sure you read the first part, as this part refers back to the Host Group and Custom Security Event instructions covered in the original blog.
Cisco Talos Blogs
The talented researchers at Cisco Talos regularly publish blogs on threats and vulnerabilities. These blogs break down the tactics, techniques and procedures (TTPs) used by threat actors. Talos' research publications often include sample source code, phishing emails, reverse engineering of malicious binaries, tools, scripts, command and control methodology, attacker infrastructure, file hashes, domains and IP addresses used in malicious operations. The indicators of compromise (IOCs) are published on GitHub as JSON and plain text files. We can use these blogs and GitHub files to build Custom Security Events in Cisco Secure Network Analytics.
Let's look at a blog: MoonPeak malware from North Korean actors unveils new details on attacker infrastructure. This blog focuses on a state-sponsored group from North Korea. The group leverages an open-source remote access trojan (RAT) from a family being referred to as MoonPeak.
Scroll through the article and note the level of detail provided. Near the very bottom of the blog, find the section titled IOCs.
Click on the link to the GitHub repository. You will be taken to the Cisco Talos GitHub repository, where you will see that the IOCs are available as JSON and plain text files, sorted by the month the blog was published in. Feel free to explore other files, months, and years to get familiar with the indicators regularly provided.
Click on the file "moonpeak-infrastructure-north-korea.txt" or follow the direct link. Scroll down to line 35 of the file, where the Network IOCs begin. This list contains twelve IP addresses we are interested in. Notice that the IP addresses and domains have been defanged with square brackets around the dots so you cannot accidentally click on them.
You can either manually delete the square brackets or use the find and replace functionality in your favorite text editor to do the job. I prefer to use Notepad++ when dealing with text files. I set "Find and Replace" to look for the square brackets around the dot and replace all instances with a plain dot.
Delete the domains from the list, then copy and paste the remaining IP addresses into a New Host Group using the methods described in the first part of this blog.
You may also consider using a tool to extract IP addresses from text. I really like the iplocation IP Extractor. You can paste in a block of text containing IPv4 and IPv6 addresses and it will extract them so they can be easily reviewed and pasted into a host group. The IPs you paste into this tool cannot be defanged; it requires complete and correct IP addresses to work.
Always consider the sensitivity of the information you provide to public tools before using them. You should consider a locally hosted tool for sensitive information.
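A small, locally run alternative to a public extractor, added here as an example (it is not part of the original post and not a Cisco or Talos tool): it refangs a Talos-style IOC text, keeps only tokens that parse as valid IPv4/IPv6 addresses (so domains, hashes and headings fall away without manual deletion), dedupes them, and sets aside any private, loopback or link-local address, which in an attacker-infrastructure list usually means an unrelated line was scraped. The sample text is constructed and uses documentation ranges only, not the real MoonPeak indicators.

```python
import ipaddress

# Constructed sample in the style of a Talos IOC text file (not the real
# moonpeak-infrastructure-north-korea.txt); documentation-range addresses only.
SAMPLE_IOC_TEXT = """\
Hashes
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Network IOCs
203[.]0[.]113[.]15
203[.]0[.]113[.]15
198[.]51[.]100[.]7:8080
2001[:]db8[:]cafe[:][:]1
update[.]malware-c2[.]example
10[.]0[.]0[.]5
"""

# Ranges that never belong in an attacker-infrastructure host group; one of
# these in the output usually means an unrelated line was scraped by mistake.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def refang(text: str) -> str:
    """Undo the [.] / [:] defanging so each address is complete and correct."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def _to_ip(token: str):
    """Parse one whitespace token; None for domains, hashes and headings."""
    token = token.strip("[](),;\"'")
    candidates = [token]
    if token.count(":") == 1 and "." in token:   # IPv4 with a :port suffix
        candidates.append(token.rsplit(":", 1)[0])
    for cand in candidates:
        try:
            return ipaddress.ip_address(cand)
        except ValueError:
            continue
    return None


def extract_ips(text: str) -> tuple[list[str], list[str]]:
    """Return (host-group-ready, needs-review) unique addresses, first-seen order."""
    # Private/loopback/link-local hits go to review, never silently into the host group.
    ready, review = [], []
    for token in refang(text).split():
        ip = _to_ip(token)
        if ip is None or str(ip) in ready or str(ip) in review:
            continue
        (review if any(ip in n for n in _NON_ROUTABLE) else ready).append(str(ip))
    return ready, review
```

Print the first list one address per line and paste it straight into the New Host Group; anything in the second list deserves a look before it goes anywhere.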
Third-party risk intelligence
If you participate in any Information Sharing and Analysis Centers (ISACs), subscribe to commercial feeds, or regularly use bulletins and blogs geared towards your industry, you can also use their indicators in Cisco Secure Network Analytics. They work the same way we handled internal threat intelligence in the first part of this blog and the Cisco Talos blogs shown above. Be careful when scraping threat intelligence to ensure you are only including the indicators you intend to use. For example, if you are scraping an entire bulletin that contains IP addresses you are interested in, make sure you don't accidentally copy an IP address from an adjacent and unrelated entry.
You can paste a block of IP addresses into a New Host Group or use a tool to pull them out of a block of text and then paste them. Be careful if your source defangs IP addresses, as this is very common. You can use the same methods I illustrated for the Cisco Talos GitHub entries above.
Host group mother or father/little one relationships
A good practice for building parent and child host groups is to create a new parent host group for each distinct source, then create a child host group for each new report. This lets you easily trace back to the original source of the threat intelligence and identify which campaign or threat actor is involved. I like to include a link to the source in the host group description. This is especially helpful if you are using multiple threat intelligence sources for your security controls. Organize your host groups in whatever manner makes the most sense to you.
You can either create a new Custom Security Event (see the first part of this blog) for each child host group with a distinct name, or create one Custom Security Event for the parent host group with a generic name. Either approach will have you covered, and the host group name in the alarm will help you quickly identify the source of the threat intelligence.
Different Concerns
You always want to perform a Flow Search (Investigate -> Flow Search) before building any Custom Security Events. This will prevent you from flooding yourself with alerts if you accidentally include the wrong IP address, or if you are already regularly communicating with an IP address you intend to include in a new host group.