Thursday, November 14, 2024

Utilizing Risk Intelligence in Cisco Safe Community Analytics

This weblog is continuation of the earlier weblog on utilizing Cisco Safe Community Analytics. On this half, we cowl leveraging public Cisco Talos blogs and third-party risk intelligence information with Cisco Safe Community Analytics. Be sure you learn the primary half as this half makes references again to Host Group and Customized Safety Occasion directions lined within the unique weblog.

Cisco Talos Blogs

The proficient researchers at Cisco Talos usually publish blogs on threats and vulnerabilities. These blogs break down the techniques, strategies and procedures (TTPs) utilized by risk actors. Talos’ analysis publications usually embody pattern supply code, phishing emails, reverse engineering of malicious binaries, instruments, scripts, command and management methodology, attacker infrastructure, file hashes, domains and IP addresses utilized in malicious operations. The indications of compromise (IOCs) are revealed on GitHub as JSON and plain textual content recordsdata. We are able to use these blogs and GitHub recordsdata to construct Customized Safety Occasions in Cisco Safe Community Analytics.

Let’s take a look at a weblog: MoonPeak malware from North Korean actors unveils new particulars on attacker infrastructure. This weblog focuses on a state-sponsored group from North Korea. The group leverages an open-source distant entry trojan (RAT) from a household being referred to as MoonPeak.

Graphic representation showing computer infected by malware
Fig. 1: Latest weblog put up from Cisco Talos

Scroll by means of the article and take note of the extent of element offered. Close to the very backside of the weblog discover the part titled IOCs.

Text that reads, IOCs for this research can also be found at our GitHub repository here.
Fig. 2: IOCs part with a hyperlink to GitHub

Click on on the hyperlink to the GitHub repository. You’ll be taken to the Cisco Talos GitHub repository the place you’ll find the IOCs can be found as JSON and plain textual content recordsdata, and are sorted by the month the weblog was revealed in. Be happy to discover different recordsdata, months, and years to get accustomed to the symptoms usually offered.

GitHub files from Talos blogs
Fig. 3: GitHub recordsdata from August 2024 for 3 Talos blogs

Click on on the file “moonpeak-infrastructure-north-korea.txt” or comply with the direct hyperlink. Scroll right down to line 35 of the file the place the Community IOCs start. This checklist comprises twelve IP addresses we’re desirous about. Seen that the IP addresses and domains have been defanged with sq. brackets across the dots so you can not by chance click on on them.

List of defanged IOCs
Fig. 4: Community IOCs offered by Talos utilized by North Korean risk actors

You’ll be able to both manually delete the sq. brackets or use the discover and exchange performance in your favourite textual content editor to do the job. I desire to make use of Notepad++ when coping with textual content recordsdata. I set the “Discover and Change” to search for the sq. brackets across the dot and exchange all cases with a dot.

Using Notepad++ with find and replace to remove square brackets in defanged IP addresses
Fig. 5: Utilizing Notepad++ with discover and exchange to take away sq. brackets in defanged IP addresses
Successful replacement in Notepad++
Fig. 6: Profitable alternative – discover the sq. brackets are all gone now

Delete the domains from the checklist and replica and paste these IP addresses right into a New Host Group utilizing the strategies described within the first a part of this weblog.

Creating a new host group for the IPs taken from this Cisco Talos blog
Fig. 7: Creating a brand new host group for the IPs taken from this Cisco Talos weblog

You may additionally think about using a instrument to extract IP addresses from textual content. I actually like iplocation IP Extractor. You’ll be able to paste in a block of textual content with IPv4 and IPv6 IP addresses and it’ll extract them to allow them to be simply reviewed and pasted into a number group. The IPs you paste into this instrument can’t be defanged. It requires full and proper IP addresses to work.

All the time think about the sensitivity of the knowledge you present to public instruments earlier than utilizing them. It is best to think about a regionally hosted instrument for delicate info

iplocation IP Extractor
Fig. 8: Utilizing an IP extractor to drag out all legitimate IP addresses from a block of textual content
Extracted IP addresses ready to copy to a host group
Fig. 9: Extracted IP addresses prepared to repeat to a number group

Third-party risk intelligence

In the event you take part in any Data Sharing and Evaluation Facilities (ISACs), subscribe to industrial feeds or usually make the most of bulletins and blogs geared in direction of your trade, you can too make the most of their indicators in Cisco Safe Community Analytics. They work the identical approach we dealt with inside risk intelligence within the first a part of this weblog or Cisco Talos blogs proven above. Watch out when scraping risk intelligence to make sure you’re solely together with indicators you plan to make use of. For instance, if you’re scraping a complete bulletin that comprises IP addresses you have an interest in, be sure you don’t by chance copy an IP tackle from an adjoining and unrelated entry.

You’ll be able to paste a block of IP addresses right into a New Host Group or use a instrument to drag them out of a block of textual content after which paste them. Watch out in case your supply defangs IP addresses, as this is quite common. You should utilize the identical strategies I illustrated for the Cisco Talos GitHub entries above.

Host group dad or mum/youngster relationships

A superb observe for constructing dad or mum and youngster host teams is to create a brand new dad or mum host group for any distinct sources. Then create a baby host group for every new report. This lets you simply monitor again each to the unique supply or the risk intelligence and determine which marketing campaign or risk actor is concerned. I like to incorporate a hyperlink to the supply within the host group description. That is particularly useful if you’re using a number of risk intelligence sources to your safety controls. Arrange your host teams in a way that makes probably the most sense to you.

You’ll be able to both create a brand new Customized Safety Occasion (see the primary a part of this weblog) for every youngster host group with a definite title or create one Customized Safety Occasion for the dad or mum host group with a generic title. Both case may have you lined, and the host group title within the alarm will make it easier to rapidly determine the supply of risk intelligence.

Different Concerns

You at all times need to carry out a Move Search (Examine -> Move Search) first earlier than constructing any Customized Safety Occasions. This can forestall you from flooding your self with alerts when you by chance embody the mistaken IP tackle or are already usually speaking with an IP tackle you plan to incorporate in a brand new host group.


We’d love to listen to what you suppose. Ask a Query, Remark Beneath, and Keep Linked with Cisco Safe on social!

Cisco Safety Social Channels

Instagram
Fb
Twitter
LinkedIn

Share:



Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles