Unleashing SecureX upon a genuine Cyber Campaign

There’s so a lot excitement round the general accessibility (GA) for SecureX. Let’s have a look under the hood because the sector learns to define might know about all expect from the security platform. Even though I’ve your attention, I will attempt to describe how SecureX delivers simpleness thoroughly, efficiency and visibility by way of a cloud-native, built-in platform having an emerging use situation. Is the problem declaration &ndash here; you want to investigate cyber/malware advertisments impacting your atmosphere and if you can find any determined targets by considering historical activities from your own deployed security technologies. Every Cisco security customer is eligible for SecureX and you also are hoped by me personally find this use situation walk-through helpful. I will share the skeletal workflow &ndash furthermore; that you can run as your personal &lsquo either;playbook’ or modify to be while complex or simple like your needs merit.

Allow’s established the background. Recently we’ve been made aware that one Australian federal government owned entities and businesses have been targeted by way of a advanced state-based actor. The Australian Cyber Security Centre (ACSC) has titled these events as “Copy-Paste Compromises” and also have published a summary with hyperlinks to detailed TTPs (tactics, strategies, procedures). The ACSC furthermore published and is sustaining an evolving set of IOCs (indicators of compromise) that exist here. As as mitigations far, ACSC recommends prioritizing prompt patching of most internet facing techniques and the usage of multi-aspect authentication (MFA) across all remote control access services. Furthermore, the ACSC recommends applying the rest of the ASD Essential Eight controls. Cisco Security has a extensive portfolio of technology that can provide superior risk mitigation and security at level. My colleague Steve Moros discussed these in his latest blog. However, in case you are curious like me, you’ll first desire to understand the influence of the danger in your environment. Are usually these observables malicious or suspicious? Have we noticed these observables? Which endpoints have got the malicious documents or have linked to the domain/URL? So what can I now do about any of it right?

If you aren’t in Australia, don’t stroll just yet away! The name ‘Copy-Paste Compromises’ comes from the actor’s large use of proof concept exploit code, internet shells and other equipment copied identically from open up source almost. So you might see a few of these in your atmosphere even though you are not being particularly targeted by this advertising campaign. Also the example could be replaced by you above with any malware/cyber campaign. Typically you will discover blogs from Cisco (TALOS) or various other vendors or community posts, detailing the TTPs and much more the IOCs importantly. In other situations, you may receive IOCs over a threat feed or even scrape them from the webpage/blog/post simply. Irrespective with minimal tweaks the below process should work with some of those sources aswell still. Let’s begin!

Phase 1 – Threat Hunting & Response

In this task, We simply copied all of the IOCs from the published csv document and put them in to the enrichment search container in my own SecureX ribbon. This uses SecureX threat reaction to parse any kind of observables (domains, IPs, URLs, document hashes, etc) from basic textual content and assign a disposition to each observable. We are able to see you can find 102 observables which have been tagged as clean (3), malicious (59), suspicious (1) and unknowns (39). The unknowns are of increased concern, because the malicious and suspicious observables could have been blocked hopefully, if my threat feeds will work in collaboration with my security handles. Nonetheless, unless they’re of thoroughly clean disposition, any sightings of the observables within an environment are really worth investigating. The ACSC could keep adding new observables with their list also, as this strategy evolves. That presents the live character of today&rsquo just;s cyber promotions and how important it to remain together with things! Or it is possible to all automate it, utilizing the workflow I explain in Step two 2 a little in this website later.

IOC SearchFigure 1: Observables from Text within SecureX Dashboard
Allow’s discover if you can find any sightings of the observables in my atmosphere and identify any targets. I really do this by clicking the “Investigate in Risk response” pivot menu choice in the ‘Observables from Textual content’ pop-up. This brings all of the observables into SecureX risk response which in turn queries integrated security regulates (modules) from my atmosphere. In my case, 5 modules which includes AMP and Umbrella, had responses. I could see any historic sightings quickly, both global, and nearby to my environment.
Threat HuntingFigure 2: Threat Hunting with SecureX threat reaction
There are few what to observe in the screenshot over. The horizontal bar at the top reduces the 102 observables from ACSC into 9 domains, 31 file hashes, 44 IP addresses, 6 URLs and email addresses. I could expand to find dispositions of every of them now. The Sightings section (best right) provides me a timeline snapshot of worldwide sightings & most importantly the 262 nearby sightings of the observables in my own environment during the last couple of weeks. And a significant detail at the top left we’ve 3 targets. Which means that 3 of my corporation’s resources have already been observed having several relationship with a number of of the observables in my own investigation. I’m also able to investigate each observable deeper in the observables area (bottom correct). The relations graph (base left) displays me any human relationships between all of the 102 observables and the 3 targets. This can help me identify ‘affected person zero’ and the way the danger vector infiltrated my distribute and environment.

Allow’s expand the relations graph to obtain a closer look. I could apply various filter systems (disposition, observable kind, etc.) to determine the proceedings. I could select any observable or focus on also, both in relations graph along with else in the SecureX/Threat Response user user interface‑ anywhere; to research it further using threat pivot or intelligence into related Cisco Security items for a deeper analysis. I’ve completed the analysis as soon as, I can start giving an answer to the risk, from the same display screen. With several clicks in the SecureX/Threat Response interface, I can prevent the observables in the particular Cisco Security products (data files in Cisco AMP, domains in Cisco Umbrella, etc.) and also isolate contaminated hosts (in Cisco AMP) to avoid further spread. I’m also able to exceed the default choices and result in pre-configured workflows (described in next area) to do this in virtually any other security item (Cisco or third party) using the energy of APIs/adapters. This is actually the illustrated by the ‘SecureX Orchestration Perimeter Prevent’ workflow choice in below screenshot amidst some other analysis/response options.
Incident ReactionFigure 3: Incident Response with the click
Up to now, using SecureX threat response, we’ve simplified the threat response and hunting process. We could actually take all of the ACSC observables, operate them through different threat feeds and traditional events from our protection controls, while preventing the need to leap through each security item’s interface. We have prevented “the swivel chair effect”, that plagues the security business!

Stage 2 – Orchestrating everything with a workflow

While we achieved a whole lot above utilizing the power of APIs, what if we’re able to minimize the individual intervention and get this to an automated process additional. SecureX orchestrator allows you to create automatic workflows to provide further value. The workflow could be modified for just about any IOC source below, like the TALOS Blog RSS Feed, yet, in this case we will utilize the ACSC provided IOC csv file.

I’d prefer to credit score my colleague Oxana who’s deeply associated with our devnet security initiatives for the specific playbook I am going to share below. She actually is very more comfortable with various Cisco Security APIs.

This is actually the generic workflow:
Playbook flowFigure 4: the Workflow
The workflow itself is easy fairly. It uses SecureX threat reaction APIs for the majority of the ongoing work. For notifications we chose Webex SMTP and APIs, but this could be changed with any collaboration device of choice. The methods involved are the following:

  1. Obtain Indicators – by creating a generic http demand to ACSC hosted IOC csv document (or any source!), do some tidy up and store the natural indicators as textual content
  2. Parse IOCs – from raw textual content stored in step one 1, using SecureX threat response Inspect API
  3. Enrich Observables – with SecureX Threat Response Enrich API to get any global sightings (in my own built-in threat feeds) and much more importantly nearby sightings/targets (in my own integrated security modules such as Umbrella, AMP, etc.)
  4. Notify – if any targets discovered (from local sightings). For every queried module, publish the targets on Webex groups and/or send a contact.
  5. Case Administration – by developing a new casebook the 1st time any targets are located. On subsequent runs maintain updating the casebook if targets discovered.

Are a few screenshots of the workflow in SecureX orchestrator here. This is a bit challenging to squeeze in one screen, which means you get 3 screenshots!

Figure 5: Workflow within SecureX orchestrator
It can be done to improve this workflow with the addition of a schedule, in order that workflow runs every couple of days or hours. This may be helpful as ACSC retains updating the indicators frequently. Another option is to build in reaction choices (with or without acceptance) utilizing the SecureX threat response API. They are ideas and the options are limitless just. SecureX orchestrator may be used to modify this workflow to perform any API activity for responses and notifications, both on Cisco and third party products. Simply utilize the built-in API targets or create (eg new ones. for third party products), add any accounts and variables keys and simply drag and fall the modules to create logic into your own workflow. Essentially, we’ve given you the charged power of workflow scripting in a drag and fall UI. Every environment differs and so we shall depart it for the visitors to improve and adjust this workflow with their individual needs. As mentioned before lastly, you can also utilize this workflow for extracting observables from any web resources and not simply the ACSC Duplicate Paste Compromises IOC checklist. To do this modify the &ldquo simply;ACSC Advisory Focus on” under Targets.
modify observables sourceFigure 6: Modifying the observables source
The above workflow is hosted on github here. It is possible to import it into your personal SecureX orchestrator example as a json file. Prior to going through the import procedure or once the workflow is operate by you, you shall have to supply and/or adjust variables just like the Webex token, Webex teams space email and id accounts details.
Playbook variablesFigure 7: Incorporating the notification variables
Lastly once you operate the workflow, it could be seen by you operating live, the output and input of each module and every ‘for’ loop iteration. This enables easy troubleshooting of items from exactly the same friendly graphical interface!
Working the workflowFigure 8: Running the workflow within SecureX orchestrator
After running the playbook, you need to see email Webex or even notifications Teams messages, indicating targets found (or even not) for every queried module. You need to visit a case by selecting &ldquo also;Casebook” on the SecureX ribbon on the SecureX dashboard.
Figure 9: Webex Groups notifications on nearby sightings and targetsFigure 9: Webex Teams notifications upon nearby sightings and targets

Figure 10: Casebook within SecureX dashboard
If you’re a Cisco Webex Groups consumer, simply login and obtain your personal webex accessibility token to use within the workflow from here. To find the area id for the Webex Groups room which will be useful for notifications from the workflow, add roomid@webex.bot to the available space and it will answer you with an exclusive message containing the area id. Oxana offers documented everything had a need to obtain the workflow moving in the readme file.

To find out more about how exactly to import/export workflows within SecureX orchestrator, adjust variables, targets, and develop your personal workflows even, follow the SecureX orchestrator documentation here.


Since we saw above, Cisco SecureX not merely simplifies danger investigations and response procedure, but allows you to automate the complete process using playbooks furthermore. Using SecureX Threat Reaction, we saw how simple it is to measure the impact of security advisories rapidly. That is threat response and hunting within a interface. But we didn’t stop right now there. We went forward and automated the complete process with a straightforward playbook making use of SecureX orchestrator. This frees up essential human resources to accomplish other operational tasks, or with leisure time on the hands perhaps, they can concentrate on automating other repeatable procedures!

Getting started with SecureX and signing on just takes a couple of mins and is rather straightforward. For those who have recently been using Cisco Threat Response your existing integrations will currently be in SecureX. In case you are not used to the system, follow this playlist to really get your very first integrations done and in addition find out more about creating workflows.

Thank you for reading through along and wish this blog post and the included workflows are of help! Feel absolve to keep a comment if any ideas are experienced by you on SecureX, other concepts on workflows as well as your experiences building exactly the same on SecureX.

%d bloggers like this: