Unleashing SecureX on Copy-Paste Compromises

There is a lot of excitement around the general availability (GA) of SecureX. Let's take a look under the hood as the industry learns to define what we should all expect from a security platform. While I have your attention, I will attempt to explain how SecureX delivers simplicity, efficiency and visibility through a cloud-native, built-in platform, using an emerging use case. Here is the problem statement: you want to investigate cyber/malware campaigns impacting your environment and determine whether there are any identified targets by looking at historical events from your deployed security technologies. Every Cisco security customer is entitled to SecureX, and I hope you find this use case walk-through helpful. I will also share the skeletal workflow, which you can either run as your own 'playbook' or modify to be as simple or complex as your needs merit.

Let's set the background. Recently we have been made aware that Australian federal government owned entities and businesses have been targeted by a sophisticated state-based actor. The Australian Cyber Security Centre (ACSC) has titled these events "Copy-Paste Compromises" and has published a summary with links to detailed TTPs (tactics, techniques, procedures). The ACSC has also published, and is maintaining, an evolving list of IOCs (indicators of compromise), which can be found here. As far as mitigations go, the ACSC recommends prioritizing prompt patching of all internet-facing systems and the use of multi-factor authentication (MFA) across all remote access services. In addition, the ACSC recommends implementing the rest of the ASD Essential Eight controls. Cisco Security has an extensive portfolio of technologies that can provide advanced threat mitigation and protection at scale. My colleague Steve Moros discussed these in his recent blog. However, if you are curious like me, you will first want to understand the impact of the threat in your environment. Are these observables malicious or suspicious? Have we seen these observables? Which endpoints connected to the domain/URL? What can I do about it right now?

If you aren't in Australia, don't walk away just yet! The name 'Copy-Paste Compromises' comes from the actor's heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source. So you may see some of these in your environment even if you are not being specifically targeted by this campaign. You could also replace the example above with any malware/cyber campaign. Typically you will find blogs from Cisco (TALOS) or other vendors, or community posts, detailing the TTPs and, more importantly, the IOCs. In other situations, you may receive IOCs over a threat feed or simply scrape them from a webpage/blog/post. Regardless, with minimal tweaks the process below should still work with any of those sources as well. Let's begin!

Step 1 – Threat Hunting & Response

In this step, I simply copied all the IOCs from the published csv file and put them into the enrichment search box in my SecureX ribbon. This uses SecureX threat response to parse any observables (domains, IPs, URLs, file hashes, etc.) from plain text and assign a disposition to each observable. We can see there are 102 observables that have been tagged as clean (3), malicious (59), suspicious (1) and unknown (39). The unknowns are of higher concern, as the malicious and suspicious observables would hopefully have been blocked, if my threat feeds are working in concert with my security controls. Nonetheless, unless they are of clean disposition, any sightings of these observables in an environment are worth investigating. The ACSC will also keep adding new observables to their list as this campaign evolves. That just shows the live nature of today's cyber campaigns and how important it is to stay on top of things! Or you can automate it all, using the workflow I describe in Step 2 a little later in this blog.
Figure 1: Observables from Text within SecureX Dashboard
Let's see if there are any sightings of these observables in my environment and identify any targets. I do this by clicking the "Investigate in Threat Response" pivot menu option in the 'Observables from Text' pop-up. This brings all the observables into SecureX threat response, which then queries the integrated security controls (modules) from my environment. In my case, 5 modules, including AMP and Umbrella, had responses. I can quickly see any historical sightings, both global and local to my environment.
Figure 2: Threat Hunting with SecureX threat response
There are a few things to note in the screenshot above. The horizontal bar at the top breaks down the 102 observables from the ACSC into 9 domains, 31 file hashes, 44 IP addresses, 6 URLs and email addresses. I can now expand each to see the dispositions of each of them. The Sightings section (top right) gives me a timeline snapshot of global sightings and, most importantly, the 262 local sightings of these observables in my environment over the last few weeks. And an important detail: at the top left we have 3 targets. This means that 3 of my organization's assets have been observed having some relationship with one or more of the observables in my investigation. I can also investigate each observable more deeply in the observables section (bottom right). The relations graph (bottom left) shows me any relationships between all the 102 observables and the 3 targets. This helps me identify 'patient zero' and how the threat vector infiltrated my environment and spread.

Let's expand the relations graph to get a closer look. I can apply various filters (disposition, observable type, etc.) to figure out what is going on. I can also click on any observable or target, both in the relations graph and anywhere else in the SecureX/Threat Response user interface, to investigate it further using threat intelligence or pivot into related Cisco Security products for a deeper analysis. Once I have completed the analysis, I can start responding to the threat from the same screen. With a few clicks in the SecureX/Threat Response interface, I can block the observables in the respective Cisco Security products (files in Cisco AMP, domains in Cisco Umbrella, etc.) and even isolate infected hosts (in Cisco AMP) to prevent further spread. I can also go beyond the default options and trigger pre-configured workflows (explained in the next section) to take action in any other security product (Cisco or third party) using the power of APIs/adapters. This is illustrated by the 'SecureX Orchestration Perimeter Prevent' workflow option in the screenshot below, among other analysis/response options.
Figure 3: Incident Response with a click
So far, using SecureX threat response, we have simplified the threat hunting and response process. We were able to take all the ACSC observables and run them through various threat feeds and historical events from our security controls, while avoiding the need to jump through each security product's user interface. We have avoided "the swivel chair effect" that plagues the security industry!

Step 2 – Orchestrating it all with a workflow

While we achieved a lot above using the power of APIs, what if we could minimize the human intervention and make this an automated process? SecureX orchestrator enables you to create automated workflows to deliver further value. The workflow below can be modified for any IOC source, such as the TALOS Blog RSS Feed; however, in this case we will use the ACSC-provided IOC csv file.

I'd like to credit my colleague Oxana, who is deeply involved with our DevNet security initiatives, for the actual playbook I am about to share below. She is very comfortable with the various Cisco Security APIs.

This is the generic workflow:
Figure 4: the Workflow
The workflow itself is fairly simple. It uses SecureX threat response APIs for most of the work. For notifications we chose Webex APIs and SMTP, but this can be replaced with any collaboration tool of choice. The steps involved are as follows:

  1. Get Indicators – by making a generic http request to the ACSC hosted IOC csv file (or any source!), do some clean-up and store the raw indicators as text
  2. Parse IOCs – from the raw text stored in step 1, using the SecureX threat response Inspect API
  3. Enrich Observables – with the SecureX threat response Enrich API to find any global sightings (in my integrated threat feeds) and, more importantly, local sightings/targets (in my integrated security modules such as Umbrella, AMP, etc.)
  4. Notify – if any targets are found (from local sightings). For each queried module, post the targets on Webex Teams and/or send an email.
  5. Case Management – by creating a new casebook the first time any targets are found. On subsequent runs, keep updating the casebook if targets are found.
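
Steps 1 and 2 of the list above can be reproduced locally to see what the clean-up and parsing stages have to handle. This is an added example, not the workflow hosted on GitHub and not Cisco's code: it refangs a defanged IOC CSV and emits de-duplicated type/value observables, standing in for the hosted Inspect call. The sample CSV, the function names and the regex-based typing are assumptions made for illustration.

```python
import csv, io, ipaddress, re
from collections import Counter

# Constructed sample, not ACSC data: a defanged IOC CSV with a header and a duplicate.
SAMPLE_CSV = """indicator,comment
hxxp://files.example[.]com/update.bin,download url
files.example[.]com,hosting domain
203.0.113[.]7,remote address
203.0.113.7,duplicate of the row above
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,sha256 placeholder
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def refang(value):
    """Undo common defanging so indicators can be matched against telemetry."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.I)

def classify(value):
    """Return an observable type for one cleaned value, or None if unrecognised."""
    if re.match(r"^https?://", value, re.I):
        return "url"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(value.lower()) else None

def parse_iocs(csv_text):
    """Clean the raw CSV text and emit de-duplicated, typed observables."""
    seen, observables = set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:  # headers and free-text comments classify as None
            value = refang(cell)
            kind = classify(value)
            if kind and (kind, value.lower()) not in seen:
                seen.add((kind, value.lower()))
                observables.append({"type": kind, "value": value})
    return observables

def breakdown(observables):
    """Count observables per type, like the bar at the top of an investigation."""
    return dict(Counter(o["type"] for o in observables))

print(breakdown(parse_iocs(SAMPLE_CSV)))
```

The duplicate row is dropped only because refanging happens before de-duplication; comparing raw cells would count `203.0.113[.]7` and `203.0.113.7` as two observables.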

Here are a few screenshots of the workflow in SecureX orchestrator. It is a bit difficult to fit on one screen, so you get 3 screenshots!

Figure 5: Workflow in SecureX orchestrator
It is possible to further improve this workflow by adding a schedule, so that the workflow runs every few hours or days. This can be useful as the ACSC keeps updating the indicators regularly. Another option is to build in response options (with or without approval) using the SecureX threat response API. These are just ideas and the possibilities are limitless. SecureX orchestrator can be used to modify this workflow to run any API action for notifications and responses, both on Cisco and third party products. Simply use the built-in API targets or create new ones (e.g. for third party products), add any variables and account keys, and just drag and drop the modules to build logic into your workflow. Essentially, we have given you the power of workflow scripting in a drag and drop UI. Every environment is different, so we will leave it to the readers to improve and adapt this workflow to their individual needs. Lastly, as mentioned before, you can also use this workflow to extract observables from any web source and not just the ACSC Copy-Paste Compromises IOC list. To do this, just modify the "ACSC Advisory Target" under Targets.
Figure 6: Modifying the observables source
The above workflow is hosted on GitHub here. You can import it into your own SecureX orchestrator instance as a json file. Before you go through the import process, or when you run the workflow, you will need to provide and/or adjust variables such as the Webex token, Webex Teams room id and email account details.
Figure 7: Adding the notification variables
Lastly, when you run the workflow, you can see it running live, along with the input and output of every module and every 'for' loop iteration. This allows easy troubleshooting from the same friendly graphical interface!
Figure 8: Running the workflow in SecureX orchestrator
After running the playbook, you should see email notifications or Webex Teams messages indicating targets found (or not) for each queried module. You should also see a case by selecting "Casebook" on the SecureX ribbon on the SecureX dashboard.
Figure 9: Webex Teams notifications on local sightings and targets

Figure 10: Casebook in SecureX dashboard
If you are a Cisco Webex Teams customer, simply log in and get your personal Webex access token to use in the workflow from here. To get the room id for the Webex Teams room that will be used for notifications from the workflow, add roomid@webex.bot to the room and it will reply to you with a private message containing the room id. Oxana has documented everything needed to get the workflow going in the readme file.

To learn more about how to import/export workflows in SecureX orchestrator, adjust variables and targets, and even build your own workflows, follow the SecureX orchestrator documentation here.


As we saw above, Cisco SecureX not only simplifies the threat investigation and response process, but also lets you automate the whole process using playbooks. Using SecureX threat response, we saw how easy it is to quickly assess the impact of security advisories. That is threat hunting and response in a single interface. But we didn't stop there. We went ahead and automated the whole process with a simple playbook using SecureX orchestrator. This frees up critical human resources to do other operational tasks or, perhaps with free time on their hands, they can focus on automating other repeatable processes!

Getting started with SecureX and signing on takes only a few minutes and is fairly straightforward. If you have already been using Cisco Threat Response, your existing integrations will already be in SecureX. If you are new to the platform, follow this playlist to get your first integrations done and also learn about creating workflows.

Thanks for reading along, and I hope this post and the included workflows are of help! Feel free to leave a comment if you have any thoughts on SecureX, other ideas on workflows, or your experiences building the same on SecureX.
