Cisco Secure Network Analytics provides pervasive network visibility and security analytics for advanced protection across the extended network and cloud. The purpose of this blog is to review two methods of using threat intelligence in Secure Network Analytics. First, we will cover the threat intelligence feed, and then we will look at using your own internal threat intelligence in the product. The National Institute of Standards and Technology (NIST) defines threat intelligence (TI) as “threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.” We can use threat intelligence to help understand an adversary’s motives and detect their activity. Secure Network Analytics can use the product of the threat intelligence process to immediately alert you to that activity in your network.
Threat Intelligence Feed
Secure Network Analytics offers a global threat intelligence subscription feed to help make use of a variety of Cisco and information security industry sources to detect on analyzed threat intelligence indicators. Powered by the Cisco Talos intelligence platform, the feed is automatically updated every 30 minutes with known malicious command-and-control (C&C/C2) servers, bogon IP address space, Tor entry and exit nodes, and is updated daily with the Talos IP block list. The indicators are then populated into pre-built host groups. Any attempted or successful communications between your network and the hosts in the threat intelligence feed are detected and alerted on.
Figure 1. Host Group Management with the threat intelligence feed enabled. Note the Bogon, Command & Control Servers, and Tor parent host groups. The Command & Control Servers host group contains many child host groups named by the botnet or campaign family name.
Figure 2. The first several child host groups under the Command & Control Servers parent host group. There are currently 113 distinct child host groups at this time. Any command-and-control detections will include the child host group name so you will know which specific botnet or campaign family you are dealing with.
Enabling the Threat Intelligence Feed
To enable the threat intelligence feed, use the following instructions. You may also refer to these instructions in the Manager’s online help by searching for “threat feed.”
- From the main menu, select Configure > Global > Central Management.
- From the Inventory tab, click the ··· (Ellipsis) icon for the Manager.
- Select Edit Appliance Configuration.
- On the General tab, locate the External Services section.
- Check the Enable Threat Feed check box.
- To adjust the Feed Confidence Level, click the drop-down.
Enabling the threat intelligence feed powers 13 default security events. These events are looking for bot activity, Tor connections, and bogon connections:
- A bot is a system that is infected with malware that carries out specific tasks when sent instructions from a command-and-control server. A collection of bots under a malicious actor’s control is called a botnet.
- Tor, formerly The Onion Router, is a network used for anonymizing Internet connections which works by sending a connection through multiple relays before exiting the Tor network. A Tor entry node is the first server a Tor connection transits through before navigating through at least one relay node and exiting the Tor network via an exit node.
- A bogon address is an IP address which has not been allocated by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIP) and should not be used or seen. The presence of a bogon IP address is typically spoofed traffic or is a configuration error on the network.
The 13 security events, and their basic descriptions, powered by the threat intelligence feed are:
- Bot Infected Host – Attempted C&C Activity – A host on your network has attempted to talk to a known command and control (C&C) server, but was not successful in doing so.
- Bot Infected Host – Successful C&C Activity – A host on your network has communicated with a known command and control (C&C) server.
- Bot Command & Control Server – Indicates that a host in your environment is being used to assist in the compromise of other hosts beyond your environment by acting as a command and control (C&C) server.
- Connection From TOR Attempted – Detects attempted connections to host(s) inside your network from Tor exit nodes.
- Connection From TOR Successful – Detects successful connections to host(s) inside your network from Tor exit nodes.
- Connection To TOR Attempted – Detects attempted connections from host(s) inside your network to Tor entry guard nodes.
- Connection To TOR Successful – Detects successful connections from host(s) inside your network to Tor entry guard nodes.
- Inside TOR Entry Detected – A host inside your network is being advertised as a Tor entry guard node.
- Inside TOR Exit Detected – A host inside your network is being advertised as a Tor exit node.
- Connection From Bogon Address Attempted – Detects attempted connections to host(s) inside your network from a bogon IP address.
- Connection From Bogon Address Successful – Detects successful connections to host(s) inside your network from a bogon IP address.
- Connection To Bogon Address Attempted – Detects attempted connections from host(s) inside your network to a bogon IP address.
- Connection To Bogon Address Successful – Detects successful connections from host(s) inside your network to a bogon IP address.
You can find additional details on these and other security events in the Security Events and Alarm Categories document. The latest edition for Secure Network Analytics version 7.5.0 is located here. Be sure to check the settings for these events in your default Inside Hosts and Outside Hosts policies in Policy Management on the Core Events tab. I recommend setting them to “On + Alarm” for any events that you want to be notified on. These are typically set to “On” by default.
Figure 3. Configuration set to “On + Alarm” for the Connection To Tor Successful security event for the default Inside Hosts and Outside Hosts policies.
Tor Browser Detection
I tested one of the threat intelligence feed-based security events in my lab. An Ubuntu Linux virtual machine is perfect for testing purposes. I downloaded the Tor Browser, connected to the Tor network, and visited a popular dark web search engine with a .onion address. The Connection to Tor Successful security event fired within a couple of minutes.
Figure 4. Tor Browser visiting a popular dark web search engine. Note the .onion address in the URL bar.
Figure 5. The Connection to Tor Successful security event fired properly. We see two distinct connections to Tor entry nodes (I made two connections). Note the far right-hand column titled Target Host Group clearly identifies the target host as Tor Entrance and performed a geolocation match to the corresponding country. In this case we are using Tor entry nodes in Spain and the Netherlands.
Using Your Own Threat Intelligence in Secure Network Analytics
Talos does an amazing job in keeping up with the threat landscape and threat actors. If your organization has internal threat intelligence capabilities, you can use your own indicator data in Secure Network Analytics to compliment the threat intelligence feed. Suppose you are a retail organization, and you have some internal threat intelligence about a point-of-sale memory scraper that is stealing credit card track information. Your team reverse engineered the scraper and found three public command and control IP addresses. Here is how you can use Secure Network Analytics to alert you to any phone home activity related to the memory scrapers.
- Create an Internal Threat Intelligence host group in your Outside Hosts host group. We use Outside Hosts because we will be using public IP addresses. This new host group will serve as a parent host group, and you will create child host groups under this parent for specific purposes. To build the parent host group:
-
- Navigate to Host Group Management (Configure -> Host Group Management)
- Expand Outside Hosts, click on the ·· (Ellipsis) next to Outside Hosts
- Click on Add Host Group from the context menu
- Set the host group name to Internal Threat Intelligence
- Add a description
- Click on Save
- Do not add any IP addresses to this parent host group. You will build off this parent host group over time as you add more internal threat intelligence child host groups to it.
Figure 6. Creating the new parent host group Internal Threat Intelligence.
Figure 7. The new parent host group now shows up under Outside Hosts.
- Create a child host group for the Point-of-Sale Memory Scraper C&C. You want to use these child host groups to be able to quickly identify any traffic seen on your network. If one of your point-of-sale systems reaches out to a command-and-control server, you will see it appropriately tagged by that host group. To build the child host group:
-
- Click on the ·· (Ellipsis) next to the Internal Threat Intelligence host group
- Click on Add Host Group from the context menu
- Set the host group name to Point-of-Sale Memory Scraper C&C
- Add a description
- Enter the IP addresses from your internal threat intelligence
- Click on Save
- In this example I added three random North Korea IP addresses for demonstration purposes.
Figure 8. Creating the new child host group Point-of-Sale Memory Scraper C&C.
Figure 9. The new child host group is neatly organized under Internal Threat Intelligence.
- Build a Custom Security Event looking for an Inside Host communicating with the Point-of-Sale Memory Scraper C&C host group. To build the Custom Security Event:
-
- Navigate to Policy Management (Configure -> Policy Management)
- Click on Create New Policy (near top-right)
- Click on Custom Security Event from the context menu
- Set the name to CSE: Point-of-Sale Memory Scraper Phone Home
- Add a description
- Add the Alarm when… criteria Subject Host Groups: Inside Hosts and Peer Host Groups: Point-of-Sale Memory Scraper C&C
- Toggle the Status to On
- Click on Save
Figure 10. Creating the new Custom Security Event CSE: Point-of-Sale Memory Scraper Phone Home.
- I recommend keeping the Custom Security Event criteria very simple. We want to alert on any communications with the command-and-control servers at all. Note that it is possible to tighten up the criteria by adding more fields. An example might be that you are aware of an adversary that is scanning your network, but you only want to be notified if you detect full conversations with the adversary. In this case, adding the Total Bytes field to the Custom Security Event criteria and setting it to 1K (1,000 bytes) prevents firing by a single ping, but notifies if actual data is transferred. Adjust the value accordingly to your environment. Other criteria can be useful here such as Subject Bytes, Peer Bytes, Subject Packets, Peer Packets, Total Packets, Subject Orientation, Duration, and others.
Figure 11. A more restrictive version of the Custom Security Event will not fire until we see 1,000 total bytes.
- If you want to test out your configurations, you may run a test by adding a test IP to the child host group and communicate with that host to validate your settings. For example, if you have a public cloud instance, you could add that host’s public IP address to the Point-of-Sale Memory Scraper C&C host group, and then connect to your cloud host. The Custom Security Event would then fire. Once you have validated that everything is functioning, simply remove the test IP from the Point-of-Sale Memory Scraper C&C host group. For my test, I added the IP address 198.51.100.100 (resides in an IANA reserved test network defined in RFC 5737) and then pinged that IP address.
Figure 12. Pinging the test IP address I added to the Point-of-Sale Memory Scraper C&C host group.
Figure 13. The Custom Security Event fired based on the ping. Notice the Target Host Groups column lists the host group name, so we immediately know what it is without doing any research. Also note the Alarm column displays the exact name we used when building the Custom Security Event.
Conclusion
Cisco Secure Network Analytics provides outstanding visibility across your network. Leveraging the built-in threat intelligence feed helps protect your enterprise with additional default security events and it keeps those detections current with regular content updates. Include your own internal threat intelligence with Host Groups and Custom Security Events to alert your SOC in real time to specific threats. Be sure to watch out for a follow up blog discussing third-party threat intelligence in Secure Network Analytics.
References
NIST Glossary Entry for Threat Intelligence – https://csrc.nist.gov/glossary/term/threat_intelligence
Threat Intelligence License At-a-glance – https://www.cisco.com/c/dam/en/us/products/collateral/security/stealthwatch/stealthwatch-ti-lice-aag.pdf
System Configuration Guide – https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_5_0_System_Configuration_Guide_DV_1_5.pdf
Security Events and Alarm Categories – https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/securit_events_alarm_categories/7_5_0_Security_Events_and_Alarm_Categories_DV_1_0.pdf
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Security on social!
Cisco Security Social Channels
Instagram
Facebook
Twitter
LinkedIn
Share: