SecureX Threat Response v1

First Published: 2020-07-17


Last Modified: 2020-10-01

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© Cisco Systems, Inc. All rights reserved.
CHAPTER 1
About
• This Solution
• This Demonstration
• Requirements
• Before Presenting
• Get Started

This Solution
Cisco SecureX Threat Response automates integrations across select Cisco Security products and accelerates
key security operations functions: detection, investigation, and remediation. A key pillar of our integrated
security architecture, SecureX Threat Response dramatically cuts the time and manual effort required to
investigate and remediate cybersecurity incidents. It adds value to your existing Cisco security products like
Umbrella®, AMP for Endpoints®, Firepower®, and Threat Grid® by delivering quick, confident, consistent
answers when time matters most. Cisco and third-party Security Products are added into SecureX threat
response as Modules. Learn more at www.cisco.com/go/threatresponse.
This demo guide for SecureX threat response is meant to show the power of the Cisco Security integrated
architecture. Based on a real-world scenario known as the “Loda RAT,” this demo allows sellers to experience
and show prospects and customers how Security Operations Center personnel can conduct a security
investigation using our architecture.
The demo highlights the integration of the Cisco Security portfolio using the following:
• SecureX Threat Response APIs
• Cisco Firepower
• Cisco AMP for Endpoints
• Cisco Umbrella
• Cisco Email Security

• Cisco Threat Grid
• Cisco Stealthwatch
• Cisco Web Security

This Demonstration
This SecureX demo is intended for Cisco and Cisco partners (SEs, TSAs, public presenters, etc.).
This demonstration is designed for users to choose their own path. You can demonstrate the modules in the
order you choose. Although this demo leverages multiple products, customers only need one Cisco product
to get started with SecureX threat response at no cost. The more products they own, the faster they can conduct
investigations with SecureX threat response. Although not covered on this demo, SecureX threat response
also offers open APIs, so that customers can fully leverage SecureX threat response in their environment. For
more resources, check out our website and SalesConnect page.
This demo architecture consists of three major pieces that work together. The first is a network environment
that runs 24x7 in Cisco dCloud and simulates a real customer enterprise network. It contains various infrastructure
components and Cisco security appliances, as well as scripts that simulate real attacks. Many of these on-premises
components communicate with SecureX threat response by way of the Cisco Security Services Exchange (SSE) and
their applicable SecureX threat response modules. Some of them also communicate with Cisco cloud-based security
services such as AMP for Endpoints and Umbrella. This always-on network environment is *not* directly accessible
to the demo user (with the one exception of the Stealthwatch SMC). Its purpose is to feed demo data into the
various cloud-based services that the demo user investigates from within SecureX threat response.
The second major piece of the demo architecture is made up by the multiple cloud-based Cisco security
products that integrate seamlessly with SecureX threat response, as well as with some of the on-premise
components. Specifically, the SecureX threat response environment is integrated with Umbrella, AMP, and
ThreatGrid.
Finally, there is a graphical demo front end we call the landing page that allows you to seamlessly navigate
to all the different cloud products. When you click “view” on this demo from within the dCloud catalog, you
will find yourself on the landing page. This landing page is specific for your session and will allow you access
to all the components for two hours. Think of the landing page as your “home base” for this demo. It allows
you to login to all the different accessible products from a single, unified pane of glass without needing product
specific credentials by utilizing single sign on. Make sure you keep the landing page tab open in your browser.
Ultimately, SecureX Threat Response is the glue that brings all these pieces together in a valuable way that
differentiates the Cisco security portfolio from anything else in the market today.

Note When you are in the Investigate UI, the investigative and response functions are the same.

Attack Story and Timeline


There are a number of scripted attacks that run weekly in our simulated customer enterprise network, designed
to show how real malware could spread inside an environment like this over the course of several days. As
you go through the demo, you will use SecureX threat response to observe this simulated environment. When
you get to the point in the demo where you are observing SecureX threat response investigations, you will
find references to this timeline to help provide context.

Timeline of attack attempts and activity (all times UTC)

Sunday 21:19
- A malicious email with a malicious attachment (MidYearBonus.com) is sent to two users, marble and flint
(@dcloud.local).

Monday 07:48
- A contractor's infected machine joins an internal guest network and attempts to contact a malicious URL
(drinkfoodapp.com).
- The attacker pivots from this already-owned machine to gain root access to internal systems, including the
billing automation system, an IoT thermostat, and an HVAC system.

Monday 08:04
- The attacker downloads sensitive data from an internal file server to the owned billing automation system.
- The attacker exfiltrates the stolen data to an off-site FTP server (108.62.141.250).

Monday 08:37
- A user on an internal Windows machine (Marble) gets into work, opens the email, and runs the malicious
attachment.
- The malware attempts to call back to its command and control (CnC) server on the internet (108.62.141.250).
- The malware attempts to communicate with a malicious domain (drinkfoodapp.com).

Monday 09:06
- A user on another Windows machine (Granite) gets into work, opens the email, and runs the malicious attachment.
- The malware attempts to call back to its CnC server on the internet.

Monday 10:08
- A user on a Windows machine at a remote site (Slate) clicks a link to the malware hosted on Google Drive.
- The user on Slate successfully downloads the malware from Google Drive.

Monday 14:12
- The owned thermostat attempts a network connection to a malicious domain; Umbrella blocks the request.

Tuesday 07:17
- The owned HVAC system attempts to launch an exploit against an external host (31.210.117.131).

Tip Rehearse and tailor the demo to your style of presentation. For feedback or questions, reach out to our
internal mailer (for sales) threat-response-pm@cisco.com or external mailer (for partners)
threat-response-early@cisco.com.

Requirements
The requirements for this preconfigured demonstration are:

Required: a laptop with the Chrome or Firefox browser.
Optional: (none listed)

Before Presenting
Cisco dCloud strongly recommends that you perform the tasks in this document before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

Get Started
Step 1 Use Chrome or Firefox to log in to dCloud.
Step 2 Click Catalog and select Instant Demo from the sidebar. This lists all the dCloud Instant Demos.
Step 3 In the Search or Filter field, enter SecureX, and then press Enter.
Step 4 Find Cisco SecureX Threat Response v1 - Instant Demo in the catalog, and then click View.
Note Alternately, you can use the Search Catalog box to search for the Instant Demo name.

Step 5 You will be taken to a launch page where you have all the links you will need for this demo.

Important It is imperative that you keep this landing page tab open in your browser throughout this entire demonstration.

Running the demo at the most basic level requires only the tiles on the landing page for Cisco SecureX threat response
and the Talos Blog.
However, there are additional tiles that log you in to AMP, Umbrella, ThreatGrid, and a Stealthwatch SMC if you choose.
This lets you optionally show how these products integrate with SecureX threat response, including the effects of taking
response actions from SecureX threat response, such as adding a file hash to an AMP Simple Custom Detection list (SCDL),
activating isolation on an AMP endpoint, or adding a domain to the Umbrella blocklist.
Note Instructions for demonstrating features within the integrated products themselves are outside the scope of this
document.

Set up your SecureX Threat Response Plugin


Take some time to become familiar with the SecureX threat response browser plugin.
In Scenario 1, you will interact with SecureX threat response by using a downloadable browser extension /
plugin that you can add to either Firefox or Chrome. This browser plugin must be configured properly to
communicate with the dCloud SecureX threat response demo account via API keys. Scenario 1 walks you
through that process.
Keep these things in mind as you perform this demonstration:
• If you are using a browser that already has the plugin installed: Obtain the API credentials from the
dCloud environment and swap them in. Using API credentials from your own SecureX threat response
account will not work in the demo story and will significantly impact the quality and flow of the demo
experience. We recommend using a dedicated browser profile for demonstrations. That will enable you
to save the dCloud plugin credentials and your own credentials separately, and you can switch to your
instant demo profile at any time rather than configuring and reconfiguring the plugin.
• If you have already installed the browser plugin in the browser profile from where you will run
the demo: Use the dCloud account credentials and go straight to Scenario 1 on the following page.
• When you click the SecureX threat response tile from your session landing page, your browser
should open a new tab and automatically log you into SecureX threat response. However, if you get to
a page suggesting you need to login to SecureX threat response, please click the button "Log in with
Cisco Security", and that should get you into SecureX threat response without any prompts.

CHAPTER 2
Scenarios
• Get API keys
• Launch Investigations from the Browser Plugin
• Summary

Get API keys


Step 1 From the landing page, click the Cisco SecureX threat response tile.

Important Disable your pop-up blocker or allow pop-ups from the Cisco dCloud landing page. When you click the
SecureX threat response tile, two tabs will open. The first tab will quickly (automatically) log you in to AMP
for Endpoints and SMC and then automatically close. This is expected and is a normal part of the authentication
process in this demo. The second tab will automatically log you in to SecureX threat response.

Step 2 At this point, you may or may not be prompted to select from a login menu. If you are prompted, select SecureX via
Cisco Security Account.

Note This screen might sometimes display. When it does, be sure to choose the middle option highlighted above.

Step 3 When you are logged in to Cisco SecureX Threat Response, browse to SecureX Demo User Preferences, and then select
Settings.

Step 4 When you are logged in to Cisco SecureX, browse to Settings > API Clients > Generate API Client.
Step 5 In the Add New Client screen that displays, click Select All to select everything in the Scope list.
Step 6 Click Add New Client with 14 scopes (the number may differ, because this is a dynamic environment) to generate
a set of API credentials with all scopes. These are the unique credentials you will use to configure the browser plugin.
Selecting every scope is fine for this disposable demo account; for a production API client, grant only the scopes the
integration actually needs.
Step 7 Use your Cisco internal ID or CCO ID as the start of the Client name.

Step 8 Copy your Client ID and Client Password and paste them somewhere you can retrieve them later, such as a text
editor, because you will need them to configure the browser plugin. Treat the Client Password as a secret: anyone who
holds it can call the API with every scope you granted.

Install Browser Extension / Plugin


Important Watch the video at cs.co/ctr_plugins_video for additional installation guidance.

Step 9 Download and install the Cisco Threat Response Casebook extension for your browser:
• Chrome: cs.co/ctr4chrome
• Firefox: cs.co/ctr-4-firefox

Step 10 Configure the Browser Plugin for the NAM region using the credentials you generated in SecureX threat response.

Abstract of Loda RAT


Talos observed a malware campaign using obfuscation to host a new version of Loda, a remote access trojan
written in AutoIT. Talos has observed several changes in the string encoding Loda uses. The newest versions
of Loda continue to run even after a machine has been rebooted. The purpose of Loda RAT is to steal usernames,
passwords, sound recordings and screenshots. If not detected quickly enough, it can do even more damage.

Launch Investigations from the Browser Plugin


This scenario gives Sales Teams an opportunity to showcase an investigation that leverages the SecureX threat
response browser plugin--a valuable tool that integrates all the capabilities of SecureX Threat Response into
the browser for use with any content. Walk through a simple threat hunt, an investigation, and quick first-strike
response actions, as performed daily by Security Operations teams. No competitor provides the same level
of visibility, speed, or out-of-the-box integration included in our integrated architecture.
On February 12, 2020, Cisco Talos discovered an attack campaign, called Loda RAT, in which the threat actors
used a phishing email to deliver the first-stage document. The attackers re-pack the file as an MSI file and
use an obfuscation technique to avoid detection. The main purpose of Loda RAT is to steal usernames, passwords,
sound recordings and screenshots, but if not detected quickly enough it could do more damage. New threats are
always being developed, so keeping up with the latest threats is a crucial aspect of security efficacy. We will
be using observables related to this real-world attack, listed at the end of the blog, to kick off our SecureX
threat response demo.

Before you begin


Ensure you have logged into SecureX threat response using the steps in the Get Started section of this guide
before you continue. It is imperative that you are already logged into the dCloud SecureX threat response
account before you launch an investigation from the browser plugin in the following steps; if you are not,
you will be taken to a login screen from which you cannot log in. At this point, you should have a browser tab
open that is logged into SecureX threat response. It is recommended that you use an incognito window or clear
your browser's cache before delivering this demonstration.

Step 1 From the landing page, click the TALOS blog post. This will open a new browser tab to a TALOS blog that describes
the Loda RAT.

Step 2 Scroll through the Talos blog to the end to see the observables (IOCs, including the hashes of the malicious
DOC and MSI files). Note that the browser plugin we installed in the previous scenario searches web pages for these
types of observables and brings them into SecureX threat response to support the investigation process.
Step 3 While at the Talos page, click the SecureX threat response extension button in your browser after the page has fully
loaded. When the extension launches, select the extension button that directs the extension to the Find observables in
page.
Example:
It is from this page we will determine what we would like to investigate.

The extension used the SecureX threat response APIs to do two things here that we can see so far:
Extract the observables from the raw unformatted text in the webpage, and look up each of those observables to
retrieve the disposition, or reputation, of the item (Clean, Malicious, Suspicious, or Unknown).
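As an added illustration (not part of this guide and not Cisco's plugin code), the following Python re-creates the two steps just described, offline: it extracts observables from constructed blog-style text, including refanging the hxxp and [.] conventions that published IOC lists use so they are not clickable, and then applies a constructed verdict table to keep only the Malicious, Suspicious and Unknown items, the same selection Step 6 makes in the Find Observables window. SAMPLE_PAGE and SAMPLE_VERDICTS are made up for the example (only the drinkfoodapp.com URL, the two domains and 108.62.141.250 come from this guide), and the host and path in build_token_request are assumptions taken from the public Threat Response API documentation rather than something this guide states.

```python
"""Offline re-creation of what the browser plugin asks the API to do:
extract observables from raw page text, then attach a disposition to each.
Added example for this guide, not Cisco code."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of the IOC list at the end of a Talos post.
# Only drinkfoodapp.com, the settings.doc URL, internetbadguys.com and
# 108.62.141.250 appear in the demo guide; hashes and sender are made up.
SAMPLE_PAGE = """
Indicators of Compromise
Domains: drinkfoodapp[.]com, internetbadguys[.]com
URL: hxxp://drinkfoodapp[.]com/AdminDF/assets/img/app/settings.doc
C2 IP: 108.62.141[.]250 (a mangled value such as 999.62.141.250 must be rejected)
Sender: billing@internetbadguys[.]com
SHA256 (constructed): 4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f
MD5 (constructed): 0123456789abcdef0123456789abcdef
"""

# Constructed stand-in for the verdicts the deliberate call returns; the real
# response also carries a numeric disposition code next to the name.
SAMPLE_VERDICTS: Dict[str, str] = {
    "http://drinkfoodapp.com/AdminDF/assets/img/app/settings.doc": "Suspicious",
    "drinkfoodapp.com": "Suspicious",
    "internetbadguys.com": "Malicious",
    "108.62.141.250": "Malicious",
    "4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f4f": "Malicious",
    "0123456789abcdef0123456789abcdef": "Clean",
    # billing@internetbadguys.com is deliberately absent: no verdict -> Unknown
}

# Most specific first; each match is blanked before the next pattern runs so
# the domain inside a URL or e-mail address is not reported a second time.
_PATTERNS: List[Tuple[str, str]] = [
    ("url", r"https?://[^\s\"'<>]+"),
    ("email", r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    ("sha256", r"\b[0-9a-f]{64}\b"),
    ("sha1", r"\b[0-9a-f]{40}\b"),
    ("md5", r"\b[0-9a-f]{32}\b"),
    ("ip", r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    ("domain", r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
]


def refang(text: str) -> str:
    """Undo the defanging conventions used in threat-intel write-ups."""
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        text = text.replace(old, new)
    return text


def _valid(kind: str, value: str) -> bool:
    """Reject regex matches that are not real observables (octets above 255)."""
    if kind == "ip":
        return all(0 <= int(octet) <= 255 for octet in value.split("."))
    return True


def extract_observables(text: str) -> List[Dict[str, str]]:
    """Return unique {type, value} observables in the order they were matched."""
    text = refang(text)
    found: List[Dict[str, str]] = []
    seen: set = set()
    for kind, pattern in _PATTERNS:
        for match in re.finditer(pattern, text, re.IGNORECASE):
            value = match.group(0).rstrip(".,;:)")
            if kind != "url":
                value = value.lower()  # URL paths may be case-sensitive; keep them as-is
            if _valid(kind, value) and (kind, value) not in seen:
                seen.add((kind, value))
                found.append({"type": kind, "value": value})
        text = re.sub(pattern, lambda m: " " * len(m.group(0)), text, flags=re.IGNORECASE)
    return found


def select_for_investigation(observables, verdicts, wanted=("Malicious", "Suspicious", "Unknown")):
    """Mirror the Find Observables window: keep only dispositions worth investigating."""
    picked = []
    for obs in observables:
        disposition = verdicts.get(obs["value"], "Unknown")  # no verdict yet counts as Unknown
        if disposition in wanted:
            picked.append({**obs, "disposition": disposition})
    return picked


def build_token_request(client_id: str, client_password: str,
                        base_url: str = "https://visibility.amp.cisco.com") -> Dict[str, object]:
    """Shape of the OAuth2 client-credentials exchange done with the API client
    from Scenario 1. Host (NAM region) and path are assumptions taken from the
    public API docs; nothing is sent by this function."""
    basic = base64.b64encode(f"{client_id}:{client_password}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{base_url}/iroh/oauth2/token",
        "headers": {"Authorization": f"Basic {basic}",
                    "Content-Type": "application/x-www-form-urlencoded",
                    "Accept": "application/json"},
        "body": "grant_type=client_credentials",
    }


if __name__ == "__main__":
    observables = extract_observables(SAMPLE_PAGE)
    for obs in observables:
        print(f"{obs['type']:7} {obs['value']}")
    print("to investigate:")
    for obs in select_for_investigation(observables, SAMPLE_VERDICTS):
        print(f"  {obs['disposition']:10} {obs['type']:7} {obs['value']}")
```

The extension itself sends the page text to the API rather than matching locally, but the two failure modes shown here are the ones that matter either way: defanged indicators that never get refanged are silently missed, and anything that merely looks like an indicator (the 999.x address) must be rejected before it is enriched or, worse, blocked.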

Step 4 Notice the down-arrow to the right of each item listed on the Find Observables window.
Step 5 Click the arrow beside any domain, URL, or file hash observable, and then show some of the possibilities,
explaining that the Response API enables the SOC to respond right here and right now, without the need to go to
another interface. For example, some possibilities are:
• Domain Block – Click the pivot arrow next to any domain.
• File Block – Click the pivot arrow next to any file hash.

Note As this is a shared environment, another investigator may have issued block commands and left the system
in that state. If necessary, clarify this to your customers.

These drop-down arrow pivot menus effectively allow you to take immediate, direct action with regards to an observable.
For example, you could block a domain in Umbrella, or blacklist a SHA256 file hash in AMP, all directly from the
SecureX threat response plugin! The extension has also performed a third task already: it has queried the SecureX threat
response APIs to find out what actions are available for each of the observables, based on the observable type and the
configured modules.

Step 6 From the Find Observables window, select Malicious, Suspicious, and Unknown. This selects everything in
those categories.

Step 7 Click Investigate.


Step 8 Next to each domain, URL, and file hash observable, you will see a drop-down arrow. Click a few arrows to get
a feel for some of the possibilities, and explain that the Response API allows the SOC to respond right here without
having to change to another interface.
Step 9 Notice that a new tab opens, and SecureX Threat Response begins the investigation, using all the observables we have
selected.

During this operation, which will take a moment to complete, the screen will change several times, because all the
observables data is being processed.

Step 10 Notice that when the observables have been processed, we see in the Investigation section on the left that all enrichments
are complete. In this example, 19 of 19 enrichments are complete.

Step 11 In the middle of the screen, toward the bottom, click the plus sign (+) to zoom in to the Relations Graph.

Step 12 Experiment with the flexibility to move the items in the Relations Graph to make connections clearer, keeping in mind
we will be adding the observables we select into a new Casebook a little later in this demonstration.
a) Click the Suspicious URL (the “drink food app”), find the IP address 108.62.141.250, and then find the Target
Endpoint (192.168.249.115).
b) Drag these three items around until they make a tidy triangle.

Step 13 Continue to explain the Investigate UI to the audience, being sure to highlight:
• Observables Panel (verdicts, judgements, indicators, sightings)
• Sightings Timeline
• Relations Graph

Step 14 Focus on the section with IPs, URLs and domains being connected. You can move uncorrelated information to the side
on the graph if necessary. Explain that this is the cluster of observables that have been seen in the user’s environment,
via one or more of their configured Cisco security technologies.
Step 15 Hover your mouse over the various observables to reveal the nature of the relationships.

Explore Targets & Modules, Create a Casebook, and Start Isolation


Your investigation will likely yield targets. In the example screenshot that follows, we find two targets. These
targets are being reported by multiple Cisco technologies that we have deployed in our environment. This is
the power of seeing data from the integrated architecture in a single console.

Note A blue magnifying glass with a graph node indicates an investigated observable. A node on the graph without
a blue magnifying glass is a sighting that has been found by the configured modules as part of the enrichment
process.

Step 1 On the left of your screen, select Targets and then examine the target summary which shows a mix of network and
endpoint targets. Highlight the details of one or two example targets.
Step 2 Click the target to reveal more information, including the private IP address (192.168.249.111) and the external IP
address. Keep in mind that external IP addresses shown may differ from the screenshot shown below.

This target sighting was provided by the Umbrella module, specifically from the Umbrella Reporting Most Recent
Requests API.

This target sighting was provided by the Firepower module.


Explore Modules
Step 3 At the far right of the Summary toolbar, click the Modules (in this example, 5 Modules) to show the modules that
responded with additional details for this investigation. We can see there is a lot of integration power in SecureX threat
response which gets information from a variety of sources.

Note The number of sightings and judgements may not match the screenshot, because this is a dynamic environment.

Create a Casebook

Step 4 Now, we will create a new Casebook. First, let’s maximize the SecureX ribbon: Click the plus (+) sign in the bottom
of the screen to maximize the SecureX ribbon.
Note The blue Casebook element at the bottom of the screen is called the SecureX ribbon.

Step 5 In the Cases section on the left, click the plus (+) sign to add a case.
Step 6 Beside the name in the Title field, click the pencil icon, and then edit the case title to change the default title (which
is the date) to a new name. For our example, let’s name it My new casebook.

Step 7 Click the Collapse icon to minimize the SecureX ribbon.


Step 8 From the Relations Graph, let’s add two observables to our new casebook. Under the pivot menu (drop-down arrow)
for each observable, click Add to Active Case.
a) Suspicious URL: http://drinkfoodapp.com/AdminDF/assets/img/app/settings.doc
b) IP: 108.62.141.247

Step 9 We can see that there is no blue magnifying glass next to the 108 IP address, and remind the audience that this IP
address was returned as enrichment data. (It was not provided by the Talos blog.)

These observables correlate to the event on our timeline from Monday @07:48 UTC, when the attacker was able to
compromise an internal HVAC system. From the compromised system (192.168.249.115), we see the attacker has
attempted to communicate with a suspicious URL (the suspicious disposition was learned from Cisco Talos) and an
external IP address (learned from the Firepower module). Refer to the Observables panel to look up the sighting's
timestamps.

Step 10 Expand the SecureX ribbon, and make sure the case you created is selected. Notice the observables you added to the
case are listed. Then, click Investigate in Threat Response to launch a new investigation based on these additions we
have made.

Value Proposition: Upon the first pivot from the blog post to SecureX threat response, there is immediate value in seeing
data from both Umbrella and Firepower in a single console. Notice that the target network (192.168.249.111) identified
by Umbrella was an internal host beaconing out to a malicious domain. The target endpoint (192.168.249.115) comes
from a Firepower sighting, specifically a Security Intelligence event of an internal host connecting to a suspicious URL.
This event also provides the 108.62.141.250 IP address as enrichment data returned by the pivot from the blog to threat
response. The casebook allows analysts to take notes, add observables, and access their cases from any page in their
browser. It records the information gathered and can be linked to an incident.

Step 11 When the enrichments are completed for the new investigation, the target count will increase from three to four. Notice
the new investigation including the 108.62.141.250 IP has returned additional enrichments we did not know about
before, including a file hash connecting to the IP in question (provided by AMP4E) and another internal host
(192.168.249.166) connecting to the same IP (provided by Stealthwatch Enterprise). Also note that 6 modules have
returned data to the relations graph.
Note These observables correlate to the events on our timeline from Sunday @21:19, Monday @08:04, Monday
@08:37, and Monday @09:06 UTC. Sunday evening, the attacker emailed a malicious attachment to two of
our users. Monday morning, the users executed this malware, and the malware (SHA256 ending in 8067)
made outbound connections to 108.62.141.250.

Step 12 Review the relationships and notice that 192.168.249.166 has connected to the 108.62.141.250 IP.
Step 13 Open the Indicators drop-down menu and discuss the Data Exfiltration indicator. Then, Expand the SecureX ribbon
and select your case.

Step 14 Add a note to the casebook to be sure to review the host report for 192.168.249.166 in Stealthwatch Enterprise, and
then click Save to save the note for later.

Note At this point, you can return to Step 4 and create a new casebook or skip to the [Optional Steps] at the end
of this guide to dive into the Stealthwatch Enterprise portion of demo.

Step 15 Review the relationships and notice that AMP for Endpoints has reported on a file hash that has communicated to the
IP address being investigated.
Step 16 Find the SHA256 observable 0d5a1c01c2706….cb8067.

Step 17 Use the pivot menu to Add to active case.

Step 18 Click Add to Investigation. Adding the SHA256 to the investigation will help us start to see how the attack really
unfolded.

Step 19 We can observe that both the Email Security and Web Security modules are reporting on that specific file hash. This
correlates with our timeline from Monday morning, when users on Marble, Granite, and Slate downloaded and executed
the malware.
Step 20 Specifically, we can see that the file was emailed to marble@dcloud.local and flint@dcloud.local, and that a
user on Slate downloaded the same file from Google Drive. We can even see the details of the filename and the domain
that originated the email.
If the number of targets does not exactly match the screenshots, that's fine. This is a dynamic environment.

Value Proposition: Endpoint isolation is a powerful feature that allows SecOps teams to control threats. At this point,
we can be pretty sure Marble has been negatively impacted by this attack. Since Marble runs AMP for Endpoints, we
can start the mitigation process by isolating that host from the rest of the network using AMP's endpoint isolation
feature. The best part is that because AMP is integrated with SecureX threat response, we can do this right now,
immediately, directly through the SecureX threat response interface. SecureX threat response uses API calls to AMP
to isolate the endpoint.

Step 21 Select the Marble Target in the Target Summary Bar to highlight it in the Relations Graph, and then in the details
box click the downward arrow next to AMP GUID.

Step 22 Click Start Isolation. This will cause Cisco Threat Response to tell AMP to isolate that host on the network.

Note Given that this is a shared environment, another investigator may have issued isolate/de-isolate commands
and left the system in that state. Clarify for customers, as necessary.

Step 23 Zoom in to the Relations Graph and move the icons around to get a good view of the Cisco message ID, sender domain,
and sender email address. Add the sender domain internetbadguys.com to the casebook, and then click Add to
Investigation. At this point, the investigation is run again to see what else we can learn.

Step 24 Observe that adding the sender domain from the email to the investigation will yield an Umbrella sighting for an IoT
device (DemoCorp Thermostat) bringing the total target count to 10.

Step 25 In the Modules Summary Bar, point out that at least 8 modules have returned data to the relations graph now. Notice
that the Web Security Appliance has also returned a sighting.

To get a better view of the relationships, it might be necessary to clean up the relations graph.

Step 26 At the top of the Relations Graph, click the downward arrow next to Filters, and then select Types.
Step 27 Be sure the options highlighted in the screenshot are all un-checked (not selected).

We can see this yields a much cleaner Relations Graph.

Value Proposition: An alternative way of viewing the WSA sighting is by using the Observables pane to see the data
returned by the WSA web tracking API.

Step 28 Go to the Observables panel and select the SHA-256 observable. You should see all the sightings of that observable,
including one from the Web Security Appliance.

Value Proposition: WSA offers granular visibility into web traffic. Using WCCP redirection from the ASA,
even remote users' web traffic is decrypted and inspected. WSA offers complete visibility into the payloads of encrypted
file downloads and the full URLs of HTTP GET requests from the user's browser. Without WSA decrypting the session, a
firewall sees only an encrypted HTTPS connection and the file transfer inside it passes uninspected; we also would not
have seen the specific URLs users are using to share files.

Step 29 Using the pivot menu next to the 0d5a1c01c2706….cb8067 SHA256-Hash observable, select Add SHA256 to the
custom detections list. This will block the file on all AMP-protected endpoints, and through AMP Unity the file will
also be blocked on the Email and Web Security appliances.

Step 30 Explain the various response actions that can be taken from the pivot menus, such as blocking a domain on Umbrella
or blocking an IP address on Firepower.

What to do next
This ends the mandatory section of this demonstration. To explore further, continue with the optional steps
that follow.

[Optional Steps]

Step 1 Add googleusercontent.com to the investigation as an observable, and then click Investigate. This will yield additional
Web Security Appliance sightings of malicious file downloads from Google Drive.

The following steps demonstrate that Incident Manager is a central place from which you can view and respond to
incidents from various products. The steps below detail a tour of Incident Manager and a pivot to the Stealthwatch
Enterprise console. To skip directly to the Stealthwatch pivot, go to Step 5.
Note We will take two separate, practical approaches to pivoting from SecureX threat response to Stealthwatch.
First, we'll look at how to do this from Incident Manager. Second, we'll find an alternative way to pivot
to Stealthwatch directly from the Relations Graph.

Step 2 In SecureX Threat Response, click Incidents to display the Incident Manager.

Step 3 Find the event titled "Data_Exfiltration," and click this event to bring up the incident. Explain the Incident view,
including the various tabs of information (Summary, Targets, Observables, Timeline, Sightings, Indicators) and the
options available. Change the status of the incident to Open and assign it to yourself.

About Incident Manager


Incident Manager is a valuable tool that decreases triage time by funneling the highest-priority incidents into an easily
investigated queue.
Incidents in Incident Manager are events detected by the customer's on-premises devices and cloud services that Cisco and
the user have determined to be of highest importance. As of SecureX threat response release 1.39, notable events
from both Firepower and Stealthwatch Enterprise are published to Incident Manager. SWE alarms can be sent to
Incident Manager starting with version 7.12. Firepower software 6.5 and above can send malware, security intelligence,
and intrusion events to Incident Manager.

Step 4 In the Incident, select Link Case, and then Link your Casebook to the incident.

From the Stealthwatch pivot, you can launch the SMC interface directly from within SecureX threat response, provided
the on-prem SMC appliance is reachable from your location (for example, you are on-prem or connected via VPN).
This section will have the most value to SWE customers or potential customers. Due to the variable length of the demo,
your Stealthwatch session may have timed out.
Tip To guarantee an optimal demo flow and smooth pivot to Stealthwatch, you should re-authenticate. From your
demo session landing page, click the Cisco Stealthwatch tile. If you do not do this, Stealthwatch may prompt
you for user login credentials instead of taking you directly to the host report.

Step 5 Click Observables. Then, from the pivot menu on the 192.168.249.166 IP address, select Host Report under the
Stealthwatch Enterprise subheading.

Tip If Stealthwatch does not automatically load (that is, if you get a Stealthwatch login screen), go back to the
demo landing page, scroll to find Cisco Stealthwatch at the bottom of the screen, and click View. Then, wait
a few seconds to automatically log in. Then, close the tab and repeat Step 5 (above).

Step 6 We see that this opens a new tab that displays all information available in the SWE (Stealthwatch Enterprise) Interface.

Step 7 Focus on the Alarms by Type section and observe that this IP has generated multiple events including Data_Exfiltration
and Data_Hoarding.
Step 8 At the bottom of the chart, click the Data_Hoarding section.

Step 9 In the Data_Hoarding Alarm table that loads, notice the alarms are occurring on hosts 192.168.249.166 and
192.168.242.101, which is not an IP address we were previously investigating. Explain that 192.168.242.101 is a sensitive
server containing PII and that it has been communicating with a known bad actor on the network. Remind the audience that
192.168.249.166 was communicating with the .108 IP address we were previously investigating.

Step 10 Under Actions, click the three dots (…) for one of the alarms, and then choose View Flows to show the Flows table
which shows FTP being used between 192.168.249.166 and 192.168.242.101.

Step 11 Discuss some of the granular information, such as the number of bytes transferred, the length of the connection,
TCP port numbers, and more.

Step 12 Beside IP 192.168.249.166, click the 3 dots (…), and then load the SecureX Threat Response widget.
Step 13 Click Investigate this IP Address.

This will load an investigation focused on the .166 IP, where we can see that it has been busy with a lot of activity.
Click Indicators, either in the top metrics bar or in the Observables panel at the bottom.
Note the Data Hoarding indicator from Stealthwatch, as well as the LODA-RATT indicator from Firepower.
Value Proposition: The Stealthwatch Enterprise (SWE) pivot offers advanced network analytics and anomaly
detection based on applying machine learning models to observed NetFlow data. Pivoting into the on-prem interface
offers immediate deep-dive capabilities at the click of a button. The pivots in the SWE interface offer the SWE user
immediate enrichment via all the combined abilities of the SecureX threat response toolset.
Now that we've seen how to pivot to Stealthwatch by using Incident Manager, let's look at an alternative way we can
do this directly from the Relations Graph.

Step 14 Go back to the Investigate console in SecureX threat response, and then find the IP 192.168.249.166.
Step 15 Click the drop-down arrow next to 192.168.249.166 to get into the pivot menu.

Step 16 From the pivot menu, select Host Report under Stealthwatch Enterprise. From here, you could follow the same steps
as before from a Stealthwatch perspective (starting from Step 7 above).
Step 17 [Optional] Continue to explore the Graph: Highlight the additional details around the file name, notice additional
malicious IPs that the file connected to, explore the timeline, and answer any questions the audience may have.

Summary
Wrap up by sharing some key takeaways from the demo. With SecureX Threat Response and the integrated
Cisco Security portfolio, investigators can rapidly:
• Answer questions faster about observables.
• Block and unblock domains and file executions from Cisco SecureX threat response.
• Hunt for an observable associated with a known actor and immediately see organizational impact.
• Save a point in time snapshot of our investigations for further analysis.
• Document our analysis in a cloud casebook from all integrated or web-accessible tools, via an API.
• Integrate Cisco SecureX threat response easily into existing processes and custom tools.

Value Proposition: Make sure to remind the audience that while this exercise started in a Talos blog, the
browser contents could have been anything, including even the browser-accessible user interfaces of unintegrated
or competing SIEM, SOAR, or security products.

Tip Rehearse and tailor the demo to your style of presentation. For feedback or questions, reach out to our internal
mailer (for sales) threat-response-pm@cisco.com or external mailer (for partners)
threat-response-early@cisco.com.

CHAPTER 3
What's Next?
• Check out the Cisco SecureX Instant Demo on dCloud.
• Check out the related information on cisco.com.
• Talk about it on the dCloud Community.
