Threat Hunting Workshop Process Guide


Cisco Advanced Threat Solutions Team

Process Guide: Threat Hunting Workshop


Hands On with Cisco Security Products
Process Guide v. 1535542487 Cisco Advanced Threat Solutions Team

Table of Contents

Event Schedules ... 3
  Executive Briefing (1 hour) ... 3
  Threat Hunting Lab (2 hours) ... 3
  Threat Hunting Workshop (all day) ... 3
911 – Lab Help ... 4
Lab Setup ... 5
  Console URLs and Credentials ... 5
  2-Factor Authentication ... 5
  Kahoot Quizzes ... 8
Lab Walkthroughs ... 10
  Lab 1 – Olympic Destroyer ... 10
    Scenario ... 10
    Walkthrough ... 10
    Worksheet Solution Review ... 11
  Lab 2 – Bifrost ... 14
    Scenario ... 14
    Walkthrough ... 14
    Worksheet Solution Review ... 15
  Lab 3 – Poweliks ... 16
    Scenario ... 16
    Walkthrough ... 16
    Worksheet Solution Review ... 17
  Lab 4 – Threat Hunting ... 19
    Scenario ... 19
    Walkthrough ... 19
    Tips for Lab 4 ... 20
    Worksheet Solution Review ... 21
Appendix A: Frequently Asked Questions ... 22
Appendix B: Positioning and Ordering Cisco Security Products ... 23
  Example Bill of Materials ... 23
Appendix C: Registering a Workshop ... 24
  Requesting a Workshop ... 24
  Requesting a Room ... 24
Appendix D: Configuring the Lab Environment ... 25

Administrative Notes 2

Event Schedules

Executive Briefing (1 hour)

Introductions: 9:00 – 9:05 am
Account Setup: 9:05 – 9:10 am
Cisco Advanced Threat Security Product Overview: 9:10 – 9:30 am
Lab 1 (Olympic Destroyer): 9:30 – 9:50 am
Threat Hunting Workshop Review and Q&A: 9:50 – 10:00 am

Threat Hunting Lab (2 hours)

Introduction / Account Setup: 9:00 – 9:05 am
Guided Lab 1 (Olympic Destroyer): 9:05 – 9:15 am
  Lab 1 Competition: 9:15 – 9:20 am
Lab 2: 9:20 – 10:05 am
  Lab 2 Competition: 10:05 – 10:10 am
Lab 4: 10:10 – 10:50 am
  Lab 4 Review: 10:50 – 10:55 am
Threat Hunting Workshop Review and Q&A: 10:55 – 11:00 am

Threat Hunting Workshop (all day)

Introductions: 9:00 – 9:10 am
Account Setup: 9:10 – 9:15 am
Cisco Advanced Threat Security Product Overview: 9:15 – 9:45 am
Guided Lab 1: 9:45 – 10:45 am
  Lab 1 Review: 10:45 – 11:00 am
Guided Lab 2: 11:00 – 12:00 pm
Lunch: 12:00 – 1:00 pm
Guided Lab 2 (continued): 1:00 – 1:50 pm
  Lab 2 Review: 1:50 – 2:00 pm
Guided Lab 3: 2:00 – 2:30 pm
  Lab 3 Review: 2:30 – 2:45 pm
Guided Labs Competition: 2:45 – 3:00 pm
Self-Guided Lab 4: 3:00 – 3:30 pm
  Lab 4 Review and Competition: 3:30 – 3:45 pm
Self-Guided Lab Competition: 3:45 – 4:00 pm


911 – Lab Help

The Threat Hunting Workshop War Room in WebEx Teams is the primary support channel for
scheduling, setting up, and running the Workshops. If anything breaks in the Threat Lab, ping
an expert in the War Room:

Issue          Contact
Lab Support    Join the Threat Hunting Workshop War Room in WebEx Teams: https://eurl.io/#S1mQOXQCz

For specific requests, if you do not have access to the War Room, use the following contacts:

Issue                        Contact
AMP Lab Account              Email amp-tier3@cisco.com
Kahoot / Authy / lab setup   Email threatlab@cisco.com
Time Critical / Last Resort  Contact Brandon Newport via cell, Spark, or email


Lab Setup
This lab environment uses demo data running in one AMP for Endpoints account which is linked
to Cisco Threat Response and Threat Grid. Umbrella has a separate account with the same
username and password as the AMP for Endpoints account. The account credentials will be
provided to the lab proctor in a Quick Reference Guide.

Console URLs and Credentials

Console                 URL                                  Username and Password
Cisco AMP               https://console.amp.cisco.com/       Check Quick Reference Guide
Cisco Threat Response   https://visibility.amp.cisco.com/    Log in with AMP credentials
Threat Grid             https://panacea.threatgrid.com/      Log in with AMP credentials
Umbrella                https://investigate.umbrella.com/    Check Quick Reference Guide

2-Factor Authentication

The lab requires 2FA to be enabled on the AMP account, because the AMP console only shows
command line activity when 2FA is enabled. Lab proctors should add the Threat Lab 2FA account
to their Authy accounts using the QR code provided in the proctor’s Quick Reference Guide. This
QR code is specific to the lab pod assigned for the Workshop.

If technically feasible, the ideal lab setup includes a large-screen TV or projector showing a slide
show that includes a timeline and login information. This slide deck is available on Box at
https://cisco.box.com/v/threathuntingworkshopslides. The agenda slide has space available for
the Authy desktop app that can continually display the 2FA code during the lab. While most
users will check the 30-day option when logging in, some users may not, or may use a different
browser session, and will need to see the 2FA code.

To set up the desktop Authy app, you must first enable account sync within the Authy mobile
app. Go to Settings > Accounts and enable Authenticator Backups with a backups password of
your choice.

Next, set up the Authy desktop app. Go to https://authy.com/download/ and select Windows
64-bit from the Desktop Direct Download page:


Open the desktop app and enter your Backups Password to sync your accounts from your
mobile device to the desktop app:

This desktop app will now display your 2FA codes. Open the Threat Lab account and display it
on screen during the account setup process:


Kahoot Quizzes

You will need to plan on sharing your web browser on a screen that all participants can see, in
order to view the questions.

First, navigate to http://kahoot.com:

Click on Log in, found in top right corner, and use the following credentials:

Username: threatlab@cisco.com
Password: C1sco12345!

Once logged in, click on “Kahoots” in the top menu bar, and then click on “My Kahoots” on the
left. You will then be presented with a list of the available Kahoot quizzes.

There may be other quiz names in the list, however there is one quiz intended to be run after
each lab. Note the following quiz names:

• Threat Hunting Workshop – Lab 1
• Threat Hunting Workshop – Lab 2
• Threat Hunting Workshop – Lab 3
• Threat Hunting Workshop – Lab 4


Click on the Play button next to the quiz you want to run. Once the next screen loads with the
Quiz title, click under “Game Options” and ensure that “Randomize order of answers” is turned
on. Leave all other options at the defaults, and then click on the green “Classic” button.

Once the quiz loads, you will need to share your web browser on the screen so that the
participants can see the questions, as well as the PIN needed to join the game.

Participants can join by going to http://kahoot.it and using the game PIN. They can use their
web browser on their laptops, or on mobile, or use the mobile Kahoot app to play. Note that
the mobile app is not required, and having the participants use the web browser on their
laptops is recommended.

Click on “Start” once all participants have joined. Please note, you will need to click on “Next”
after each question, and after the scoreboard is displayed between questions. You can also
pause for dramatic effect, or for the participants to complain about the quality of the questions.

Once the quiz is complete, the podium will be displayed with the winners. The results will be
saved automatically in the Kahoot account, in the “My results” section.


Lab Walkthroughs
Lab 1 – Olympic Destroyer

Scenario: The CIO read a front-page news article on something called “Olympic Destroyer”,
which was recently used to disrupt the Winter Olympic Games in Pyeongchang. The news
article suggests that other threat actors may be able to reuse this malware in a commodity
attack against other targets. The CIO is asking if our security products are already blocking this
threat or if we need to update to be protected.

Walkthrough

1. Research “Olympic Destroyer” on Google.
2. Pull up the Cisco Talos blog (should be one of the top entries). Direct link:
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
3. Review the information in the Talos blog:
a. How the malware was identified
b. How it functions
i. Browser credential stealer
1. IE
2. Firefox
3. Chrome
ii. System credential stealer
iii. Data destroyer
1. vssadmin
2. wbadmin
3. bcdedit
4. wevtutil
c. IOCs for the threats
4. Copy IOCs from the final section and paste into a new Threat Response investigation.
5. Observe that of the ten SHA256s, one is a Clean file (Psexec), as expected.
6. Observe that one internal host has seen a SHA256 associated with Olympic Destroyer.
a. Computer name: Demo_AMP_Intel
b. Filename: OLD.exe
c. File path: C:\Users\johndoe\Desktop\
7. Pivot into AMP from the Sightings tab of the locally seen SHA256.
8. Observe that the malware binary was quarantined by AMP.


Worksheet Solution Review

Note – the events for the Demo_AMP_Intel host are injected with a different timestamp than
the other demo systems, typically 3-4 weeks prior to the date that demo data was enabled.
This means that any AMP Console reports or dashboards that are filtered to show the last 7
days or last 14 days of data will not include results for Demo_AMP_Intel. This primarily affects
the Vulnerable Applications section of the Worksheet. To easily find the Vulnerable
Applications listed for this host, you can go to the Events page filtered for this endpoint by
following these steps:

1. From Threat Response, pivot on the hostname and click “Search for this hostname”
from the AMP for Endpoints section:

2. Find and click on the computer name in the AMP Console’s Search Results page:

3. Expand the Computer Management card and click “Events” in the bottom left corner:

4. Ensure “Time Range” is set to “All”:


5. In the Event Type text box, start typing “vulnerable” to bring up the Vulnerable
Application Detected category:

6. Note the resulting vulnerabilities (Internet Explorer version 11 and Outlook 2016).


Lab 2 – Bifrost

Scenario: One of your users was phished. The attacker was very careful, using a legitimate
email account belonging to an employee of a catering company that you’ve done business with
in the past. The email didn’t contain any active code or malicious attachments – just a link to a
website that looked very similar to a portal that is sometimes used for invoicing, but in this
case, the “invoice” was actually a powerful piece of malware. We were able to trace the name
of the file that was downloaded by querying our firewall, which intercepted the file and sent it
to the cloud sandbox for analysis. Unfortunately, the file was already on its way to the victim’s
computer when the alert came back for a malware detection.

Walkthrough

1. Start in the Threat Grid portal.
2. Search for "invoice-1563.zip"
3. Observe TG report for Bifrost sample
4. Review BIs
a. "Bifrost Default Mutex Detected" - this is a backdoor (Remote Access Trojan)
with the filename "SqGGuYXyy.exe"
i. Expand the BI
ii. Pivot to the listed process and expand
iii. Pivot to the listed artifact and expand
iv. Add hash to new casebook
b. "BITSAdmin Execution Detected" - BITS was used to download the malware
binary from a remote network
i. Pivot to the listed process
ii. Pivot to parent (usually Process 3: WScript.exe)
c. "Downloaded Packed, Encrypted, or Encoded PE" - this is the binary that was
downloaded from the malicious domain
i. Add domain "getmalware.com" to casebook
ii. Pivot to Artifact 13, observe that the source is "network" vs "disk" for
artifact 5
iii. Observe Related to: Stream 8 and pivot to Stream 8
iv. Observe HTTP traffic: HEAD (response x-empty), GET (response x-dosexec)
v. Add URL to casebook
5. Investigate casebook in Threat Response
6. Two local sightings: Demo_AMP_Threat_Quarantined and Demo_Zbot both connected
to URL and domain
7. Pivot into AMP on malicious SHA256
8. Observe that the downloaded binary (created, renamed) was quarantined
9. Look for evidence of wscript and bitsadmin activity: clear search criteria and enter
"wscript"
10. Review three IOCs and explorer, wscript, bitsadmin events


11. Look for the source: filter DT for "invoice-1563" and observe the zip was downloaded
from iexplore.exe
12. Investigate other PC - Demo_Zbot - and observe that it's in audit only mode

Worksheet Solution Review


Lab 3 – Poweliks

Scenario: It’s early in the workday and you log in to AMP and see a lot of activity in the
dashboard. In fact, if you look at your Inbox tab, you might see several systems with dozens or
even hundreds of individual malware detection events. Which system should we start with?
How do we find out what happened and protect our endpoints so that the intrusion does not
happen again?

Walkthrough

1. Start in AMP for Endpoints (Dashboard: Inbox)
2. Observe a large number of security incidents reported on Demo_AMP_Threat_Audit
3. Pivot into Device Trajectory and verify that the system is in Audit mode, not Protect
4. Filter Device Trajectory to show the malware (ekjrngjker.exe) and then its parent
process (rundll32.exe)
5. Observe IOCs that triggered on behavior detected from rundll32.exe
6. Filter Device Trajectory to show all six CMD processes and their arguments launched by
the malware binary
7. Pivot into Threat Response on the malware SHA256
8. Observe enriched information about this hash:
a. File name: ekjrngjker.exe
b. File path: C:\
9. Pivot into Threat Grid with the “Browse” option from the context menu
10. Click on a related sample to view the report
a. Observe that the first BI shows Poweliks identified
b. Observe JavaScript commands from rundll32
11. Back to Threat Response: Investigate the two URLs (retdemos.com)
a. Both URLs turn orange
b. View URLs in the Observables pane
c. Pivot into Talos Intelligence to learn more
12. Back to Threat Response: observe that the URLs are hosted on an IP address,
52.148.86.91
a. Look up the IP in Umbrella IP View
b. Observe that this IP hosts two malicious domains: retdemos and legitmalware
13. Back to Threat Response: add the domains and the IP to the active investigation
14. Observe two additional internal targets (Exploit Prevention and Exploit Prevention
Audit)
15. Observe two additional clean SHA256s
a. Pivot to AMP File Trajectory to learn the filenames
b. Observe PowerShell and Firefox
16. Observe one new malicious SHA256 (beginning with fce5b678)
a. Look at the Indicators in the Observables pane (Dorkbot)
b. Pivot into Threat Grid Search to read the full report


17. Research the two new targets (Exploit Prevention and Exploit Prevention Audit) in
AMP’s Device Trajectory
a. Pivot into Device Trajectory from NFM / AMP Event in the Sightings for the
Dorkbot malware hash
i. Observe that the malware was dropped by PowerShell
ii. Observe that the malware was quarantined by Cloud Recall
iii. Observe outbound connection to “legitmalware.xyz” URL
iv. Re-filter Device Trajectory on legitmalware.exe
v. Observe Firefox DFC event reaching out to legitmalware.exe
b. Pivot into Device Trajectory for Demo_AMP_Exploit_Prevention (the other
target) using the Connector GUID pivot menu
i. Observe vulnerable app detected (Firefox)
ii. Observe “Exploit Prevented” event for Firefox
iii. Observe the same Firefox DFC event from the other Exploit Prevention
demo system, indicating that Exploit Prevention blocked the attack
before it could drop Dorkbot on this machine.

Worksheet Solution Review


Lab 4 – Threat Hunting

Scenario: John Doe from Human Resources is working on hiring additional security engineers for
your department. Unfortunately, this morning John let you know that he tried to open a
resume from an email attachment, but it did not open correctly - instead of a document, he saw
a command prompt window pop up on his desktop. John doesn't remember anything about
the email message subject, sender, or file attachment name, but he did take a screen capture of
his desktop.

Walkthrough

1. The command prompt window shows the filename and file path:
"C:\Users\johndoe\Desktop\resume.exe".
2. Search for the filename in Threat Response. Type file_name:"resume.exe"
3. Observe: malicious SHA256, file path matches from screenshot
4. Pivot into TG to discover what the malware is
a. Poison Ivy (remote command shell, keylogging, screenshot, etc)
b. Outbound HTTP GET to ret.space:80/checkin and /command URLs
c. Files uploaded to remote IP/domain ret.space
d. Cmd.exe process executed (net use, net user)
e. New user account created
5. Add ret.space to Threat Response investigation
6. Pivot to AMP for Endpoints to find out how the malware got in
a. Created by powershell
b. Quarantined by Cloud Recall
7. Refocus on powershell
a. IOCs
b. Domain connection from Powershell
c. Executed by winword
8. Refocus on winword
a. Executed by explorer
b. Command line: C:\Users\johndoe\Desktop\resume.docm
9. Refocus on resume.docm
a. Created by outlook.exe (confirmed source: email)
b. Note hash and provide to email administrator to track the message
10. Recommendation: enable dynamic file analysis with quarantine on .docm filetypes in
email security solution


Tips for Lab 4

1. What information can we get from the screenshot? Are there any file names or file
paths we could look up in one of our tools?

2. Threat Response will automatically parse out any IP addresses, domains, file hashes
(SHA256, SHA1, or MD5), MAC addresses, and URLs. Other observables need to be
referenced using the format <type>:"<value>" where “type” could be one of the
following:
• file_path
• file_name
• mac_address
• device
• hostname
• domain
• url
• pki-serial
• user
• email
• ip
• ipv6
• sha256
• sha1
• md5
• imei
• imsi
• amp_computer_guid
• amp-device

As an example, to look up a file named test.pdf, type the following into the New
Investigation search box:

file_name:"test.pdf"

3. When you pivot into an AMP event from a sighting in Threat Response, your Device
Trajectory view will be filtered to only show events directly related to the observable
(typically a hash, IP address, or URL). You can clear the filter criteria to see all events, or
type something else into the filter bar to focus Device Trajectory on events related to a
different SHA256 hash, file or process name, IP, or domain.

4. Command line capture data in AMP Device Trajectory can be an invaluable resource when you
are looking for the reason why a file or process was launched. If you see an icon that looks like
the picture on the left, this tells you that a benign (green) process was executed with some
command line arguments. You may need to scroll down to see the command line section of the
event within Device Trajectory depending on your screen resolution; it will appear at the
bottom of the event, below the parent file certificate information.
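Added example, not from the original guide: a small Python approximation of the parsing rule in Tip 2, showing which observables get picked out of free text automatically (IPs, domains, hashes told apart by length, MAC addresses, URLs) and which must be given in the explicit <type>:"<value>" form. The regular expressions, the type check and the sample query are assumptions of this illustration, not Threat Response's own implementation.

```python
"""Constructed illustration of the observable-parsing rule in Tip 2.

This is NOT Threat Response's own parser. It models the behaviour the tip
describes: IPs, domains, hashes (SHA256/SHA1/MD5 told apart by length),
MAC addresses and URLs are picked out of free text automatically, while
anything else must be given explicitly as <type>:"<value>".
"""
import re
from typing import Dict, List, Tuple

# Observable types the tip lists for the explicit <type>:"<value>" form.
EXPLICIT_TYPES = {
    "file_path", "file_name", "mac_address", "device", "hostname", "domain",
    "url", "pki-serial", "user", "email", "ip", "ipv6", "sha256", "sha1",
    "md5", "imei", "imsi", "amp_computer_guid", "amp-device",
}

TYPED_TOKEN = re.compile(r'([A-Za-z_\-]+):"([^"]*)"')

# Auto-detected kinds, tried in this order; each match is blanked out so a
# later, looser pattern (e.g. domain) cannot re-match inside a URL or hash.
AUTO_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("url", re.compile(r'https?://[^\s"<>]+', re.I)),
    ("sha256", re.compile(r'\b[0-9a-f]{64}\b', re.I)),
    ("sha1", re.compile(r'\b[0-9a-f]{40}\b', re.I)),
    ("md5", re.compile(r'\b[0-9a-f]{32}\b', re.I)),
    ("mac_address", re.compile(r'\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b', re.I)),
    ("ip", re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')),
    ("domain", re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)),
]


def _valid_ipv4(text: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 999.1.1.1)."""
    return all(0 <= int(part) <= 255 for part in text.split("."))


def parse_search(text: str) -> Dict[str, List[str]]:
    """Return {observable_type: [values]} for an investigation search string.

    Explicit tokens are consumed first and their type is checked against the
    list in Tip 2, so a typo such as filename:"x" is an error rather than a
    silently ignored observable. The remaining free text is then scanned.
    """
    found: Dict[str, List[str]] = {}

    def add(kind: str, value: str) -> None:
        values = found.setdefault(kind, [])
        if value not in values:
            values.append(value)

    def take_typed(match: re.Match) -> str:
        kind, value = match.group(1).lower(), match.group(2)
        if kind not in EXPLICIT_TYPES:
            raise ValueError(f"unknown observable type: {kind}")
        add(kind, value)
        return " " * len(match.group(0))  # blank the consumed token

    rest = TYPED_TOKEN.sub(take_typed, text)

    for kind, pattern in AUTO_PATTERNS:
        def take_auto(match: re.Match, kind: str = kind) -> str:
            value = match.group(0)
            if kind == "ip" and not _valid_ipv4(value):
                return value  # not an IP after all; leave it in place
            add(kind, value)
            return " " * len(value)
        rest = pattern.sub(take_auto, rest)
    return found


def is_valid_query(text: str) -> bool:
    """True if every explicit <type>:"<value>" token uses a known type."""
    try:
        parse_search(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Values taken from the lab walkthroughs plus a constructed SHA256.
    query = ('file_name:"resume.exe" hostname:"Demo_AMP_Intel" ret.space '
             '52.148.86.91 http://retdemos.com/ ' + "ab" * 32)
    for kind, values in parse_search(query).items():
        print(f"{kind}: {values}")
```

Note that a hostname such as Demo_AMP_Intel is only found when typed explicitly, which is exactly the situation Tip 2 is warning about.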


Worksheet Solution Review


Appendix A: Frequently Asked Questions


Q: What is the difference between a Judgment and a Verdict?
A: A judgment is a single ruling on an observable from one threat intelligence source. A
verdict is the highest-priority judgment on that observable from that source.
Some observables such as IP addresses may have many judgments over time, even from the
same threat intel source, but only one of these several judgments will be current. Similarly,
an aggregator such as Virus Total may report dozens of judgments for an observable but
there will only be one overall verdict reported within Threat Response.
In this example, we have 40 Judgments on a SHA256, mostly from Virus Total engines:

However, we will only see two Verdicts – one from each queried module:
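Added example, not from the original guide: Python that models the two rules stated in this answer (only one judgment per source on an observable is current at a time; a module reports a single verdict, its highest-priority current judgment) on constructed data shaped like the example above, 40 VirusTotal engine judgments and one AMP Global Intel judgment on a placeholder SHA256. The disposition ranking, priorities, dates and sample data are assumptions of this illustration, not Threat Response's own logic.

```python
"""Constructed model of Judgments vs Verdicts, as described in Appendix A.

Assumption-laden illustration, not Threat Response's own logic. It encodes
two rules from the FAQ: (1) an observable may have many judgments from one
source over time but only one of them is current, and (2) a module reports
a single verdict, the highest-priority current judgment it holds, however
many engine-level judgments (e.g. VirusTotal engines) it aggregates.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed: at equal priority a worse disposition wins the tie.
DISPOSITION_RANK = {"Malicious": 3, "Suspicious": 2, "Unknown": 1, "Clean": 0}

# Constructed reference times used by the sample data and the demo below.
REFERENCE_NOW = datetime(2018, 8, 29)
THIRTY_DAYS_EARLIER = REFERENCE_NOW - timedelta(days=30)


@dataclass(frozen=True)
class Judgment:
    observable: str                  # e.g. a SHA256 or an IP address
    module: str                      # Threat Response module that supplied it
    engine: str                      # sub-source inside the module
    disposition: str
    priority: int                    # higher wins within a module
    valid_from: datetime
    valid_until: Optional[datetime]  # None means open-ended

    def is_current(self, now: datetime) -> bool:
        """A judgment counts only inside its validity window."""
        ended = self.valid_until is not None and now >= self.valid_until
        return self.valid_from <= now and not ended


def current_judgments(judgments: Iterable[Judgment], now: datetime) -> List[Judgment]:
    return [j for j in judgments if j.is_current(now)]


def verdicts(judgments: Iterable[Judgment], now: datetime) -> Dict[Tuple[str, str], Judgment]:
    """One verdict per (observable, module): the top-ranked current judgment."""
    best: Dict[Tuple[str, str], Judgment] = {}
    for j in current_judgments(judgments, now):
        key = (j.observable, j.module)
        rank = (j.priority, DISPOSITION_RANK[j.disposition], j.valid_from)
        incumbent = best.get(key)
        if incumbent is None or rank > (
            incumbent.priority, DISPOSITION_RANK[incumbent.disposition], incumbent.valid_from
        ):
            best[key] = j
    return best


def sample_judgments(now: datetime) -> List[Judgment]:
    """Constructed data mirroring the FAQ's 40-judgment example."""
    sha = "c0ffee" * 10 + "abcd"   # placeholder 64-hex value, not a real hash
    day = timedelta(days=1)
    vt = [Judgment(sha, "VirusTotal", f"engine-{i}", "Malicious", 50, now - 10 * day, None)
          for i in range(38)]
    vt.append(Judgment(sha, "VirusTotal", "engine-38", "Clean", 50, now - 10 * day, None))
    # An older, higher-priority VT judgment whose validity window has closed:
    # it is part of the history but must not become the verdict today.
    vt.append(Judgment(sha, "VirusTotal", "engine-0", "Suspicious", 90,
                       now - 40 * day, now - 20 * day))
    amp = [Judgment(sha, "AMP Global Intel", "amp", "Malicious", 95, now - 5 * day, None)]
    return vt + amp


def summarize(now: datetime) -> dict:
    """Counts and per-module verdict dispositions for the sample data, evaluated at `now`."""
    js = sample_judgments(REFERENCE_NOW)
    return {
        "judgments": len(js),
        "current": len(current_judgments(js, now)),
        "verdicts": {module: j.disposition for (_, module), j in verdicts(js, now).items()},
    }


if __name__ == "__main__":
    print(summarize(REFERENCE_NOW))          # 41 judgments, 40 current, 2 verdicts
    print(summarize(THIRTY_DAYS_EARLIER))    # only the old Suspicious VT judgment is current
```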

Q: What is the AMP Global Intel module in Threat Response?


A: AMP Global Intel is a threat intelligence collection maintained by Cisco that includes
various internal and Open Source Intelligence (OSInt) sources.


Appendix B: Positioning and Ordering Cisco Security Products


The Threat Hunting Workshop uses four orderable Cisco Security products:
• Cisco Advanced Malware Protection (AMP) for Endpoints
• Cisco Threat Grid
• Cisco Umbrella Investigate API
• Cisco Umbrella Enforcement API

Cisco Threat Response, which is the core interface used to display information and pivot
between research products, is not a separate product and is available at no extra charge to any
licensed user of AMP for Endpoints or Threat Grid.

The Umbrella module within Cisco Threat Response uses two APIs: the first is the Investigate
API, which enables Threat Response to query Umbrella’s database for judgments and verdicts
on URLs, IPs, and domains. This API is sold separately from all Umbrella packages. The second
API used in Threat Response’s Umbrella module is the Umbrella Enforcement API, which allows
security administrators to blacklist domains within the Threat Response UI using the context
menu. This Enforcement API is available with the Platform bundle of Cisco Umbrella.

Example Bill of Materials

Line    Part Number       Description                                                    Service Duration (Months)   Qty
1.0     FP-AMP-LIC=       Cisco Advanced Malware Protection Service License              ---                         1000
1.0.1   FP-AMP-1Y-S4      Cisco Advanced Malware Protection 1YR, 1K-4999 Nodes           12                          1000
2.0     L-TG-CL-K9=       Cisco TG Cloud Subscription - 3 Users, Manual Submission       ---                         1
2.0.1   L-TG-CL-1Y-K9     Cisco TG Cloud Subscription - 3 Users, Manual Submission, 1Y   12                          1
3.0     UMBRELLA-SUB      Umbrella Cloud Security Subscription                           ---                         1
3.1     UMB-PLATFORM-K9   Umbrella Platform                                              ---                         1000
3.2     UMB-INV-API-T2    Umbrella Investigate Console and API - Tier 2                  ---                         1
3.3     UMB-SUPT-G        Umbrella Support - Gold                                        ---                         1

NOTE: This example Bill of Materials uses default values of 1000 endpoints
and a 12-month subscription length. SKUs are subject to change; consult your
local Advanced Threat Security team for a detailed price estimation.


Appendix C: Registering a Workshop


• SmartSheet registration
• Eventbrite setup
• SurveyMonkey?
• Invites
• Requesting a Room
• Requesting Catering
• Printing lab guides

Requesting a Workshop

To request a Workshop event, use the form located at
https://app.smartsheet.com/b/form/b1ca6054d01e40b68d22a323947cb8dd. The request will
be reviewed by the Advanced Threat Solutions Team. If approved, you will be assigned a lab
pod with credentials that will be supplied in a Quick Reference Guide that will be emailed to the
Workshop Sponsor and Presenter (SE).

Requesting a Room

Buildings, Conference rooms and Floorplans:


http://wwwin.cisco.com/c/cec/employee/buildings.html


Appendix D: Configuring the Lab Environment

Note: The lab pods assigned during the Workshop Registration phase will be
fully configured. Use the instructions in this section to configure your own
internal AMP, Threat Grid, and Umbrella Investigate accounts.

This workshop relies only on Demo Data within the AMP for Endpoints console. To recreate the
lab environment on your own, you will need access to the following Cisco Security products:

• AMP for Endpoints console with 2-factor authentication enabled
• Threat Grid Cloud
• Umbrella Investigate with API

To configure the lab environment, start by linking Threat Grid with AMP for Endpoints. Take
the API key from the Threat Grid user account details page (obfuscated in this example):

Paste the API key into the Threat Grid API key field within the Edit Business page in the AMP for
Endpoints console (https://console.amp.cisco.com/business/edit):

Next, generate an API key for Threat Response within the AMP for Endpoints console by going
to Accounts > API Credentials:


Click the button to add a new API credential and name it Threat Response. Select the Read &
Write scope and enable Command Line access, then click Create:

Take note of the API Client ID and API Key, as they will not be displayed again, and add them to
the AMP for Endpoints module in Threat Response by going to
https://visibility.amp.cisco.com/#/modules and clicking the “Add New Module” button:


Note: Be sure to select the appropriate URL from the dropdown based on your
AMP cloud location. The default URL points to the North American cloud, but
there are options to select the APJC or EU clouds instead.

Next, add the Threat Grid module:

Finally, add the Umbrella Investigate module. You will need to generate a new API access token
from https://investigate.umbrella.com/tokens-view:

Copy the access token, return to the Threat Response modules page, and enter it into the API
Key field in the Umbrella module type:


Return to Umbrella and navigate to Policies > Policy Components > Integrations using the
navigation bar on the left side of the screen:


Create a new custom integration named “Cisco Threat Response”:

Once you click the blue “Create” button, the integration will be created in a disabled state.
Click on the integration name from the list of integrations to expand its settings and click the
checkbox for “Enable” to turn it on:

Copy the custom threat intelligence feed URL that begins with
“https://s-platform.api.opendns.com/1.0/events?customerKey=” and paste it into the “Custom
Umbrella Integration URL” field in the Threat Response Umbrella module:

Optionally, you can also add a VirusTotal module if you have a subscription to their Public or
Private API by following the same steps. This is not required, as we do not use VirusTotal during
this lab, but it can be useful to see the differences between judgments from various sources.
