“Are we affected?” – A simple question, but quite hard to answer

Who doesn’t remember the simple questions you had as a kid, or you now get as an adult from your children:

“Why is the banana crooked?”
“Why is the sky blue”
“Why do people get sick?”

That last question is especially relevant today with the current situation – we deal daily with the question “Am I affected?”

I won’t give any answers to these questions in this article, but as a Cybersecurity Consultant, I regularly hear many versions of this simple question in my daily conversations with customers:

“Are we affected?”
….by this Vulnerability / Threat / Malware / …

Problem statement

Why it’s so difficult in the year 2020 (only a couple of days to go until 2021), with 30+ security tools in place, to answer that question? Due to the volume of threats that are out there, it’s not possible to find an easy answer. You have to check vulnerability databases (which only cover the publicly available vulnerabilities out there, not the unpublished ones), keep the systems patched, finetune the IPS ruleset, keep endpoint agent up-to-date to ensure the latest and greatest, enable all available engines, and many, many more. The security stack gets bigger and bigger, whether it is on premise or shifted to the cloud as a service. When things don’t work together, skilled people and solid processes must make up the gap. This has been the situation in cybersecurity for far too long.Even today, Security Operations teams have many questions every day, but those answers are locked up in various threat intelligence sources and technologies. If answers are available, they almost always take too long to answer and require highly skilled people to find them. Time is more critical than ever. That’s why security must work together, but too often it doesn’t. This lack of integration poses a massive security risk to any organization. And juggling multiple consoles just makes the already-complex security challenges even harder. At Cisco, we’re changing all of that – so you can maximize your protection with an integrated platform approach.

Let’s walk through an example of a security vulnerability that the On the 17th of September they issued a press release to inform the managing directors of German companies that still operated an affected VPN gateway. After the letter was sent, half of the companies took action and patched their systems. However, more than 80 companies remained vulnerable including many large IT service providers.

Just compare this with traffic regulations in Germany­ that mandate a recurring technical inspection of the vehicle every 2 years. If you do not comply with this safety standard, the license to drive this vehicle expires – just think how many partly ancient systems participate in the world largest traffic network (the Internet).

How are we trying to solve our challenge?

Let’s get back to the main question: “Are we affected?” As we see there are a couple of challenges with where to start, what to combine/correlate, where to focus and dig deeper, how to “glue” events together to create a causality chain, how and where to escalate to an IR Team, etc. We quickly dig into frameworks like MITREATT&CK, NIST, or tools like SIEM / SIRP / SOAR and this would be absolute fine, but we run the risk of ending up like this:

Please let me explain how we can proceed with a straightforward conversation about how you can start easily and expand into enterprise solutions which you may already have in place. The Cisco Secure journey began a decade ago , when we started to build a security portfolio built around three foundational capabilities:

The result was SecureX-SecureX is a cloud-native, built-in platform experience within our portfolio that is integrated and open for simplicity, unified in one location for visibility, and maximizes operational efficiency.

If you want more information about the architecture and what’s under the hood, I highly recommend attending the upcoming Cisco Live! EMEAR (there is a dedicated SecureX track!) or check out the OnDemand sessions.

How we should solve our challenge!

So how does this help to answer, “Are we affected?”.

Wouldn’t it be great to be able to execute a simple search query across your Cisco Secure and integrated 3rd party products simultaneously? The good news is that it is possible, and not only that, you can even take immediate action with this truly integrated platform.

Here’s a very short manually executed search query:

20 Second Threat Hunting of a malicious Domain

In 20 seconds, we learned that we are affected by a malicious domain on an endpoint (contacting that domain), in an email (containing links to that domain), and in the network (probably the actual traffic destined to that domain’s host). We are empowered to take immediate action on the endpoint by creating a forensic snapshot and isolating the host from the network.

Time is one of the scarcest resources for most organizations. You don’t want to spend more time and talent integrating your investments. You want an integrated and open platform that simplifies your existing ecosystem and is interoperable with thirdparty solutions. To counter attacks and stay compliant, you need answers in one unified view, not isolated alerts. Gaining contextual awareness across your security ecosystem helps your teams share and coordinate response faster. Evolving from manual to automated workflows with a few clicks results in faster remediation with better precision. And by eliminating the friction and repetition in your processes, you can save time and lower your ongoing costs.

Another time-consuming and often error-prone activity is the recording and tracking of indicators. In nearly every customer conversation, I hear something like, “We use a text editor to copy/paste all the indicators we find on different sources for a specific threat into a file, or even type it manually.” With SecureX casebooks you have the capability to collect and store key information related to the investigation and also manage and document your progress and findings. We’ve even created a browser plugin for Chrome and Firefox to extract observables from any webpage! By using this plugin, security professionals are able to organize and track the observables in cases and get instant access to threat intelligence and response capabilities

Use Casebook Browser PlugIn to search for observables and sync them with Casebook and TheHive

Another key objective of SecureX is to offer turnkey interoperability into 3rd party solutions. And it’s really turnkey, for example it took me just a few hours to create an integration into the leading open source security incident response platform ‑TheHive. This scalable and free SIRP is designed to make life easier for SOCs, CSIRTSs, CERTs and any information security practitioner dealing with security incidents. Especially distinctive for this platform is a tight integration into MISP (Malware Information Sharing Platform) and the flexibility to add powerful observable analysis as well as active response.

With the combination of Cisco SecureX and TheHive we can

  • easily speed up the collection of observables and information in cases
  • guarantee an error-free handover of observables and cases beyond product borders
  • automate the analysis of observable and many, many more…

In other words, to rapidly drive down The Time to React!

SecureX orchestration

Workflow Action Example to create Task and ConditionHow did I create this integration in a couple of hours, without studying each and every API endpoint, and without advanced programming skills?

The secret sauce is in the workflow-based SecureX orchestration canvas that enables your to build efficient workflows across teams and technologies requiring almost low/no code . With predefined atomic actions you simply drag and drop the tasks/conditions into a flow. We have already seen this in action during the 20sec investigation to take the forensic snapshot and isolate the host. We continuously develop new workflows and integrate them into the cloud platform, but you can also easily create them on your own.

The idea behind this particular integration was to handover observables from SecureX to TheHive via the SecureX orchestration workflows in order to speed up your incident response. The process starts in SecureX as a response action. Next we are creating a case in  casebook via your Private Intel Store (CTIA). For each response action you get the observable type (IP, SHA256, URL, domain,) and observable value (i.e. internetbadguys.com) as input variable. After we added this observables to the case we start to create TheHive case with the same content and attributes. As the last task we add both Case ID’s to a “Global variable”, as result we get a 1:1 reference. With this assignment, we can now compare further added observables.

Process Documentation to synchronize the Case and Observables

Here is a short example, how you can take action and start the workflow:

start the Threat Hunting process with SecureX and TheHive with observables and automation

By using the Browser plugin, it is now also possible to add observables quickly and easily into TheHive.

Please feel free to check out the workflows in detail and find the installation manual in my

GitHub Repo:

https://github.com/P0nt05/dragonfly

and on Cisco DevNet CodeExchange:

https://developer.cisco.com/codeexchange/explore/#search=securex

Conclusion

To conclude, sometimes, there is no simple answer, but we should never stop asking. With the right tools, we can start to ask better questions and as a result we will get better answers. Where possible, burdensome manual activities should be automated, fragmented solutions should be integrated, complexity should be erradicated. Open source solutions offer a flexible and extensible way to make our job as security professionals more efficient and effective, especially when used alongside commercial tools. The integration I created is just one example of the work we do to collaborate and make life easier. Of course, there are many of other colleagues here at Cisco, Partners and Customers participating in the DevNet community and releasing daily new content! My special thanks goes out to Christopher Van Der Made, who supported me in building this integration – Thanks Chris

To confidently tackle your challenges, you need a platform approach to security. And that’s why every Cisco Secure customer is entitled to a simpler experience with SecureX.Cisco SecureX is built-in with most Cisco security products such as Umbrella , AMP for Endpoints, Firepower devices, next-generation intrusion prevention system (NGIPS), Email Security, and Stealthwatch.

Learn more about SecureX at cisco.com/go/securex, watch the demo video, or get started at security.cisco.com.