Cisco Threat Awareness Service - Quick Start Guide. Last Updated: 16/06/16

Size: px

Start display at page:

Download "Cisco Threat Awareness Service - Quick Start Guide. Last Updated: 16/06/16"

Katherine Park
6 years ago
Views:

1 Cisco Threat Awareness Service - Quick Start Guide. Last Updated: 16/06/16 Contents Introduction... 1 Intended Use... 1 Portal Navigation... 2 Registering a Network Resource... 2 Adding the Network Resource using Adding the Network Resource using DNS Cookie... 5 Threats Feeds... 6 Exposed Services... 7 Malicious Activity... 7 DNS Observations... 7 Suspicious DNS Requests... 7 For More Information... 8 Introduction The Cisco Threat Awareness Service (CTAS) is an easy-to-use, portal-based threat intelligence service. It enhances threat visibility for Smart Net Total Care (SNTC) customers, by making broad, foundation based security information accessible 24 hours a day. Timely detection of malicious activities based on Cisco s extensive network visibility and threat intelligence experience. Helps companies quickly identify compromised systems by flagging compromised networks and suspicious behaviour. Helps IT and security teams recognize threats and delivers actionable intelligence. Continuous improvement of overall security posture through analysis of network traffic as seen from outside the network. Intended Use This document is intended for users of the Smart Net Total Care (SNTC) portal, an online system provided as part of Cisco Smart Net Total Care. The instructions in this Guide assume that the user already has access to the Cisco Threat Awareness Service in the SNTC portal.

2 Portal Navigation After logging into the Smart Net Total Care portal, the left side navigation pane provides a means for accessing the different features offered via the portal. For the Cisco Threat Awareness Service, there is a new option called Security. Expanding this menu will reveal the Threat Awareness Service. The screenshot depicts the landing page for the Cisco Threat Awareness Service, as it will typically appear when it is first accessed (assuming one or more network resources are already authorized). In the right-hand pane is the Threat Awareness Service dashboard, comprised of four tabs, each displaying information on a different type of threat feed; Exposed Services, Malicious Activity, DNS Observations, and Suspicious DNS Requests. A description of each is found in the Threat Feeds section of this document. Navigating to a Threat Feed tab will cause the service to load the data for any network resources already registered with the Cisco Threat Awareness Service. NOTE: Threat information is available for authorized network resources only. Registering a Network Resource From the Threat Awareness Service dashboard, click on Settings already registered, with the corresponding status. to see a list of network resources that are Pending: A network resource with this status will not be included in the processing of the Threat Feeds. This status indicates the network resource is registered, but not yet authorized. Confirmed: A network resource with this status will it be included in the processing of Threat Feeds. This status indicates the network resource is authorized. The system requires authorization before a user can view the threat data. Information about the network resource is already available in Cisco s threat databases; this authorization is to confirm that the user has permission to view the data.

3 To register a new network resource for monitoring, click on either Add Domain or Add IP Address. Both of these options launch the Network Resource Wizard. From here you can choose to add a Domain, IP Address, IP Range, or CIDR Block. The Cisco Threat Awareness Service offers two authorization methods; DNS Authorization Cookie, or . The following section describes the required steps for each option. Adding the Network Resource using Use this method if you are not the owner of administrator and would like to request permission from the appropriate person via In the Network Resource Wizard, select the resource type you wish to add, e.g. CIDR Block. 2. Enter the domain name or IP Address, e.g / Optionally add an alias for the IP address. This is an alias within the portal only. 4. Click Next.

5. Select the Email method by clicking on Email Administrators. 6. Choose a recipient from the drop-down list, and click Send Email. 7. Click Finish. 8.

4 5. Select the method by clicking on Administrators. 6. Choose a recipient from the drop-down list, and click Send Click Finish. 8. Refresh the Settings page to see the new IP address entry, with a status of Pending. 9. Click on the IP Address to view the audit trail, including Authorization Method, the recipient, and token expiry date. NOTE: s are sent from no-reply@cisco.com to the selected recipient. The contains a one-time token that can be used only for the specified domain. The approver must click on the link in the , enter the token, and choose whether to Authorize Use or Decline Authorization. NOTE: Once the authorization request has been approved, the status of the domain is updated to Confirmed. The audit trail will provide details of the Authorization method, the date, and the approver, so all actions can be traced back.

5 NOTE: Please allow up to 24 hours for the Cisco Threat Awareness Service to perform a threat analysis. Adding the Network Resource using DNS Cookie Use this method if you have control of the DNS zone for this Domain or IP. 1. In the Network Resource Wizard, select the resource type you wish to add, e.g. Domain. 2. Enter the domain name or IP Address, e.g. cisco.com. 3. Optionally add an alias for the domain. This is an alias within the portal only. 4. Click Next. 5. Select the DNS Authorization Cookie method by clicking on DNS Instructions. 6. Create a TXT record containing the DNS Authorization Cookie, and place in the DNS zone for the specified domain. 7. Click Next and Finish.

6 8. Refresh the Settings page to see the new domain entry, with a status of Pending. 9. Click on the domain to view the audit trail, including the Authorization Method, the DNS Cookie, and token expiry date. NOTE: It may take up to 2 hours for the Cisco Threat Awareness Service to verify the DNS cookie, and update the status of the domain to Confirmed. The audit trail will provide further details so all actions can be traced back. NOTE: Please allow up to 24 hours for the Cisco Threat Awareness Service to perform a threat analysis. Threats Feeds Listed below is a brief description of each threat feed provided by the Cisco Threat Awareness Service. These are also found at the start of the feed in the portal.

7 Exposed Services Open Services: These services are available to the Internet and should be examined and removed if unnecessary. Services for Investigation: These services are available to the Internet and exhibit indicators that they are vulnerable to known attacks or contributing to denial of service attacks. Investigate and, if necessary, remediate these services. Malicious Activity IP Addresses: These IP addresses have either demonstrated malicious activity on the Internet or shown behaviors that indicate they may have malicious software installed. Hostnames and URLs: These DNS names and URLs are present within your network and have demonstrated malicious activity on the Internet. DNS Observations Unexpected DNS Names: These DNS names are not within your DNS domain names but resolve to IP addresses within your network. Investigate whether these are legitimate. Observed DNS Resolvers: These IP addresses are making DNS requests directly to the Internet. Determine if these are legitimate DNS servers and investigate remaining devices. Suspicious DNS Requests DNS Requests for Malicious Names: The following DNS requests for malicious DNS names were observed from your network. All controls are identical across the tabs. Each tab displays one or more charts with an accompanying table listing the IP addresses we are observing from within the registered address space. Selecting an entry in the table will highlight the corresponding entry in the chart, and vice versa. Expanding an entry in the table provide more details of the threat identified. The screenshot below shows the Services for Investigation feed under the Exposed Services tab. The default scope for each feed is 30 days, but this can be extended to a maximum of 90 day, or a minimum of 14 days. The feeds are updated globally (for all customers) every 24 hours. The last update time can be seen underneath the feed name, so in this example, the last update was processed on January 31 at 00:00 GMT. The table displays individual records, and when they were last observed, e.g. the first item in the table was last observed on January 29, while the second record was last observed on January 28. Looking at this record, we can see it is a TCP/433 SSL server, and the threat feeds have indicated this is vulnerable service (e.g. it may be open to some sort of Heart Bleed vulnerability). The Recommended steps may include suggestions such as patching the server, or running further vulnerability scans. The nature of the threat feed is dynamic; the category may be enriched to provide additional information. This will happen transparently as soon as more information becomes available, and in response to the continuously changing threat landscape.

The example below will display all observations of IP address 209.165.200.224, on port 443, on January 25th - 31st.

8 To sort or search the data, click on the Filter icon in the top right of each feed. This provides the option to filter on IP address, Protocol, Port, Category, and Observed Date. The example below will display all observations of IP address , on port 443, on January 25th - 31st. Data may also be exported. Click on the (with a CSV attachment). icon, and download in CSV format, or send the exported data via For More Information On the Cisco Threat Awareness Service please visit the Cisco Threat Awareness Service Support Community.

Qualys Cloud Suite 2.30

Qualys Cloud Suite 2.30 Here s what s new in Qualys Cloud Suite 2.30! AssetView ThreatPROTECT Dynamic tag support for Amazon EC2 Metadata Search Assets by Amazon EC2 Metadata Cloud Agent Download Search