Cisco Threat Awareness Service - Quick Start Guide. Last Updated: 16/06/16


Contents

Introduction
Intended Use
Portal Navigation
Registering a Network Resource
  Adding the Network Resource using Email
  Adding the Network Resource using DNS Cookie
Threat Feeds
  Exposed Services
  Malicious Activity
  DNS Observations
  Suspicious DNS Requests
For More Information

Introduction

The Cisco Threat Awareness Service (CTAS) is an easy-to-use, portal-based threat intelligence service. It enhances threat visibility for Smart Net Total Care (SNTC) customers by making broad, foundation-based security information accessible 24 hours a day.

- Timely detection of malicious activities based on Cisco's extensive network visibility and threat intelligence experience.
- Helps companies quickly identify compromised systems by flagging compromised networks and suspicious behaviour.
- Helps IT and security teams recognize threats and delivers actionable intelligence.
- Continuous improvement of overall security posture through analysis of network traffic as seen from outside the network.

Intended Use

This document is intended for users of the Smart Net Total Care (SNTC) portal, an online system provided as part of Cisco Smart Net Total Care. The instructions in this guide assume that the user already has access to the Cisco Threat Awareness Service in the SNTC portal.

Portal Navigation

After logging into the Smart Net Total Care portal, the left-side navigation pane provides access to the different features offered via the portal. For the Cisco Threat Awareness Service, there is a new option called Security. Expanding this menu reveals the Threat Awareness Service.

The landing page for the Cisco Threat Awareness Service, as it typically appears when first accessed (assuming one or more network resources are already authorized), shows the Threat Awareness Service dashboard in the right-hand pane. The dashboard is comprised of four tabs, each displaying information on a different type of threat feed: Exposed Services, Malicious Activity, DNS Observations, and Suspicious DNS Requests. A description of each is found in the Threat Feeds section of this document. Navigating to a Threat Feed tab causes the service to load the data for any network resources already registered with the Cisco Threat Awareness Service.

NOTE: Threat information is available for authorized network resources only.

Registering a Network Resource

From the Threat Awareness Service dashboard, click on Settings to see a list of network resources that are already registered, with the corresponding status:

- Pending: A network resource with this status will not be included in the processing of the Threat Feeds. This status indicates the network resource is registered, but not yet authorized.
- Confirmed: A network resource with this status will be included in the processing of the Threat Feeds. This status indicates the network resource is authorized.

The system requires authorization before a user can view the threat data. Information about the network resource is already available in Cisco's threat databases; the authorization step confirms that the user has permission to view the data.

To register a new network resource for monitoring, click on either Add Domain or Add IP Address. Both of these options launch the Network Resource Wizard. From here you can choose to add a Domain, IP Address, IP Range, or CIDR Block. The Cisco Threat Awareness Service offers two authorization methods: DNS Authorization Cookie, or Email. The following sections describe the required steps for each option.

Adding the Network Resource using Email

Use this method if you are not the owner or administrator and would like to request permission from the appropriate person via email.

1. In the Network Resource Wizard, select the resource type you wish to add, e.g. CIDR Block.
2. Enter the domain name or IP address, e.g. 209.165.200.224/27.
3. Optionally add an alias for the IP address. This is an alias within the portal only.
4. Click Next.

5. Select the Email method by clicking on Email Administrators.
6. Choose a recipient from the drop-down list, and click Send Email.
7. Click Finish.
8. Refresh the Settings page to see the new IP address entry, with a status of Pending.
9. Click on the IP address to view the audit trail, including the Authorization Method, the email recipient, and the token expiry date.

NOTE: Emails are sent from no-reply@cisco.com to the selected recipient. The email contains a one-time token that can be used only for the specified domain. The approver must click on the link in the email, enter the token, and choose whether to Authorize Use or Decline Authorization.

NOTE: Once the authorization request has been approved, the status of the domain is updated to Confirmed. The audit trail provides details of the authorization method, the date, and the approver, so all actions can be traced back.

NOTE: Please allow up to 24 hours for the Cisco Threat Awareness Service to perform a threat analysis.

Adding the Network Resource using DNS Cookie

Use this method if you have control of the DNS zone for this domain or IP.

1. In the Network Resource Wizard, select the resource type you wish to add, e.g. Domain.
2. Enter the domain name or IP address, e.g. cisco.com.
3. Optionally add an alias for the domain. This is an alias within the portal only.
4. Click Next.
5. Select the DNS Authorization Cookie method by clicking on DNS Instructions.
6. Create a TXT record containing the DNS Authorization Cookie, and place it in the DNS zone for the specified domain.
7. Click Next and Finish.

8. Refresh the Settings page to see the new domain entry, with a status of Pending.
9. Click on the domain to view the audit trail, including the Authorization Method, the DNS Cookie, and the token expiry date.

NOTE: It may take up to 2 hours for the Cisco Threat Awareness Service to verify the DNS cookie and update the status of the domain to Confirmed. The audit trail provides further details so all actions can be traced back.

NOTE: Please allow up to 24 hours for the Cisco Threat Awareness Service to perform a threat analysis.

Threat Feeds

Listed below is a brief description of each threat feed provided by the Cisco Threat Awareness Service. These descriptions are also found at the start of each feed in the portal.
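The DNS Authorization Cookie method above proves control of a zone by publishing a token in a TXT record that the service then looks up before moving the resource from Pending to Confirmed. The following Python example is added here and is not part of Cisco's guide or service; it shows the essential check with a hypothetical injected lookup in place of a real DNS client, and the zone contents, cookie value, and the "Expired" status are constructed assumptions.

```python
import datetime as dt
from typing import Callable, Iterable, Optional

# Hypothetical lookup type: given a DNS name, yields the TXT record strings
# published in its zone. A real implementation would wrap a DNS client; here
# it is injected so the check runs offline against constructed answers.
TxtLookup = Callable[[str], Iterable[str]]


def verify_dns_cookie(domain: str, cookie: str, expires_iso: str,
                      lookup: TxtLookup, now_iso: Optional[str] = None) -> str:
    """Decide the network resource's status from the DNS Authorization Cookie.

    Returns "Confirmed" when a TXT record on the domain matches the cookie
    before the token expiry, "Pending" when no matching record is visible
    yet, and "Expired" once the token's expiry date has passed. "Pending" and
    "Confirmed" are the portal's status names; "Expired" is assumed here.
    """
    expires = dt.datetime.fromisoformat(expires_iso)
    now = (dt.datetime.fromisoformat(now_iso) if now_iso
           else dt.datetime.now(dt.timezone.utc))
    if now >= expires:
        return "Expired"
    # Compare the whole TXT string, not a substring: a cookie that merely
    # appears inside some longer, unrelated record is not proof of control.
    for txt in lookup(domain):
        if txt.strip() == cookie:
            return "Confirmed"
    return "Pending"


# Constructed zone contents standing in for real DNS answers.
CONSTRUCTED_ZONE = {
    "example.com": ["v=spf1 -all", "ctas-cookie=EXAMPLE-TOKEN-123"],
    "example.net": ["ctas-cookie=EXAMPLE-TOKEN-123 plus trailing text"],
    "example.org": [],
}


def fake_lookup(name: str) -> Iterable[str]:
    # Normalise the name the way a resolver would (case, trailing dot).
    return CONSTRUCTED_ZONE.get(name.rstrip(".").lower(), [])


if __name__ == "__main__":
    for d in CONSTRUCTED_ZONE:
        print(d, verify_dns_cookie(d, "ctas-cookie=EXAMPLE-TOKEN-123",
                                   "2030-01-01T00:00:00+00:00", fake_lookup,
                                   now_iso="2025-06-01T00:00:00+00:00"))
```

Only example.com is Confirmed: example.net carries the cookie inside a longer string, and example.org publishes nothing, so both stay Pending until a matching record appears.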

Exposed Services

- Open Services: These services are available to the Internet and should be examined and removed if unnecessary.
- Services for Investigation: These services are available to the Internet and exhibit indicators that they are vulnerable to known attacks or are contributing to denial of service attacks. Investigate and, if necessary, remediate these services.

Malicious Activity

- IP Addresses: These IP addresses have either demonstrated malicious activity on the Internet or shown behaviors that indicate they may have malicious software installed.
- Hostnames and URLs: These DNS names and URLs are present within your network and have demonstrated malicious activity on the Internet.

DNS Observations

- Unexpected DNS Names: These DNS names are not within your DNS domain names but resolve to IP addresses within your network. Investigate whether these are legitimate.
- Observed DNS Resolvers: These IP addresses are making DNS requests directly to the Internet. Determine if these are legitimate DNS servers and investigate the remaining devices.

Suspicious DNS Requests

- DNS Requests for Malicious Names: DNS requests for malicious DNS names that were observed from your network.

All controls are identical across the tabs. Each tab displays one or more charts with an accompanying table listing the IP addresses observed from within the registered address space. Selecting an entry in the table highlights the corresponding entry in the chart, and vice versa. Expanding an entry in the table provides more details of the threat identified.

The example described here is the Services for Investigation feed under the Exposed Services tab. The default scope for each feed is 30 days, but this can be extended to a maximum of 90 days or reduced to a minimum of 14 days. The feeds are updated globally (for all customers) every 24 hours. The last update time is shown underneath the feed name; in this example, the last update was processed on January 31 at 00:00 GMT.

The table displays individual records and when they were last observed, e.g. the first item in the table was last observed on January 29, while the second record was last observed on January 28. Looking at this record, we can see it is a TCP/433 SSL server, and the threat feeds have indicated this is a vulnerable service (e.g. it may be open to some form of the Heartbleed vulnerability). The recommended steps may include suggestions such as patching the server or running further vulnerability scans. The nature of the threat feed is dynamic; the category may be enriched to provide additional information. This happens transparently as soon as more information becomes available, and in response to the continuously changing threat landscape.

To sort or search the data, click on the Filter icon in the top right of each feed. This provides the option to filter on IP Address, Protocol, Port, Category, and Observed Date. As an example, a filter can be set to display all observations of IP address 209.165.200.224, on port 443, between January 25th and 31st.

Data may also be exported. Click on the export icon and download in CSV format, or send the exported data via email (with a CSV attachment).

For More Information

For more information on the Cisco Threat Awareness Service, please visit the Cisco Threat Awareness Service Support Community.