Interaction of Cisco solutions in GosSOPKoy and FinCERT

Published on July 15, 2019


    After the previous note about our Cisco Threat Response threat hunting platform, I got several questions about how to integrate CTR with the state services GosSOPKA and FinCERT. So I decided to write another short note and show how to get the most out of the indicators of compromise that the FSB and the Central Bank send you. In fact, there is nothing supernatural or complicated about such an integration: our regulators use machine-readable indicator formats that are standard worldwide (I dread to think what would happen if hashes of malicious samples were sent as GOST R 34.11-2012 digests instead of MD5 / SHA1 / SHA256), although they do not yet provide an API for automating the work with them. In any case, those indicators are easy to use in Cisco Threat Response. Rather than taking screenshots of the procedure, I want to show it in motion, so here is a short video of how easily indicators from GosSOPKA can be fed into Cisco security solutions.


    Exactly the same procedure can be done with any other source of Threat Intelligence - BI.ZONE, Kaspersky Lab, Group-IB, Anomali, Cisco Talos, etc. Here's a short animated video on how to do this with US-CERT.


    Once the investigation is done and traces of unauthorized activity have been found on our network, the next task is to block it quickly, which means pushing the corresponding rules into the security controls that operate on endpoints, at the perimeter, and in the cloud. Cisco Threat Response can do this too.

    But how much do we actually gain by using Cisco Threat Response to investigate incidents? Isn't it easier to use the same solutions CTR works with (AMP for Endpoints, E-mail Security Appliance, Cisco Firepower, and so on) directly, without CTR? Why do we need yet another system? I timed the same investigation procedure on each of these solutions, and the numbers speak for themselves.

    In AMP for Endpoints, an investigation equivalent to the CTR one takes at least 30 seconds: that is the time needed to create the required policy, enter the indicators of compromise into it, and start searching for them in the Cisco AMP4E data.


    In practice it takes a little longer still, since the time depends on the number of indicators I have to type into the management console (or I have to prepare a file with the indicators in advance and upload it to the system).


    In the case of Cisco Firepower NGIPS, a similar procedure takes no less than 40 seconds (again depending on the number of indicators I am looking for).


    Finally, for Cisco E-mail Security, which was recently integrated with CTR, searching for indicators in e-mail messages through the Cisco SMA (Security Management Appliance) takes at least 11 seconds if I enter the hash values of the malicious or suspicious attachments manually,


    and at least 18 seconds if I instead point it at a source of indicators from which the data is loaded automatically.


    Taken individually, that is not much per solution, but a comprehensive investigation across several products and several indicator types at once needs at least 120 seconds. If you watch the video again, you will see that with Cisco Threat Response the same investigation takes only 10 seconds, and that time is almost independent of the number of indicators. That is a twelvefold saving, and none of the fuss of preparing the indicators for upload into each system: you just copy whatever you need to the clipboard (or into the Casebook browser plugin) and paste it into CTR. So if your task is to investigate incidents promptly, the free Cisco Threat Response lets you do it very effectively.

    This is just one example of integrating Cisco solutions with the state Threat Intelligence systems; in fact there are more. For example, we can automate not only the investigation but also the blocking of the artifacts we receive from GosSOPKA or FinCERT, using the APIs available in, say, Cisco AMP for Endpoints or Cisco Firepower. But do this (automatic blocking) with caution: an address or domain that is malicious in one context may be a shared hosting address or a legitimate service in yours, and with an automatic block nobody checks that first.
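    The two practical steps in this note, turning a regulator's bulletin into a clean list of indicators you can paste into CTR, and deciding which of them are safe to push to an enforcement API without a human in the loop, can both be scripted. The following is an added example written for this page; it is not code from the original post and not a Cisco API client. The bulletin text, the internal networks and the domain allowlist are all constructed for the example and labelled as such; the actual push to AMP for Endpoints or Firepower is deliberately left out, the script only produces the plan.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample bulletin: layout and every value are made up for this
# example, it is not a real GosSOPKA or FinCERT message.
SAMPLE_BULLETIN = """\
Subject: phishing campaign bulletin (constructed sample, not a real FinCERT message)
Malicious attachment hashes:
  MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  Truncated in transit: 0123456789abcdef0123456789abcdef0123456789abcdef
C2 beacon: hxxp://update-check[.]example/api/v1/beacon
Phishing page: login(.)bank-example[.]com
Source addresses: 203.0.113.45, 10.20.30.40 (the second one is our own test host)
The dropper invoice.exe first checks connectivity to www.microsoft.com
"""

# Digest length in hex characters -> type. A GOST R 34.11-2012 (Streebog-256)
# digest is also 64 hex characters, so length alone cannot tell it from SHA-256.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
# "domains" ending in these are almost always file names mentioned in the text
FILE_EXTS = {"exe", "dll", "doc", "docx", "xls", "xlsx", "pdf", "zip", "rar", "js", "ps1", "txt"}
# Hypothetical local policy: our own address space and domains we never block.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWLIST_DOMAINS = {"microsoft.com", "corp.example"}

HEX_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32,64}(?![0-9a-f])", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.I)


def refang(text):
    """Undo the usual defanging (hxxp, [.], (.), {.}) so the regexes see real indicators."""
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def extract_indicators(text):
    """Pull hashes, URLs, IPv4 addresses and domains out of a free-text bulletin.

    Returns a dict of sets keyed by indicator type; hashes whose length is not
    MD5/SHA1/SHA256 land in 'unknown_hash' instead of being silently dropped.
    """
    text = refang(text)
    found = defaultdict(set)
    for digest in HEX_RE.findall(text):
        found[HASH_TYPES.get(len(digest), "unknown_hash")].add(digest.lower())
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")
        found["url"].add(url)
        host = urlsplit(url).hostname
        if host:
            found["domain"].add(host.lower())
    rest = URL_RE.sub(" ", text)  # drop URLs so path parts are not read as domains
    for ip in IPV4_RE.findall(rest):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1
        found["ip"].add(ip)
    for dom in DOMAIN_RE.findall(rest):
        dom = dom.lower()
        if dom.rsplit(".", 1)[-1] not in FILE_EXTS:
            found["domain"].add(dom)
    return dict(found)


def ctr_paste_text(indicators):
    """Flat newline-separated list to paste into the CTR search box."""
    lines = []
    for kind in ("sha256", "sha1", "md5", "ip", "domain", "url"):
        lines.extend(sorted(indicators.get(kind, ())))
    return "\n".join(lines)


def _allowlisted(domain):
    return any(domain == a or domain.endswith("." + a) for a in ALLOWLIST_DOMAINS)


def triage(indicators):
    """Split indicators into auto_block / review / skipped for an enforcement API.

    File hashes identify one specific sample and may be blocked automatically;
    network indicators go to a human, and anything internal, allowlisted or of
    unknown hash type is dropped with a reason rather than pushed blindly.
    """
    plan = {"auto_block": [], "review": [], "skipped": []}
    for kind in ("md5", "sha1", "sha256"):
        plan["auto_block"].extend((kind, h) for h in sorted(indicators.get(kind, ())))
    for h in sorted(indicators.get("unknown_hash", ())):
        plan["skipped"].append(("unknown_hash", h, "length %d is not MD5/SHA1/SHA256" % len(h)))
    for ip in sorted(indicators.get("ip", ())):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or any(addr in net for net in INTERNAL_NETS):
            plan["skipped"].append(("ip", ip, "internal address"))
        else:
            plan["review"].append(("ip", ip))
    for dom in sorted(indicators.get("domain", ())):
        if _allowlisted(dom):
            plan["skipped"].append(("domain", dom, "allowlisted"))
        else:
            plan["review"].append(("domain", dom))
    plan["review"].extend(("url", u) for u in sorted(indicators.get("url", ())))
    return plan


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_BULLETIN)
    print("Paste into CTR:\n" + ctr_paste_text(found) + "\n")
    for bucket, items in triage(found).items():
        print(bucket, items)
```

    Running it on the constructed bulletin puts the three well-formed hashes into `auto_block`, sends the external address, the phishing domain, the C2 host and its URL to `review`, and drops the truncated hash, the internal test host and `www.microsoft.com` with a reason each. That last line is the point of the caution above: the bulletin mentions a legitimate domain only as a connectivity check, and a script that forwarded everything it parsed to a blocking API would have cut the whole company off from Windows Update.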