Showing posts with label Cisco IoT Threat Defense.

Monday 10 August 2020

Harvesting Threat Intelligence with the SecureX Threat Response API

It is widely known that there are never enough resources to staff every Security Operation Center (SOC). Organizations are struggling to cope with the massive number of new attacks, which makes it ever more important to stay up to date with the vast number of threats that could be just around the corner. Enter Cisco Talos, Cisco’s threat intelligence research group and a well-respected source for threat intelligence information.

What is Threat Intelligence?


According to Wikipedia, “cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace”. Wikipedia also points out that the “sources include open source intelligence, social media intelligence, human intelligence, technical intelligence, or intelligence from the deep and dark web”.

There are different forms of threat intelligence:

◉ Tactical: this type of intelligence can be used to identify the threat actor of a specific attack. Examples can be Indicators of Compromise (IoCs) like IP addresses, domains and file hashes.

◉ Operational: this type of intelligence focuses more on the Tools, Techniques and Procedures (TTPs) of the attacker.

◉ Strategic: this type of intelligence focuses more on high-level cyber risks and can be used to create a strategy for a company.

What is the SecureX Threat Response API?


The SecureX Threat Response platform is a tool that aggregates and correlates the capabilities of many Cisco and third-party security products (called “modules”). This tool can be leveraged for “threat hunting” in a customer’s environment to help keep that environment secure. It does this by connecting to the APIs of the various products, and by doing so is able to retrieve information. This process is called “enrichment.” Enrichment focuses both on internal sightings and external threat intelligence. At the same time, Threat Response can take actions in a subset of the connected products. This process is called “response”.

Some products can only provide enrichment, while others can do both enrichment and response. Cisco Security customers can use Threat Response to quickly identify a root cause of a cyber-attack, by using any text (containing IoCs) as an input. This text can then be enriched both from internal monitoring modules (“Do I have any infected hosts?”), and from threat intelligence modules (“Are these IoCs bad?”). And it enables customers to quickly take response actions to remediate the threat.

The SecureX Threat Response relation graph graphically shows how the observables in an investigation are connected.

If you’re a Cisco Security customer, guess what … You have access to Threat Response at no extra cost. The Threat Response APIs can be leveraged to automate a big chunk of the threat hunting process, and mainly the enrichment process.

How to harvest threat intelligence, and hunt the threats?


The internet contains many free sources of threat intelligence that can be used in addition to the Cisco Talos feeds. Using the SecureX Threat Response API, it is possible to harvest this and discover internal security events. This process is what was earlier described as “enrichment”, where both internal and external modules are checked for hits. There is a big community out there that shares new IoCs related to new cyber-attacks and malware campaigns.

So how can I harvest my threats?


Below are two examples that take a free source from the internet (blogs and Twitter) and parse it for IoCs. Both scripts then check for “target sightings” and automatically add the IoCs to a SecureX Casebook case. If there are any hits on internal targets, the script adds a “HIGH PRIORITY” tag to the Case. The scripts will also send a Webex Teams alert to a configured Space (e.g. the Space used by a SOC). Check out the links below to find out more!

1. Searching threat intelligence blogs

The Cisco Talos blog is a perfect example of one of those free sources of threat intelligence that can be found on the internet. Their blog highlights threats and other information they find on a regular basis. However, who has the time to read all these blog posts, search through all their security tools for hits, and take action on them? Using the Threat Intelligence API, I was able to search the Talos blog (and others!) and pull out the exact information I needed to remediate my threat. Find out how on my DevNet Automation Exchange post:

2. Scouring Twitter Hashtags (e.g. #OPENDIR)

You can do a similar thing with Twitter. The #opendir Twitter hashtag is used by many threat intelligence researchers to post their findings on new threats, and it is another perfect example of the free sources of threat intelligence that can be found on the internet. Matching this information source against the connected Threat Response modules gives you relevant hits to help protect your organization from unwanted threats.

Some example Tweets from the #opendir hashtag.

These are just two examples of what you can do with these awesome APIs.
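As an added example that is not part of the original post or of the DevNet scripts it links to, the following Python sketches the enrichment workflow described above for both the blog and the Twitter sources: refang and extract IoCs from a constructed write-up, match them against constructed, simplified sighting records, decide on the HIGH PRIORITY tag, and render the Webex Teams text. The observable shape, the sighting fields and the sample data are assumptions; the actual Threat Response and Webex API calls are left out.

```python
# Added example, not code from the original post or Cisco's DevNet scripts.
# Assumes Threat Response {"type","value"} observables and simplified
# CTIM-style sightings carrying "observables" and "targets" (assumption).
import re
from typing import Dict, List

# Write-ups "defang" indicators so nobody clicks them; undo that before matching.
def refang(text: str) -> str:
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)

# Indicator patterns for the IoC types the post lists: hashes, IPs, domains.
PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|xyz|top|ru|io)\b", re.IGNORECASE),
}

def extract_observables(text: str) -> List[Dict[str, str]]:
    """Return de-duplicated observables in the order they are first found."""
    clean = refang(text)
    seen, found = set(), []
    for otype, pattern in PATTERNS.items():
        for value in pattern.findall(clean):
            key = (otype, value.lower())
            if key not in seen:
                seen.add(key)
                found.append({"type": otype, "value": value.lower()})
    return found

# A sighting with at least one target is an internal hit: that is what the
# post's scripts turn into a HIGH PRIORITY tag on the Casebook case.
def triage(observables: List[Dict[str, str]], sightings: List[dict]) -> dict:
    """Flag harvested IoCs that a module has seen on an internal target."""
    wanted = {(o["type"], o["value"]) for o in observables}
    hits = []
    for sighting in sightings:
        matched = wanted & {(o["type"], o["value"]) for o in sighting["observables"]}
        for target in sighting.get("targets", []):
            for tobs in target["observables"]:
                for _, value in sorted(matched):
                    hits.append({"observable": value, "target": tobs["value"],
                                 "source": sighting["source"]})
    return {"tags": ["HIGH PRIORITY"] if hits else [], "hits": hits}

def build_alert(case_title: str, result: dict) -> str:
    """Render the Webex Teams message text the SOC space would receive."""
    lines = [f"New case: {case_title}"]
    if result["tags"]:
        lines.append("Tags: " + ", ".join(result["tags"]))
    for hit in result["hits"]:
        lines.append(f"- {hit['observable']} seen on {hit['target']} via {hit['source']}")
    if not result["hits"]:
        lines.append("No internal target sightings; IoCs added for tracking only.")
    return "\n".join(lines)

# Constructed sample text (not a real Talos post); uses RFC 5737 / example.com.
SAMPLE_POST = (
    "The loader beacons to hxxp://update-check[.]example[.]com/c2 from "
    "203[.]0[.]113[.]45 and drops a payload with SHA256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
)

# Constructed, simplified sightings: the IP was seen on an internal host, the
# domain only has an external verdict (no targets), the hash was not seen.
SAMPLE_SIGHTINGS = [
    {"source": "constructed endpoint module",
     "observables": [{"type": "ip", "value": "203.0.113.45"}],
     "targets": [{"type": "endpoint",
                  "observables": [{"type": "hostname", "value": "ws-017"}]}]},
    {"source": "constructed threat-intel module",
     "observables": [{"type": "domain", "value": "update-check.example.com"}],
     "targets": []},
]

if __name__ == "__main__":
    harvested = extract_observables(SAMPLE_POST)
    print(build_alert("Talos blog IoCs (constructed sample)", triage(harvested, SAMPLE_SIGHTINGS)))
```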

Tuesday 17 December 2019

Unpacking IoT, a series: The complexity challenge and what you can do about it

In this post, I cover the final of the top three challenges: complexity. For an IoT initiative to be successful, the deployment and management of connected devices must be simplified.

The typical solution to address scalability is automation. Automation certainly helps expedite and scale out an IoT deployment, but it’s not enough. If you cut and paste, and deploy text-based device configurations, that will help speed up configuration, but it won’t simplify deployments. A network administrator still has to come up with an appropriate network configuration to meet the business needs, perform extensive testing and validation of these configurations on a platform-by-platform and software-image by software-image basis, and finally templatize these configurations to support device-specific variables (like device names, discrete interface IP addresses, location details, etc.). So, how do we make this entire process easier beyond just automation?

To simplify IoT deployments, Cisco has made a paradigm shift in terms of how we empower network operators to program network devices. This new approach is called intent-based networking. To realize the impact of this new way of thinking, you need to understand that there are essentially two main ways to “program”— that is, to provide a set of instructions. One way is called the imperative model and the other is called the declarative model. Any programmable thing — whether it’s a computer or a person being given instructions — can be programmed using one of these models. The best way to explain the difference between the two models is to use a simple analogy.

Imagine you’re taking a taxicab to the airport. One way you can ensure you get to your destination is by providing the driver explicit turn-by-turn directions: turn left at the first signal, go down three blocks, turn right on Main Street, etc. You break everything down into discrete, very easy to follow directions, but they’re very complex. This approach illustrates the imperative model of programming, where every instruction needs to be provided in detail. Additionally, it should be noted that the imperative approach may even be sub-optimal and inflexible. For example, what if a particular street was closed for repairs and you didn’t know how to detour around the affected area?

An alternative approach, the declarative model, is to leverage the knowledge of the taxi driver and simply declare your intent: take me to the airport. You don’t need to explain how to get there or which route to take. You just express your intent — the business result that you want to achieve — and then rely on the driver to deliver on that intent. This is the paradigm shift we made at Cisco and what intent-based networking is all about.

Intent-based networking for IoT

Cisco DNA Center is the equivalent of that cab driver who knows how to get you from point A to point B without detailed instructions. We’ve embedded 30 years of networking knowledge into our solutions, enabling network operators to express their intent at the business level. For example, in the case of network security policies, a network operator can indicate these devices can talk to those devices. These people can access those applications. That’s business-level intent. There’s no need to specify all the rules of how that intent is delivered, which technology is utilized, what kind of access policy is applied, where it’s deployed, etc. The network operator allows the machine to translate that and then to scale that configuration using automation to the programmable physical and virtual network infrastructures.

But that’s not all. We close the loop by soliciting telemetry data from the infrastructure to confirm that indeed the stated intent was delivered. The system compares the data from the network with what was declared by the operator to make sure that the business intent is being delivered. Either it is, and you have confirmation and data to that effect. Or, it’s not and that’s very important to know because then you can launch a troubleshooting workflow to investigate the root cause and take remedial action.

Intent-based networking is not new. We’ve been doing it within our data center with our application-centric infrastructure for quite a few years now, and more recently in the past five years we’ve been doing it in our enterprise networking. The expression of that is Cisco DNA Center.

What’s important now is that we’ve extended intent-based networking capabilities to the IoT edge. All IoT switches, routers, and wireless access points that run Cisco IOS XE can be managed by the same pane of glass you use to manage the rest of your network via DNA Center. Furthermore, you can extend the enterprise network to your IoT edge — wherever that happens to be: your parking lots, warehouses, distribution centers, manufacturing facilities, airports, seaports, utilities, power grids, etc. All of these places can be extended to using the same toolset.

The result: one intent-based network architecture for a consistent end-to-end experience and one set of security policies. IoT deployment is simplified, but it’s also scalable and secure.

Tuesday 15 October 2019

Cisco Ranked #1 in Market Share for Industrial Networking

When people think of networking, they think of Cisco. But in the industrial networking space, sometimes that isn’t the case. In the past, organizations connecting areas such as manufacturing floors, oil rigs and traffic intersections relied on specialized vendors for their industrial IoT networking needs. Not anymore. I am proud to announce that for the second year in a row, Cisco is #1 in industrial networking market share. This includes layer 2 and layer 3 switching, wireless and routing. In fact, according to IHS, Cisco is the only major vendor growing across all categories.

No Longer Will Any Networking Solution Do


Data from IoT projects is critical to helping organizations stay competitive. But problems with scale, IoT security and complexity block progress. More and more, operations are bringing in IT specialists to overcome these issues and lay a solid network foundation to help ensure project success. And this is where Cisco is uniquely equipped to help.

Cisco Enterprise Networking and Security


Other networking solutions are more complex. To connect an IoT deployment, IT often must add another domain. This creates added burden, forcing IT to manage one more network. And with the large number of devices connected, manual setup and operations are not an option. Only Cisco offers an integrated multi-domain networking architecture. It extends the powerful capabilities of the enterprise network, including intent-based networking, to the IoT edge. With Cisco intent-based networking (IBN), you can automate key IT functions and provide centralized visibility and control across your entire network – from your campus to your branch, data center and IoT deployments.

And because most IoT projects bring more risk, security must be part of the equation. We are uniquely positioned to deliver a fully integrated Cisco security architecture without gaps in coverage. Our multi-layered, built-in approach is across every layer of our IoT stack. Coupled with our multi-domain architecture and intent-based networking, you can enforce unified security policies throughout your enterprise.

These networking and security capabilities provide scale and security unlike anyone else in the market so that you can deploy with confidence.

Industrial Protocol Interoperability


The second part of the equation adds interoperability and compliance. To get data, a large number of IoT sensors and machines must connect to the Internet. But the protocols they use are not common in traditional IT networks. Our industrial networking products support a wide variety of industrial protocols such as Modbus, Profinet, CIP, and IEC 61850 GOOSE. You get interoperability and compliance with the network scale and security you need.

The Right Form Factor and Design


The third part of the equation ensures that you can scale and deploy IoT wherever you need it. Key business operations are not always in the headquarters or the branch office. The data you need can be on the front lines of your operations like in remote oil pipelines, dirty/dusty manufacturing floors, or service vehicles. None of these are conducive to rack-mounted, ambient temperature network products. To help you connect, Cisco IoT offers ruggedized and heavy-duty routers, switches and wireless access points in small and modularized form factors. We have built them to withstand extreme temperatures, dust and moisture, and vibration. They come in sizes that are small enough to deploy in cars or on light poles or wherever you need it – not just in a 19-inch rack. And unlike many other vendors, no extra enclosures required!

Cisco Industrial Networking: The Foundation for IoT Success


When added together, these are the core networking capabilities that you need as a foundation for a successful IoT project. IT gets the network that they know and trust without added burden. Operations gets a solid network foundation that is reliable, scalable and secure, that works in their environment, and that allows them to capture the data they need to move the business forward.

Thursday 18 July 2019

Critical Network Infrastructure in IoT Industries

The Internet of Things and the way in which different industries are transforming their business is having a direct impact on the type of networking infrastructure they now require. Digitization, Artificial Intelligence, Machine Learning and Automation are now the main drivers for many companies across multiple verticals to look into new ways of offering their services, running their day-to-day operations, dealing with their customers and suppliers, and becoming more efficient.

But let’s look first into what we mean by Critical Network Infrastructure. Generally speaking, we refer to the information technologies and cybersecurity systems required to run mission critical applications that support the continuity of normal business and government operations. These systems provide the resiliency to avoid vital network interruptions and non-recoverable failures. They are also characterized by providing High Availability, Optimal Performance and Increased Security.

In the past, before IoT and Digital Transformation became ubiquitous, almost the only companies that required this type of Network Infrastructure were what we refer to as Service Providers or Telecommunications Carriers. These are the organizations that provide telephony, cellular services, internet broadband access and nowadays even cable and video streaming services. Networks are a Critical Infrastructure for these types of companies because their business model has always been based on providing connectivity in one way or another. Up until very recently we have referred to Critical Network Infrastructure simply as SP networking or Carrier infrastructure.

All this has changed as more and more industries need to provide an improved Customer Experience. While the networking infrastructure was used in the past to provide mainly back-office operations and internal communications services, nowadays whole business operations have to run over this infrastructure, and the interaction with the end users relies solely on the low latency, uptime and security of these networks.

Critical Information, and as a result the data traffic carrying it, is moving closer and closer to the end user, across multiple regions and over very long distances. By the year 2021, up to 41% of all data traffic will be delivered across multiple countries.

The demand for reliable real-time data is more critical than ever. With the arrival of Smart Homes, Autonomous Vehicles and Smart Cities, the expectation is to have Secure, Fast, Simple and Reliable data. This can only be achieved by having High-Performance Networking, Automation & Analytics, and an Always-On, Secured and Trusted Infrastructure to interconnect all of these systems.

Some of the most immediate IoT Use Cases that require Critical Network Infrastructure, and hence where some of the greatest opportunities are for Cisco and our Partners, are in the Industrial Verticals and Public Sector. Let me give you a few examples here:

◈ Smart Cities


As more and more cities provide multiple services to their inhabitants, reliability and data privacy become critical. Some of the main challenges cities are facing include the effects of urbanization: it is estimated that by 2050, 68% of the worldwide population will be living in cities. Shifting economics, sustainability and public safety are also some of the main trends impacting today’s cities. Technology can help solve some of these problems, including Lighting, Parking, Environmental control, Urban Mobility, Water Supply, Safety & Security and Waste Management. A Multi-Services Network including a Connected Communities Infrastructure Layer is required to provide all of these services! And guess what? This is an actual Critical Network Infrastructure, the one we have been talking so much about so far.

◈ Utilities


Power Utilities are also facing a new set of challenges that are transforming the way in which they Generate Energy, operate the Power Grid and interact with their Customers. In the past Customers were only seen as simple Rate-payers, but IoT is turning them into real Clients with high Customer Experience expectations. Electrical Vehicles, Distributed Energy Resources, Renewable Energy and Smart Homes are all shaking up an industry that has been mainly focused on providing a stable electricity supply for over a century. However, Power Supply is and has always been a matter of national security for every country. The electrical power grid is now changing as it has to adapt to all of these new challenges and expectations. The grid is a critical infrastructure that is becoming interconnected and that has to be run over a Critical Network Infrastructure.

◈ Manufacturing


Over the past few decades globalization has turned the supply chain of almost every product into a multi-national affair. Different parts are manufactured across the globe and assembled in faraway locations. At the same time Digital Automation is turning Discrete and Process Manufacturing into one of the most accelerated verticals for IoT and Digital Transformation. Industry 4.0 is the concept of smart factories where robots and machines are interconnected to a system that can visualize the entire production chain and make decisions on its own. If we add up these trends, the result is that manufacturing companies need to be able to provide High-Performance, Scalable, Resilient connectivity with very low latency (due to the precision required for many manufacturing processes), while at the same time having a high degree of flexibility across long distances with strong security and policy control. Sound familiar?

These are just a few industries where the Critical Network Infrastructure that was required mainly by Service Providers in the past is now a “must” for many Industries. I could go on and on, but the idea is just to give you a glimpse into what is possible. Other industries close to my heart such as Transportation, Mining, Oil & Gas and many more have very similar needs, with their own specific requirements and industry trends, all being driven and fostered by IoT technologies. And all of them represent a great opportunity for Cisco and all of our Partners.

Wednesday 30 January 2019

Security in Utilities: an architectural approach for partners

When we talk about Utilities, we usually refer mainly to the companies that supply electricity to business and residential consumers. However, there are several other types of Utilities including Water, Gas and Waste Management companies, just to name a few. All of them face the same types of security threats. In the past few years there have been a number of incidents; for example, public warning systems have been hacked and turned on in the middle of the night. There have also been attacks on the systems that control gas pipelines, shutting down the gas flow for several hours.

Many of these attacks have happened not because of an actual lack of IT security measures or precautions, but in many cases due to organizational failures, whereby security data has been released to a third-party contractor without the necessary data protection procedures to stop these incidents from happening.

In order to prevent security incidents from happening, companies have to evolve their security approach into a phased security architecture:

◈ First Phase: modernize the connectivity of the transmission and distribution systems, including zone segmentation and controlled conduits, and follow standards such as ISA-95, ISA-99 / IEC 62443, NERC and NIST.

◈ Second Phase: provide visibility of the data that is going through the equipment and systems all the way to the control area. This requires Application Control and Threat Control.

◈ Third Phase: converge security policies across all the different layers, including policy-driven responses and deeper visibility and control.

This phased security architectural approach can be used by partners across different types of Utilities. The most important thing to highlight is that partners should provide their customers with a consistent risk assessment followed by an architecture that addresses the potential gaps discovered through this assessment.

There are some use case themes that partners can discuss with their customers to address the different types of potential vulnerabilities their industrial infrastructure might have, including:

◈ Secure Connectivity: what devices can connect to what control systems; what type of communications can happen between different systems.

◈ Secure Remote Access: what are the access control measures, how can secure access be provided.

◈ Threat Control: what devices are vulnerable; how can you protect any vulnerable assets.

◈ Safe Environment: what type of protection is being provided in the networking infrastructure and what type of protection is being provided on the devices themselves.

In order to address the security requirements of all different types of Utilities we now have Cisco IoT Threat Defense which converges a security architecture and services to help industrial companies defend their IoT devices and keep their business running.

The main idea is to look at the individual environments that need some form of Cybersecurity, then map them to the products that Cisco partners can deliver, using the Cisco Validated Designs to define how to bring a particular solution forward.

There are four different areas that we focus on: Segmented Access Control for both IT and OT environments; Visibility and Analysis of potentially dangerous behavior to/from IoT devices; Secure Access into the OT network; and finally, Professional Security Services to assess the baseline risk, manage OT environments and perform incident response.