This repository is deprecated; please follow the main search page or use the ‘Related code repos’ widget on the right side of the current page.

Talos Weekly Threat Roundup Blog Investigation Workflow

This workflow automates, inside SecureX Orchestrator, the investigation of the IOCs published weekly in the Talos Threat Roundup blog, in order to understand whether any of those threats has had an impact in your environment.

Use Cases

  • Simplify threat hunting: Gives security analysts the ability to investigate the most prevalent threats that Talos has observed over the current week, and converts the findings into a SecureX casebook

  • SOC task automation: This workflow can be scheduled to run periodically at the Talos Blog publication time, so that the investigation is carried out immediately upon blog availability

Description

Every Friday evening, US time, Talos publishes a glimpse into the most prevalent threats they have observed over the current week.

For each threat described in the weekly roundup blog, an accompanying JSON file, containing the complete list of file hashes as well as all other IOCs from the post, can be retrieved with an HTTPS request to the Talos Roundup hosted IOCs. The request is directed to the following resource:

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/<URL_ID>/original/YYYYMMDD-tru.json.txt

where YYYYMMDD is the publication date and DD its calendar day (remember, always a Friday!). For instance, the JSON file containing all the IOCs related to the most prevalent threats they have observed between Jul. 16th and Nov. 23rd will have the following link:

https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/597/original/20210723-tru.json.txt

where the <URL_ID> assigned by Talos to this publication is 597.

The <URL_ID> increments each week. The workflow automatically increases the <URL_ID> and checks whether the resulting URL is valid. Once a valid <URL_ID> is found, it is recorded in the SecureX Orchestrator global variable Talos_URL_ID, so that the following week's run can start from the stored Talos_URL_ID value.
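As an added example (not code from the workflow, from Talos or from SecureX Orchestrator), the Python below implements the URL construction and the <URL_ID> walk described in this section: it fills the URL pattern with the Friday date and a candidate id, probes ids upward from the stored Talos_URL_ID until one resolves, and records the id that was found. The bound on how many ids are tried, the injected probe callable and the in-memory dict standing in for the Orchestrator global variable are assumptions of the example; the live HEAD probe is included but not exercised offline.

```python
"""Added example: locate the current week's Talos Roundup IOC file by walking
the numeric <URL_ID> forward from the stored Talos_URL_ID value."""
import urllib.error
import urllib.request
from datetime import date, timedelta
from typing import Callable, Dict, Optional

# URL pattern from the README; <URL_ID> and YYYYMMDD are filled in per week.
BASE_URL = ("https://s3.amazonaws.com/talos-intelligence-site/production/"
            "document_files/files/000/095/{url_id}/original/{yyyymmdd}-tru.json.txt")


def latest_friday(today: date) -> date:
    """Most recent Friday on or before `today`; roundups are published on Fridays."""
    return today - timedelta(days=(today.weekday() - 4) % 7)


def roundup_url(url_id: int, published: date) -> str:
    """Fill the README's URL pattern for one publication."""
    return BASE_URL.format(url_id=url_id, yyyymmdd=published.strftime("%Y%m%d"))


def http_probe(url: str, timeout: float = 10.0) -> bool:
    """Live probe (assumption: a HEAD returning 200 means the file exists).
    Any HTTP error or network failure is treated as 'not published'."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status == 200
    except (urllib.error.HTTPError, urllib.error.URLError):
        return False


def discover_url_id(stored_id: int, published: date,
                    probe: Callable[[str], bool], max_increments: int = 30) -> Optional[int]:
    """Try stored_id, stored_id+1, ... until one URL resolves. The bound is an
    assumption so a week with nothing published yet cannot loop forever;
    returns None in that case."""
    for url_id in range(stored_id, stored_id + max_increments + 1):
        if probe(roundup_url(url_id, published)):
            return url_id
    return None


def discover_and_record(global_vars: Dict[str, int], published: date,
                        probe: Callable[[str], bool]) -> Optional[str]:
    """Resolve this week's URL starting from global_vars['Talos_URL_ID'] and,
    on success, store the id so next week's run starts from it."""
    found = discover_url_id(global_vars["Talos_URL_ID"], published, probe)
    if found is None:
        return None
    global_vars["Talos_URL_ID"] = found
    return roundup_url(found, published)


if __name__ == "__main__":
    # Offline demo with a constructed probe: only id 597 exists for 2021-07-23.
    def fake_probe(url: str) -> bool:
        return "/095/597/original/20210723-tru.json.txt" in url

    store = {"Talos_URL_ID": 590}  # value remembered from last week's run
    print(discover_and_record(store, latest_friday(date(2021, 7, 25)), fake_probe))
    print(store)
```

In the Orchestrator the stored value survives between scheduled runs as a global variable; here the dict plays that role, and the probe is swapped for `http_probe` when running against the real bucket.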

Installation Steps

  1. Go to your instance of SecureX Orchestration and click on IMPORT.

  2. There are two options here: import from a GitHub repository, or browse for / paste the JSON of the workflow.

     Option through GitHub repository (configure the Git Repository with the Cisco Code Exchange -> Explore -> Repository where the workflow is published).

     Option Paste JSON or upload the workflow to import.

  3. When starting the import, a warning will be displayed, because the workflow needs configuration updates. Click UPDATE.

  4. Provide the SecureX Threat Response API credentials.

  5. Provide the email credentials for the SMTP Endpoint.

  6. Provide the Webex Teams Bot Token.

  7. Provide the Webex Teams Bot Token again when asked.

  8. The workflow should now be successfully imported.

  9. Update the SMTP settings with your SMTP server and port information in the SMTP Endpoint.

  10. Verify that the Endpoints listed under Required Targets below have been created under Targets.

  11. Verify that the credentials listed under Required Account Keys below have been created under Account Keys.

  12. Open the workflow; a message will be displayed. Click OK.

  13. In the Canvas, click on warnings.

  14. Select SxTR Check Deliberate Verdict.

  15. Go to Properties of SxTR Check Deliberate Verdict, select Override Workflow Target, and from the list menu select ADD NEW.

  16. Create a new HTTP Target Endpoint (leave the other fields empty, and select the right SecureX Cloud host: visibility.amp.cisco.com for NAM, visibility.eu.amp.cisco.com for EU).

  17. After saving, the warning counter should be down to 2. Now select SxTR Create Casebook.

  18. Select ADD NEW.

  19. Create a new HTTP Target Endpoint (leave the other fields empty, and select the right SecureX Cloud host: private.intel.amp.cisco.com for NAM, private.intel.eu.amp.cisco.com for EU).

  20. After saving, the counter should be down to 1. Now select Webex Teams - Post Message to Room.

  21. Select Webex Teams from Override Workflow Target.

  22. No warnings should now be active (counter down to 0). Validate the workflow.

  23. Verify that the Global Variable Talos_URL_ID has been created. See the Description section of this README to understand the role of the Talos_URL_ID global variable.

  24. Now it is time to test the workflow. Open the workflow and click on RUN; a screen for the input variables pops up.

Please note that these values have (required) defaults in the variables defined in the workflow properties. You can change the defaults there.

  • max_number_retry_iterations is the maximum number of retries the workflow performs in case the IOCs have not been published for the week. Between retries, the workflow sleeps for retry_interval. When max_number_retry_iterations is reached, the workflow sends a notification and quits; it will then be activated again at the next schedule trigger.

  • retry_interval is the sleep time between retries (in seconds)

  • webex_bot_token: you can specify a different Webex Teams Bot token in case you do not want to use the configured one

  • email_recipients, comma separated, to which notifications are sent

  • talos_blog_uri: insert here manually the URI of the IOCs of a specific Talos Roundup

  • webex_room_name specifies the name of the Webex Teams room. Please note that if a room with the provided name does not exist, it will be created.

  25. First do a manual run by providing the URI of the IOCs published in a roundup manually. For instance, go to the Talos Roundup of June 17th 2021 at https://blog.talosintelligence.com/2021/06/threat-roundup-0611-0617.html, click on "here" where the IOCs are published, copy the URL https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/584/original/20210617-tru.json.txt?1623962447, and paste just the relative URL into the workflow input variable talos_blog_uri, in this case /talos-intelligence-site/production/document_files/files/000/095/584/original/20210617-tru.json.txt?1623962447. Then click RUN.

  26. In case of an automatic or scheduled run, the workflow automatically determines the URI for the latest Talos Roundup.

Talos_URL_ID

If you wish to run the workflow again against a past Talos Roundup blog, first modify the global variable Talos_URL_ID by subtracting 50 from the current value. For instance, if the current value of the Global Variable Talos_URL_ID is 550, change it to 500.

Playbook Steps


  1. Through a Schedule trigger, we program the workflow to start every Friday evening (configuring the schedule trigger is outside the scope of this README; use the Schedule capability that SecureX Orchestrator offers). The option also exists to enter a Blog URI manually in case we wish to run the workflow against a previously published blog.

  2. Once the workflow starts, the first step is to build the URI of the blog for the current week, then make an HTTPS request to retrieve the JSON file describing the threats and IOCs.

  3. In case the URI resource (JSON file) is not published yet, a retry mechanism in the workflow checks at a configurable interval whether the JSON file has become available.

  4. Once the JSON file becomes available, an HTTPS request retrieves the IOCs, some clean-up is done, and the threats with their associated descriptions and IOCs are stored in a table.

  5. A communication is sent via email and Webex Teams message to inform that the automatic investigation has started, together with a summary of the threats identified and their respective descriptions.

  6. Then, for each threat, IOCs are extracted from the JSON file and parsed.

  7. The verdict of the IOCs is checked, and those with a Clean verdict are omitted from the investigation in order to reduce false positives.

  8. The actual investigation is then launched through the enrichment process, based on the final list of IOCs denoting the currently analyzed threat, against the customer's integrated security solutions and intelligence sources (public and private).

  9. For each security module that answered (and contributed) during the enrichment process, the returned information is checked to determine whether the customer environment has been impacted. For this we loop through each security module that replied during enrichment, and for each target reported we post on Webex Teams and send an email with preliminary information such as target details, the security module that provided the information, and sightings.

  10. Once all security modules have been processed, and if targets related to the currently investigated threat exist in the customer environment, a new casebook is created with all the IOCs related to the threat, and the casebook link and ID are shared by posting in Webex Teams and via email.

  11. In case no targets have been found, an informational message is sent out in any case.
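The playbook steps above (retry until the JSON is published, parse the threats and their IOCs, drop Clean verdicts, enrich, collect targets per security module, and create a casebook only when targets exist) are shown below as plain Python. This is an added example, not the workflow's own logic or any SecureX API: the IOC document layout, the verdict strings, the shape of a sighting and the `max_number_retry_iterations` / `retry_interval` semantics from the input-variable list are assumptions; every external call (fetch, verdict lookup, enrichment) is injected as a callable so the code runs offline against constructed stand-ins.

```python
"""Added example: the Talos Roundup investigation pipeline in plain Python,
with all external services injected so it can run offline."""
import json
import time
from typing import Callable, Dict, List, Optional, Tuple

Observable = Tuple[str, str]  # (type, value), e.g. ("sha256", "ab...")

# Constructed sample of the weekly IOC document. The real Talos file layout is
# not shown on the page, so this structure is an assumption for illustration.
SAMPLE_IOC_JSON = json.dumps({
    "threats": [
        {
            "name": "Win.Dropper.Example-1",
            "description": "Constructed dropper entry",
            "iocs": {
                "sha256": ["a" * 64, "b" * 64],
                "domain": ["bad.example", " CDN.example "],
                "ip": ["203.0.113.5"],
            },
        },
        {
            "name": "Doc.Malware.Example-2",
            "description": "Constructed maldoc entry",
            "iocs": {"sha256": ["c" * 64], "url": ["http://bad.example/payload"]},
        },
    ]
})


def fetch_with_retry(fetch: Callable[[str], Optional[str]], uri: str,
                     max_number_retry_iterations: int, retry_interval: int,
                     sleep: Callable[[float], None] = time.sleep) -> Optional[str]:
    """Steps 2-3: request the JSON; while it is not published yet (fetch returns
    None) sleep retry_interval seconds and retry, at most
    max_number_retry_iterations times. None means the retry budget ran out."""
    body = fetch(uri)
    retries = 0
    while body is None and retries < max_number_retry_iterations:
        sleep(retry_interval)
        retries += 1
        body = fetch(uri)
    return body


def parse_threats(body: str) -> List[dict]:
    """Steps 4 and 6: one record per threat with a flat, de-duplicated list of
    (type, value) observables; hashes, domains and IPs are normalised to
    lower case, URLs keep their case."""
    threats = []
    for entry in json.loads(body)["threats"]:
        seen, observables = set(), []
        for ioc_type, values in entry.get("iocs", {}).items():
            for raw in values:
                value = raw.strip() if ioc_type == "url" else raw.strip().lower()
                obs = (ioc_type, value)
                if obs not in seen:
                    seen.add(obs)
                    observables.append(obs)
        threats.append({"name": entry["name"],
                        "description": entry.get("description", ""),
                        "observables": observables})
    return threats


def drop_clean(observables: List[Observable],
               verdict: Callable[[Observable], str]) -> List[Observable]:
    """Step 7: omit observables whose deliberate verdict is Clean."""
    return [obs for obs in observables if verdict(obs) != "Clean"]


def find_targets(observables: List[Observable],
                 enrich: Callable[[Observable], List[dict]]) -> Dict[str, List[str]]:
    """Steps 8-9: enrich each observable and group the reported targets by the
    security module that reported them, as {module: [target, ...]}."""
    targets: Dict[str, List[str]] = {}
    for obs in observables:
        for sighting in enrich(obs):  # assumed shape: {"module": str, "target": str}
            bucket = targets.setdefault(sighting["module"], [])
            if sighting["target"] not in bucket:
                bucket.append(sighting["target"])
    return targets


def investigate(body: str, verdict: Callable[[Observable], str],
                enrich: Callable[[Observable], List[dict]]) -> List[dict]:
    """Steps 4-11 for every threat: the casebook is created only when at least
    one module reported a target (step 10); otherwise only a notice is due."""
    results = []
    for threat in parse_threats(body):
        suspicious = drop_clean(threat["observables"], verdict)
        targets = find_targets(suspicious, enrich)
        results.append({"name": threat["name"], "observables": suspicious,
                        "targets": targets, "create_casebook": bool(targets)})
    return results


# Constructed stand-ins for the verdict and enrichment services.
def demo_verdict(obs: Observable) -> str:
    return "Clean" if obs == ("domain", "cdn.example") else "Malicious"


def demo_enrich(obs: Observable) -> List[dict]:
    if obs == ("sha256", "b" * 64):
        return [{"module": "Example Endpoint Module", "target": "host-01"}]
    return []


if __name__ == "__main__":
    body = fetch_with_retry(lambda uri: SAMPLE_IOC_JSON, "/constructed-uri", 3, 60)
    for result in investigate(body, demo_verdict, demo_enrich):
        print(result["name"], "casebook:", result["create_casebook"], result["targets"])
```

The retry budget is enforced before each sleep, so a run with `max_number_retry_iterations = 0` makes exactly one request, and the clean-verdict filter runs before enrichment so that known-clean observables never generate sightings or casebook entries.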

Required Targets

  1. CTR_For_Access_Token (default)
  2. CTR_API (default)
  3. Private_CTIA
  4. SMTP
  5. Webex Teams

Required Account Keys

  1. CTR_Credentials
  2. Webex Teams Token
  3. Email Credentials

Required Atomic Workflows

  1. CTRGenerateAccessToken
  2. Webex Teams - Post Message to Room
  3. Webex Teams - Create Room
  4. Webex Teams - Search for Room
  5. CTR Inspect Observables
  6. CTR CheckDeliberateVerdict
  7. CTR Enrich Observable
  8. CTR Create Casebook

Video

https://www.youtube.com/watch?v=5ZchL_qsRPc

Comments and Suggestions

Please send your comments and suggestions to Nicola (pfiano@cisco.com)

Use Case

Talos Weekly Roundup Blog Automated Investigation

Problem Statement

Security teams are often too focused on dealing with daily incident response fires to dedicate time to proactive and scheduled threat hunting operations to catch emerging threats in their environments. Even when they have enough time to execute threat hunting exercises, correlating intelligence from multiple threat feeds unfortunately is a manual, repetitive exercise that does not leave enough time for decision-making.

Solution

As we all know, every Friday evening, US time, Talos publishes a glimpse into the most prevalent threats they have observed over the current week.

As a SOC analyst following those blogs religiously, you would first want to understand whether any of those threats has had an impact in your environment. Questions immediately arise: Have we seen these observables? Are these observables suspicious or malicious? Which endpoints have the malicious files or have connected to a domain or URL? What can I do about it right now?

Can we automate all of this? The answer is yes!

Traditionally, security analysts would take a “swivel chair” approach to such an investigation, employing a sequence of manual actions and manually correlating the information gathered throughout the investigation. Thanks to the orchestration capabilities provided by SecureX and the Talos Weekly Roundup Blog Investigation workflow, security teams can now schedule this workflow to execute.

Key Customer Outcomes

Accelerated Incident Response:

By replacing low-level manual tasks with corresponding automations, this workflow can shave off large chunks from incident response times while also improving accuracy and Security analyst satisfaction

Increase Analyst Productivity:

Since low-level tasks are automated and processes are standardized with this workflow when investigating the most prevalent threats that Talos has reported during the current week, analysts can spend their time on more important decision-making and on charting future security improvements rather than getting mired in grunt work.

Leverage Existing Investments:

By automating repeatable actions and minimizing console-switching, security orchestration enables customer security teams to coordinate among multiple products easily and extract more value out of existing security investments.

Standardize and Scale Processes:

Through step-wise, replicable workflows like this one, security orchestration can help standardize incident enrichment and response processes, which increases the baseline quality of response and is primed for scale.

Improve Overall Security Posture:

The sum of all aforementioned benefits is an overall improvement of the customer security posture and a corresponding reduction in security and business risk.

Learning Lab

https://developer.cisco.com/learning/modules/SecureX-orchestration
