Security Validation with Cisco SecureX

About this idea

It's one thing buying security controls for your endpoint, email etc., but what are you doing to confirm that they are alerting and reacting as you expect? In addition, is it a manual process that typically requires someone within the security team to proactively perform this testing to then highlight what success looks like?

With Cisco SecureX you can automate this process and deliver relevant information back to your team and management on how your investment in security is ensuring that your organisation is defended as intended and informed of any compromise attempt. It's an example of how through simple automation via SecureX you can change the way you perform the everyday tasks of securing your environment.

There are currently 3 type of events that can be generated by the scripts under "Modules" folder.

DNS events against Cisco Umbrella
Endpoint events against Cisco Secure Endpoint (f.k.a. AMP4E)
IPS events against Cisco NGFW

More to come for other products such as ESA, WSA, Stealthwatch, etc.

How it works

There are multiple components required to automate the process. Here are the high level steps for each use case:

SecureX Remote Connector generate attack activity, e.g. malicious DNS lookup against Umbrella VA
Check expected result, e.g. DNS sinkhole address
Check SxTR Sighting
(Optional) Check SIEM logs, e.g. Splunk API query
Update test result for Dashboard tile
(Optional) Send notification, e.g. Webex message

Prerequisite and Note

The scripts are based on SecureX - APJC instance. Please update the URL for other regions.
SXO Remote VM already deployed with ssh root access. Check SecureX document for details.
The script creates a SecureX casebook with title "SecurityValidation_Results" to save the last test results in the notes section, which is used for dashboard tiles from relay module. DO NOT modify this casebook.
SIEM integration with Cisco products. The workflows use Splunk with Cisco products TA configured. Please validate the Splunk query syntax against your environment.
If this is not required, please skip and disable Splunk activities from SXO workflow.
Webex bot and credentials for sending message. Check Webex and SecureX document for details.
If this is not required, please skip and disable Webex activities from SXO workflow.

Installation

SXO VM Preparation

Login to SXO Remote VM and install python
sudo apt-get update
sudo apt-get install python3.8 python3-pip python3.8-venv
mkdir /home/ubuntu/SecValidation && python3 -m venv /home/ubuntu/SecValidation/venv
Download repo to /home/ubuntu/SecValidation/ and test /home/ubuntu/runMyAPI.sh. Install missing dependencies from requirements.txt
Update root crontab to automatically start the python script
crontab -e
#Add this to the end of the crontab:
@reboot su -c '/home/ubuntu/runMyAPI.sh' -s /usr/bin/bash ubuntu 2>&1
Reboot SXO VM and confirm the scripts are running.

SecureX Workflow - Umbrella DNS Validation

This workflow will query your local DNS server (Cisco Umbrella VA) with a malicious DNS request. It expects a sink-hole address response and checks logs from CTR/Splunk.

Import Umbrella_DNS_Validation.json workflow.
Confirm the target is using the Remote connector as IP "172.17.0.1", which is the local IP on docker NIC. Do NOT change this IP.
Update workflow variables:
"DNS_Server" - this is your internal Umbrella VA to resolve DNS requests
"Remote_SXO_IP" - this is your Remote SXO IP address, which will be used for CTR and Splunk log search
If Splunk is in use, update Splunk Target with Credentials. Update Splunk query syntax against your deployment if necessary.
If Webex is in use, update Webex Target and Credentials.
Add scheduler trigger for the workflows if required.
Here is the screenshot of a webex message showing the workflow result.

SecureX Workflow - Secure_Endpoint_Malware_Validation

This workflow will drop an EICAR test file to your Windows PC, (with Cisco Secure Endpoint already installed), via remote PowerShell. It will check logs from Secure Endpoint API and Splunk to confirm successful detection.
Make sure PowerShell Remote service and firewalls permit traffic from your SXO Remote connector to the PC

Import Secure_Endpoint_Malware_Validation.json workflow
Update workflow variables:
"Query_IP" - this is your PC IP address
"username" - username that powershell will use to execute
"password" - password that powershell will use to execute
If Splunk is in use, update Splunk Target with Credentials. Update Splunk query syntax against your deployment if necessary.
Add scheduler trigger for the workflows if required.
Here is the screenshot of a webex message showing the workflow result.

SecureX Workflow - IPS_Validation

This workflow will launch a dummy Log4j attempt to one of your internal web server. Make sure NGFW are deployed to detect such traffic. FMC should be integrated with SecureX to send those events to SSE, which should be promoted to incidents. The workflow will validate the private intelligence sources and Splunk to confirm successful detection.

Import IPS_Validation.json workflow
Update the internal web server target IP in "Lab_Apache_SXO"
Update workflow variable:
"Remote_SXO_IP" - this is your Remote SXO IP address, which will be used for CTR and Splunk log search
If Splunk is in use, update Splunk Target with Credentials. Update Splunk query syntax against your deployment if necessary.
Add scheduler trigger for the workflows if required.
Here is the screenshot of a webex message showing the workflow result.

Dashboard Tiles

Download and deploy "Dashboard_Relay" to your server.
Rename "config.py.example" to "config.py" with your JWT keys
Update "SECUREX_CLIENT" with your SecureX API client credential, with permission to casebook in order to retrieve test results.
Update SecureX URL in utils.py and dashboard.py, if not in SecureX APJC region.
Add a new "Generic Serverless Relay" module and enable the tile to the dashboard.