Transcript
This transcript was autogenerated.
Welcome to this session where I'll talk, as mentioned, about threat hunting and how you can basically automate that. I'm saying "stay ahead of the game" just as sort of a fun title, but obviously it has a meaning. You somehow need to stay ahead of hackers. It's obviously not a game, but they're getting smarter and smarter every day. And they can basically do a million attempts to hack you, but they only need one to succeed. You need to stop all of them or you'll have a compromise. So in this session I'm going to teach you a little bit more about how to proactively hunt for threats. So, as mentioned, my name is Christopher van der Made. I'm based out of the Netherlands and I'm a developer advocate for security. If you have any questions, please drop them in. I'll also pause here and there during the session to make sure that all of them are answered.
So before I start, I would like to make a statement, and that is that there's simply too much information out there. And that is obviously quite a broad statement, but I mean specifically threat intelligence: information about new threats that might be going on, new malware campaigns. And as the audience I specifically mean security operations center analysts. So there's literally too much information to consciously process. Therefore we need to automate as much of this analysis and enrichment as possible, so that your analysts, human beings, only have to look at the things that actually matter. So hopefully at the end of this session this statement will make more sense, and probably you'll already agree with me.
All right, so the agenda for today. First of all, I'll do a quick introduction to threat hunting. I'll then do an introduction to SecureX and Threat Response, which will basically be the main topics that I'll talk about today. I'll then talk about two use cases, one using Twitter, the other one using Talos blogs, but also more blogs as a source of threat intel. It will make a little bit more sense as we go along. And obviously we'll finish off with a conclusion, and I'll save some time at the end in case there are any questions.
So, the introduction to threat hunting. If you ask five different people what threat hunting is, they'll probably all say something different. But I think everyone will agree that threat hunting usually involves proactively hunting for something. So that means you're not reacting, but proactively going out and looking for threats instead of waiting until an alert pops up. There is actually a very smart person who basically wrote an article about threat hunting. I would definitely recommend checking it out. I'm just using this as an example because he had a pretty good threat hunting loop, which I thought was quite interesting. This is basically a continuous process which you should at least be doing at all times if you have a good security operations center. And I have to say, I'm a developer advocate right now; before that I was five years in the field as a consulting systems engineer, and I did not get in contact with a lot of customers that really had a very good security operations center, because people are scarce, and they are expensive because they are scarce. Some people do have the money but just can't find them.
So basically what you should be doing is create hypotheses. For example, a hypothesis could be: I have the feeling we are being attacked by a certain type of new malware campaign. Next up, you go and investigate this malware campaign. So you're going to see what tools and techniques they used. What kind of patterns can you uncover? Finally, you'll start enriching and doing analysis. So basically you're going to test your investigation so far against your own data and global data to see if you can find any correlations. With that information, you can then either confirm or deny your hypothesis. Now, especially that part, the analytics part, and the enrichment part specifically, you can do with a lot of automated methods. During this session today I'm going to tell you a couple of them, but obviously there are way more than we can cover. So this
is also quite interesting. In that same article about threat hunting, the author talks about different levels of maturity that you might have in threat hunting. Basically, if you look at level zero, it relies primarily on automated alerting, with little or no data collection. So basically this means you install a firewall and you just wait until an alert pops up. Level four, if you see that, level four actually says that the majority of the successful data analysis procedures are automated. And I really like that word, automation of the data analysis. And actually doing data analysis in an automated way with tools like SecureX is not that hard. So getting from level zero to four obviously takes quite some governance, and the right procedures and the right people, but you can actually take some stuff from level four quite easily.
Now, just finally, the last couple of slides on threat hunting here. I mentioned this in the beginning already: I see two types of threat hunting. You have on-demand hunting, which is basically more reactive. So something has happened, something was triggered, and you go and do more research. The other one is more automated, continuous hunting. And that's what I'll show you two demos of today. That revolves more around taking in data and automatically cross-correlating or cross-referencing this against your own data, to see if you might have compromises in your organization.
Now this is also interesting. This is the pyramid of pain. If you google the pyramid of pain, well, maybe add cybersecurity, I'm not sure what else you'll find if you google the pyramid of pain, but you'll find this pyramid. Basically they talk about how you can hurt a hacker. So if you look at the bottom, you see hash values and IP addresses. For a hacker, it is like the most trivial thing ever. If their malware file is found by security systems, and that file hash is basically added to a block list somewhere (for example, Talos also does this with our AMP infrastructure), it literally takes maybe one click of a button in their comments, in their code, of their malware, and the file hash will be different. So if you understand how hashing algorithms work, if you make minor changes, the file hash will change. So if you find their file hash, they're like, okay, fine, I'll just generate a new one. That's what we call polymorphic malware, basically malware that can keep changing so that it's difficult to detect. Now, IP addresses and domain names are similar: if you find these from a hacker, they can generate new domain names and host their stuff on a different IP address. So still quite simple and easy. If you really find out their network and host artifacts, this starts to get annoying. Then finding out their tools, their techniques, et cetera, and procedures. The last one: if you find out what they're actually doing, how they operate, yeah, that's killing for hackers, if you ask me. These first four layers, you can probably automate a lot of this stuff around here: finding these, blocking them, et cetera. Up in the chain, this probably requires human interaction. So here you probably need to get your analysts and let them analyze what is going on. So we'll be talking mainly about the first four layers first. And what we want to do is create bite-size chunks for your analysts so that they can do the top two layers. So, yeah, let's find out what we can do.
Now, in this session we will use two tools, basically. Well, probably more, but two main tools. One is Python, my favorite programming language right now, which I switched to a couple of years ago. Well, actually probably seven or eight years ago I switched to Python from other languages. And yeah, I prefer it a lot, and within Cisco we use it a lot, so it makes sense to talk about it today. The other one is SecureX. SecureX was launched, well, specifically Threat Response was launched a couple of years ago. SecureX is basically now the platform within our Cisco security portfolio, and Threat Response is one of the applications or features of SecureX. But mind you, Threat Response was there actually earlier. Now that we've talked about threat hunting, I want to dive a little bit more into SecureX and Threat Response. Just a quick summary of threat hunting: in my opinion, what we'll be talking about today is more the continuous, automated threat hunting. That means that you're proactively looking for threats in your environment. And yeah, the enrichment of data and the cross-referencing of data we can very well automate. And obviously we're going to use SecureX and Threat Response for it. So if you look at SecureX, I prefer not to use marketing slides, so I usually dive into this slide.
SecureX is an architecture. It's not really a product. We actually offer it for free to customers. So if you buy one Cisco security product, you get SecureX included. It's basically an architecture or a platform that contains multiple features. First of all, you need to log in to the dashboard. We do that with Duo. You then have features like SecureX Threat Response and SecureX Orchestration. These are two big applications within the SecureX architecture. For those that know, the orchestrator is actually based on Action Orchestrator, which has now been sort of internally acquired by the security business group, and it's now fully integrated into SecureX. This is basically a low-to-no-code orchestrator. Threat Response we'll talk about in a little bit more detail later. But basically it allows you to investigate threats and respond to threats as well. So this is also that response. You can also trigger orchestration workflows from Threat Response. Now, on the right here we see our Cisco products and we see important arrows going back and forth. On the one hand we see local threat intelligence; for example, this can be firewall logs that we query from SecureX. It can also be global threat intelligence that we query, for example, from Talos or AMP, Advanced Malware Protection. But we can also send response actions and triggers back and forth. So basically we can do read operations but also write operations, if you make it very simple. On the same hand, we can do that on the left as well, with third-party products. So we don't just do it with Cisco, we do it with third parties as well. And yeah, we have a ribbon framework, which is sort of a pop-up window that you have in SecureX and now in the whole of Cisco's secure portfolio. Basically you can cross-launch into other applications with the ribbon. You can also cross-launch into Threat Response, et cetera. So it's quite a cool framework, and I'll show it to you in a demo later.
What SecureX basically does, and specifically also Threat Response, is API aggregation. So SecureX pulls data and pushes data through APIs. If I were to do anything in SecureX and I click the close tab button, then the tab will be closed and the data will be gone. Or maybe it will be temporarily stored somewhere in cache; well, actually, I don't think we do that. So we are not a SIEM, a security intelligence and event management system. We don't gather data. We pull data when we need it, and we push data when we need it. And that is actually quite a powerful platform. You could call SecureX a SOAR, a security orchestration, automation and response platform. There are discussions you can have whether we are SOAR, but we're definitely not a SIEM. And in a lot of organizations we can actually replace the SIEM, or there is no need for a SIEM, because we only pull the data when we have to, directly from the products. So we leave the data where it's being generated. Now, an important piece,
without going into too much unnecessary detail, is CTIM. CTIM is probably one of the most important things that is the foundation of SecureX. This is basically a data model. It stands for Cisco Threat Intelligence Model, and this allows us to describe threat intelligence. Now, don't look at all the details here, but you'll probably hear me say observables. An observable can be a domain name, IP address, et cetera. And all of these objects, the data objects that you see here, can have a relationship with observables, or observables can be a part of those objects. And a verdict and judgments: so a judgment is, hey, this IP address is bad. So a judgment can be about an observable. A verdict can be like, hey, we have five judgments, but this is our final verdict. A sighting means, hey, this was seen in my organization; someone reached out to that observable. We have a couple of others, we'll talk about that later. But just know that this data model is very important, because you have dozens, hundreds of security products that all use their own data model. And if you want to be a platform, you need to have a standardized, reliable model where you can translate everything into, and in the end that's what we do with SecureX. We translate back and forth into CTIM, which allows us to do that cross-referencing, because everyone speaks the same language, within air quotes. So you can also recognize CTIM in SecureX Threat Response; for example, you can see the judgments, verdicts and sightings. Sightings or target sightings actually show up as a target. This basically means it's a sighting which actually has a host device of your organization, for example an iPhone or a MacBook or a server, which has actually reached out to a domain or something similar like that. So targets and sightings are very important, because if we have them, it means we probably need to do some more investigation.
Now we can also interact with CTIM from the API, obviously. So everything in SecureX is built on top of APIs. It's built with an OpenAPI spec and it uses OAuth 2 as authentication, so a standardized API method. And you can also interact with the Swagger UI, or I think it's called the OpenAPI explorer. Now you can also interact with it, and here you'll see some raw CTIM JSON. This is how you describe observables in JSON: you give it a value and the type. Now obviously you can also interact with CTIM via the API in Python, or in any language that can do an API call. So here you see a couple of examples of that. So yeah, those are all quite interesting ways of interacting with CTIM. I see the arrows stayed behind, but this is just to show you a workflow that you could use in Threat Response: you can use intel resources, casebook or incidents as basically the source of your investigation. From there, SecureX will pull information from all kinds of threat intelligence sources, but also from local threat intelligence. So, has it been seen in your environment? And finally, you can actually take actions like blocking something, all from Threat Response. And all of this, because it's API-first built, we can also do from Python. And yeah, that is quite interesting.
Yeah. So now let's talk more about integrating with SecureX. So I talked about the APIs. I just also wanted to mention two other ways that you can integrate with SecureX. In the end, everything works based on the API, so number one is the real one. But you can use SecureX Orchestration, the low-to-no-code orchestrator which is now inside of SecureX, to interact with these APIs in a low-to-no-code way. So you don't need to actually write any syntax. You still need to know sort of how programmability works, of course, but that is also a great way to get started. And finally, we also have SecureX relay modules, and this is the most native way of integrating with SecureX. It is built on top of the SecureX APIs, and it allows you to add an extra module which is being queried. Basically all our third-party integrations work with these SecureX relay modules, and all of our products in the end as well. Probably they just built a relay module into the AMP cloud, for example, but they all work in a similar way. The relay modules are all open source, so you can find them on GitHub. There is a Cisco Security GitHub which we can share in the chat. And actually, if you're interested in looking into that, and maybe you are here from engineering and you're like, hey, let's see if we can integrate our product into it, I would definitely check that out. And on developer.cisco.com/securex we actually have a learning lab that teaches you to work with the APIs, the orchestrator, or with the relay modules. So all of these methods.
All right, so now we've talked about threat hunting. We've talked about SecureX and Threat Response. Now let's dive more into an actual use case where we're going to combine threat hunting with SecureX. The first one is going to be Twitter. Probably you all know Twitter or use Twitter, and we're going to ingest Twitter to look for threat intelligence. Then we're going to do automated enrichment, and we're going to take some actions, and I'm also going to attempt to do a live demo. But everything will be around #opendir. I'm not sure if you guys know the hashtag #opendir, but it's quite an interesting hashtag, because it's used by, basically, how do you call it, white-hat hackers or ethical hackers or cybersecurity analysts to basically make new research about fresh malware available to the public. Here's an example of the timeline. This was a while ago, but as you can see, I'm searching for the hashtag #opendir. And you can find people posting like, hey, this domain I found is actually malicious. Or here, hey, these IP addresses, they're trying to exploit from this. So that's actually quite interesting. As a demo, I actually did this tweet, was this like an hour and a half ago, and we're going to try in my demo to also find this. Specifically, we're going to look for this observable, which can be a malicious observable. And actually it is a malicious observable. So I did this tweet. Let me quickly jump over to actually show it to you live. Here's that tweet. I also tagged Stuart in it. I see he might have quoted it as well. So we're going to see what this demo looks like with this live tweet. There are actually many tweets out there, as you can see. So they're not necessarily, I think, a couple of them per day, but still too much information to check every day, right? Or every hour. So you want to automate stuff like this.
So we're going to try and find that. I built a script that does exactly this. So the first time the script runs, it's going to retrieve all the tweets possible from that hashtag. You can also add more hashtags. Obviously it's then going to parse and clean the tweets. If it wasn't the first time the script runs, it will actually check if there are new tweets available. I'll talk to you a little bit about the Twitter API, but you can sort of say, oh, give me only the tweets that have been tweeted since this time. Probably you want to run it every day or every couple of hours. If there are no new tweets, we're going to sleep and wait until the scheduled interval hits again. Now we're going to then actually retrieve observables with the SecureX Inspect API. This is an API that you can give a blob of text, and it will give you back the domains, IP addresses, file hashes and email addresses that it finds in it. It's a very powerful regex API, basically, which SecureX Threat Response uses a lot. It will then check: are there any observables? If so, we're going to enrich these observables. If not, we're going to skip the tweet and give some user feedback. Now this is important. When we actually find observables in the tweet, we enrich the data and we find that we actually have target sightings in our environment. This is interesting, because this means an ethical hacker tweeted about a new domain name, for example, like I just did, and someone in your organization actually made a connection to that domain. What we then do is we create a case in casebook in SecureX and we send a Webex Teams alert with a high priority tag. If not, we'll still create a case (you can actually turn this off) and we'll send a Webex Teams alert, but it probably requires less work or no work, because you don't have anyone in your organization who reached out to it. Now, if there are any more tweets in the queue, we're going to go like this. If not, it's going to sleep. So this is sort of what the script looks like. This is the result which you'll get. So you'll get a high priority tweet. You'll see that my tweet is actually here. If you click on this link, it will jump to the actual tweet, and it will do the research. You can actually investigate this, and it will find if someone reached out to that observable. If someone did, you'll get this, and I'll actually post a tweet in Webex Teams and then say like, hey, you have from the AMP module three targets, three different targets. So you probably want to check this out quickly.
Now let's go over to the demo. So at the basis of this, we have the Twitter search API, and it just allows you to basically query hashtags, et cetera. If you want to get access to this, it's definitely cool. You do need to get a developer account on Twitter. You can just request this and say, hey, I'm doing research or whatever and I'm not going to use it for commercial purposes, and they will give access to it. And let me jump to the actual script. Here is the Python script. I'm not going to walk with you through every line. I just want to mention to you that all of it is on my GitHub here, so you can check it out. I think we can also drop a link in the chat, and basically I explain everything to you, how to install it, et cetera. It's not that hard if you understand Python, but basically I have a config file with three different parts: one for Threat Response, Webex and Twitter. And this since_id is definitely important. By default it's set to zero, but the first time you run it, it will be set to, I think it's using the epoch time or whatever, epoch time, however you pronounce that, and it will use that to see if you need to find new tweets. So now let's actually run it, right, because we want to find more tweets. So I do need to do one thing, and luckily we're internal. I just ran this earlier and I want to set it to zero again.
And we're going to run the file. So you see that the config file was loaded. You see a new tweet was detected. And what it's going to do now is clean the tweet, find observables, find sightings, if there are any. And if there are, it will then create a case in casebook and send a Webex Teams message. So you see here that actually, since I tweeted, you see now that I was retweeted as well, and probably the tweet after this will be my tweet that I did just before the session. And you see here that Stuart Clark, that his tweet was parsed. So what you can see here is that they are actually being created. And you see here, this is my tweet by Cisco DevNet. And not all of them are high priority. So this one is not high priority. This one is, because there are actual target sightings. This one doesn't have that. What we can actually do is, from here, I could immediately start an investigation. I can also, for the sake of the environment, let's not burn more cycles than needed. You've seen how it goes. What we can also do is find them here, of course. So here we are in SecureX and we have casebook. And here you see actually all of them being added. Now you see my and Stuart's tweet being high priority, because that tweet contains internetbadguys.com. And internetbadguys.com is actually something that I've triggered an alert on earlier in my demo environment. So this is quite interesting. You see obviously also a couple of other tweets. So you can check them out here. If they are interesting, you can still investigate them. So you can click on investigate. But probably we're not going to find any targets, because we already did this investigation with the API. So we actually saved a lot of work here for our security operations center workers, because they don't need to manually grab data from that tweet and then put it in Threat Response and see if we have targets. All they need to do is monitor this space, and whenever something with high priority comes in, they need to click the link and it will automatically start that investigation, as you can see here. So, yeah, I hope this was a cool demo. I always really like it, because you can do a live tweet and it will actually find it if you add that hashtag. I don't want to convolute this, so I do always add something that is actually malicious. I don't want to be adding google.com or whatever here, in case some other person is doing something with this API.
So again, everything is on my GitHub, which is over here. And you can definitely check it out if you're interested in it. Basically, there's a lot of connections which you can just take from me and reuse as you see fit. And you can just use different sources than tweets, right? In the end, this is where that magic happens, where I'm checking if we have returned sightings or not. If there are zero, which is usually the case, hopefully, we'll just send a normal message, and otherwise we'll send the high priority message. As you can see here, it actually took me quite a while to make all of this markdown, which was quite fun to work with, to make sure that you get that line, et cetera. All right, so this brings me to the second use case, which will be a bit shorter, because I'm not going to do as extensive a demo on this one, but I did want to share this one. So Talos Intelligence is probably known to everyone, but it is Cisco's threat intelligence organization. They have a pretty epic blog where they post blog posts about new malware campaigns. They sometimes are referenced in the New York Times, et cetera, when there's a new outbreak. So they're really cool. Now you could say, why would I care about that blog? Because everything that's in that blog is already blocked by Cisco, right? Well, it could be that if something is a zero day and it is being blogged about, and someone reached out to that domain or IP address or file hash 29 days ago, or whatever the time limit is on that product, you might get a hit from a while back, which is still very important. So what we're going to do is use this as a resource as well. This is a little bit of an older screenshot. As you can see, this is the first iteration of my script. They post a couple of blog posts per week. Often they contain insights, and they contain many interesting observables, as you can see here at the bottom, also called indicators of compromise. And now there are many more blogs out there like Talos. So yeah, here you see those observables. So how can anyone keep track of and follow certain hashtags and certain blog posts? How can you do that and also respond to alerts? Well, the answer is you can't, unless you maybe can hire 100 people. So I did a very similar script. I'm going to go a little bit more quickly through it, but basically the tweet is now a blog, and we can go through multiple blog posts, actually. So I've also added FortiGuard from Fortinet and Unit 42 from Palo Alto as well, which are obviously our competitors. But I mean, they might also have interesting information that we should look at.
So yeah, here you just see some code snippets of when we're creating a case in casebook, how simple that is. All you need to give it is some JSON, and we're basically doing a POST with that JSON message, or JSON payload, I mean. And this is basically how to extract observables. So this is that Inspect API endpoint that I talked about earlier. We can give it that raw text, as you can see here, and even defanged IP addresses, as it's sometimes called, we are able to parse out as observables. So all you need to do is send that blob of text as the data payload, and it will return you observables in the exact CTIM data format that we need. All right, so I'm not going to show you the entire demo of this, but I did want to share with you that this is also on GitHub. There is a demo which you can watch, but we're also nearing the end of the presentation. I think the demo is, what is it, 15 minutes or something? Yes, so let's not check those 15 minutes right now. But I just wanted to mention I have a similar config file like I did with the Twitter script. But what I do here is loop through RSS feeds, and what I then do is grab the body of a blog and send that as raw text to the Inspect API, just to show you how powerful that is. And I do that for all of these. And similarly, like with the Twitter API, there is an RSS feed or an RSS, I forgot the name of it. It's called feedparser. This is basically a Python library or Python module which you can import, and it will actually be able to look at some metadata of an RSS feed so that you only import the latest blog post. And that is again a measure I took against noise. You don't want to import the same one twice. And just to show you how that works, as soon as the script runs, it will actually write this here. This is for Twitter, but I'm doing the exact same thing for the Talos blog posts as well, as you can see here, which I actually renamed to RSS feed since we can do new. So I'm actually writing the config back all the way at the end, as you can see here. So let me just show you here. I'm writing the config all the way at the end to make sure that the last etag and last modified are checked. And that is also something that I'm checking at the beginning. Has there been a new blog posted? Yes or no? All right, so I promised this was a little bit of a shorter demo, but I hope that you believe me that I can do the exact same thing. And actually, by the way, to prove that, I think I saw some in my casebook, actually. So here you see, for example, the FortiGuard RSS feed. And if I scroll further down, you'll probably see the Talos one as well.
So without further ado, I'll move to some conclusions, which I hope you agree with. So we're nearing the end of the presentation, but I still have some stuff I wanted to show. Is this easier than manually searching Twitter? I'm very curious if you agree. If so, I really hope that we can get our customers to start working with this as well, and asking Cisco and our partners to either build stuff for this or to do it themselves; that would just be awesome. Some other summaries. Threat hunting is all about gathering data from internal monitoring and intelligence, or global and local threat intelligence, as it is sometimes called, and then cross-referencing it. Threat hunting is not something you just do on demand. It should be something that you continuously do in the back end. SecureX and SecureX Threat Response can help with this, and the SecureX API definitely can help automate a lot of this. So with that, we have also covered the conclusion, and I hope that this statement now makes a little bit more sense than in the beginning. With that, I would like to thank everyone for watching and listening. I hope you enjoyed the session and learned something new. If you do have any further questions, please feel free to reach out. Thank you very much and have a great rest of your day.
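The flow the speaker walks through for both demos (new tweet or blog post, extract observables, check for local sightings, file a case at normal or high priority, remember where you left off) can be modelled offline. The following is an added example written for this transcript; it is not the speaker's GitHub script and it does not call the SecureX API. The Inspect API is stood in for by a local regex extractor that emits CTIM-style `{"type": ..., "value": ...}` observables and also refangs `hxxp`, `[.]` and `[at]` notation, the Threat Response sightings query is stood in for by a constructed dict of observable to local hosts, and the sample tweets, host names and `since_id` handling are constructed for the example.

```python
"""Offline model of the tweet-to-case flow described in the talk.

Added example: not the speaker's script and not the SecureX API. The Inspect
API is replaced by a local regex extractor emitting CTIM-style observables,
and the Threat Response sightings lookup by a constructed dict.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Undo the defanging researchers use when posting IOCs ("hxxp", "[.]",
# "(dot)", "[at]") so the patterns below can match the real values.
_REFANG = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"\[@\]|\(@\)|\[at\]|\(at\)", re.I), "@"),
]

# Simplified stand-ins for the Inspect API's patterns (assumption: the real
# API recognises more types and is more precise than these regexes).
_URL = re.compile(r"https?://[\w.-]+(?:[:/][^\s\"'<>]*)?", re.I)
_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                     r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def refang(text: str) -> str:
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def inspect(text: str) -> list[dict]:
    """Return de-duplicated CTIM-style observables found in a blob of text."""
    text = refang(text)
    out, seen, claimed = [], set(), []

    def add(otype: str, value: str) -> None:
        value = value.lower()
        if (otype, value) not in seen:
            seen.add((otype, value))
            out.append({"type": otype, "value": value})

    # URLs first: report the URL plus its host, and claim the span so the
    # domain pattern does not also report "payload.exe" from the path.
    for m in _URL.finditer(text):
        url = m.group(0).rstrip(".,)")
        add("url", url)
        host = urlsplit(url).hostname
        if host:
            add("ip" if _PATTERNS["ip"].fullmatch(host) else "domain", host)
        claimed.append((m.start(), m.end()))
    for otype, rx in _PATTERNS.items():
        for m in rx.finditer(text):
            if any(s <= m.start() < e for s, e in claimed):
                continue
            add(otype, m.group(0))
            if otype == "email":          # keep its domain part out of "domain"
                claimed.append((m.start(), m.end()))
    return out


# Constructed stand-in for local telemetry: observable -> hosts in "our"
# environment that reached out to it (a sightings query in the real script).
LOCAL_SIGHTINGS = {
    ("domain", "internetbadguys.com"): ["laptop-0042", "srv-web-01", "iphone-17"],
}


def enrich(observables: list[dict]) -> list[str]:
    """Return the sorted set of local targets that touched any observable."""
    targets: set[str] = set()
    for o in observables:
        targets.update(LOCAL_SIGHTINGS.get((o["type"], o["value"]), []))
    return sorted(targets)


@dataclass
class State:
    """Persisted between runs, like the since_id the talk writes back to its config."""
    since_id: int = 0


def process_items(items: list[dict], state: State) -> list[dict]:
    """Walk new items (oldest first) and decide per item: skip (no
    observables), normal case, or high-priority case (local targets seen)."""
    results = []
    for item in items:
        if item["id"] <= state.since_id:
            continue                      # already handled in an earlier run
        state.since_id = item["id"]
        observables = inspect(item["text"])
        if not observables:
            results.append({"id": item["id"], "priority": "skipped",
                            "observables": [], "targets": []})
            continue
        targets = enrich(observables)
        results.append({"id": item["id"], "url": item["url"],
                        "priority": "high" if targets else "normal",
                        "observables": observables, "targets": targets})
    return results


# Constructed sample tweets (not real posts); ids play the role of tweet ids.
SAMPLE_TWEETS = [
    {"id": 101, "url": "https://twitter.com/example/status/101",
     "text": "#opendir hxxp://internetbadguys[.]com/payload.exe dropper "
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": 102, "url": "https://twitter.com/example/status/102",
     "text": "#opendir nothing new today, just a reminder to patch"},
    {"id": 103, "url": "https://twitter.com/example/status/103",
     "text": "#opendir C2 at 203[.]0[.]113[.]7, abuse contact abuse[at]malicious[.]example"},
]

if __name__ == "__main__":
    state = State()
    for r in process_items(SAMPLE_TWEETS, state):
        print(r["id"], r["priority"], r["targets"], [o["value"] for o in r["observables"]])
    print("next since_id:", state.since_id)
```

Running it once files tweet 101 as high priority (three local targets for internetbadguys.com), skips 102, files 103 as normal, and leaves `since_id` at 103; a second run over the same tweets does nothing, which is the noise control the talk gets from `since_id` for Twitter and from the feed's etag and last-modified values for RSS. In the real pipeline, `inspect` is the POST to the Inspect API and `enrich` is the sightings lookup; everything else is the same decision logic.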