Cisco Secure Network Analytics provides comprehensive, real-time visibility and security insight across both on-premises and cloud environments. The purpose of this blog post is to look at two ways of using threat intelligence within Secure Network Analytics. We will first explore the threat intelligence feed, and then look at using your own internal threat intelligence within the product. The National Institute of Standards and Technology (NIST) defines threat intelligence as “threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.” We can use threat intelligence to gain insight into an adversary’s motivations and to detect their activity, and so inform strategic decisions. Secure Network Analytics can use threat intelligence to alert you immediately to potential threats in your network, so that you can act proactively to mitigate them.
Secure Network Analytics offers a global threat intelligence feed that draws on numerous Cisco and security-industry sources to identify threat intelligence indicators. Powered by the Cisco Talos intelligence platform, the feed is automatically updated every 30 minutes with known malicious command-and-control (C&C/C2) servers, bogon IP address space, and Tor entry and exit nodes, and updated daily with the Talos IP block list. The indicators are placed into pre-built host groups. Alerts fire whenever successful or attempted communication occurs between your network and the hosts in the threat intelligence feed.
Figure 1. With the Threat Intelligence Feed enabled, the feed’s parent host groups appear in the host group tree. Each parent host group contains many small child host groups, each named after the botnet or campaign it covers.
Figure 2. Under the parent host group there are many small child host groups; at the time of writing there are 113 of them. Command-and-control (C2) detections are labeled with the name of the specific botnet or campaign, so you can quickly identify the threat you are dealing with.
To enable the Threat Intelligence Feed, follow the steps below. For detailed guidance, search for “threat feeds” in the Manager’s online help.
- From the main menu, choose Configure > Global > Central Management.
- On the Inventory tab, click the three dots (…) next to the Manager.
- Choose Edit Appliance Configuration.
- On the General tab, locate the External Services section.
- Select the Enable Threat Feed check box.
- Select the Feed Confidence Level from the drop-down menu.
The Threat Intelligence Feed enables 13 preconfigured security events by default. They fall into three categories: botnet (C&C) activity, Tor, and bogon addresses.
- Bot: malware that performs specific tasks when it receives commands from a command-and-control (C2) server, allowing the attacker to remotely control the infected system or device. A network of compromised computers controlled by a single actor is called a botnet.
- Tor: originally The Onion Router, Tor anonymizes internet connections by routing them through a series of relays before they leave the Tor network. The entry guard is the first relay a client connects to; traffic then passes through at least one more relay and leaves the network through an exit node.
- Bogon: an IP address that has not been assigned by the Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR), and therefore should never appear in use. A bogon IP address usually indicates either spoofed traffic or a network configuration error.
The 13 security events driven by the Threat Intelligence Feed, with brief descriptions:
- Attempted C&C Activity – A host in your network has attempted to communicate with a known command and control (C&C) server, but was not successful.
- – A host in your network has communicated with a known command and control (C&C) server.
- – Indicates that a host in your environment is being used to help compromise hosts outside your environment by acting as a command and control (C&C) server.
- Identifies attempted connections to hosts in your network from Tor exit nodes.
- Identifies successful connections to hosts in your network from Tor exit nodes.
- Detects attempted connections from hosts in your network to Tor entry guard nodes.
- Detects successful connections from hosts in your network to Tor entry guard nodes.
- A host in your network is advertising itself as a Tor entry guard node.
- A host in your network is operating as a Tor exit node.
- Detects attempted connections to hosts in your network from a bogon IP address.
- Detects successful connections to hosts in your network from a bogon IP address.
- Detects attempted connections from hosts in your network to bogon IP addresses.
- Detects successful connections from hosts in your network to bogon IP addresses.
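The following is an added example, not code from the original post or from Cisco: a small Python classifier that reproduces the logic behind the feed-driven events listed above (direction, attempted versus successful, and which host group the external peer falls in), run over a handful of constructed flow records. The inside-host ranges, the stand-in host groups (RFC 5737 documentation addresses, not real indicators), the bogon list and the event labels are all assumptions made for this example; the product takes its host groups from the Talos feed and uses its own event names.

```python
"""Toy reconstruction of the logic behind the threat-feed security events.

Added example, not Cisco's code. Everything here is constructed: the
inside-host definition, the stand-in host groups (drawn from the RFC 5737
documentation ranges, so they are NOT real indicators), the event labels,
and the sample flows. A real deployment takes these groups from the feed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed definition of "inside hosts" (RFC 1918 space).
INSIDE_HOSTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed stand-ins for the feed's host groups. 10.9.9.9 is an inside host
# deliberately listed as a C&C server to exercise that event.
CC_SERVERS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.11", "10.9.9.9")}
TOR_ENTRY_GUARDS = {ipaddress.ip_address("198.51.100.5")}
TOR_EXIT_NODES = {ipaddress.ip_address("198.51.100.9")}

# Constructed bogon list: special-purpose ranges that should never appear as a
# public peer. The real feed also carries unallocated space, which cannot be
# known offline. RFC 1918 and RFC 5737 ranges are left out only because this
# example uses them for inside hosts and sample peers.
BOGON_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.0.0/24", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Flow:
    src: str       # client (initiator) address
    dst: str       # server (responder) address
    replied: bool  # True if the server answered, i.e. the connection succeeded


def is_inside(ip) -> bool:
    return any(ip in net for net in INSIDE_HOSTS)


def is_bogon(ip) -> bool:
    return any(ip in net for net in BOGON_RANGES)


def classify(flow: Flow) -> Optional[str]:
    """Return the event label a flow would raise, or None if it matches nothing."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if is_inside(src) == is_inside(dst):
        return None  # inside-to-inside or outside-to-outside: not a feed event
    outbound = is_inside(src)
    inside_host, peer = (src, dst) if outbound else (dst, src)
    outcome = "successful" if flow.replied else "attempted"
    if inside_host in CC_SERVERS:
        return "Host acting as C&C server"  # one of our own hosts is in the C&C list
    if outbound and peer in CC_SERVERS:
        return f"{outcome.capitalize()} C&C activity"
    if outbound and peer in TOR_ENTRY_GUARDS:
        return f"Outbound Tor ({outcome})"
    if not outbound and peer in TOR_EXIT_NODES:
        return f"Inbound Tor ({outcome})"
    if is_bogon(peer):
        direction = "Outbound" if outbound else "Inbound"
        return f"{direction} bogon ({outcome})"
    return None


def detect(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run the classifier over a flow list and keep only the flows that raised an event."""
    hits = []
    for flow in flows:
        event = classify(flow)
        if event is not None:
            hits.append((flow, event))
    return hits


# Constructed sample flows: one per event type, plus two that must stay quiet.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "203.0.113.10", False),    # attempted C&C activity
    Flow("10.1.1.5", "203.0.113.11", True),     # successful C&C activity
    Flow("198.51.100.9", "10.1.1.20", True),    # inbound from a Tor exit node
    Flow("10.1.1.7", "198.51.100.5", False),    # outbound to a Tor entry guard
    Flow("10.1.1.8", "100.64.3.3", False),      # outbound to a bogon address
    Flow("0.1.2.3", "10.1.1.20", True),         # inbound from a bogon address
    Flow("203.0.113.77", "10.9.9.9", True),     # inside host listed as C&C
    Flow("10.1.1.9", "203.0.113.250", True),    # ordinary external peer: no event
    Flow("10.1.1.9", "10.1.1.10", True),        # inside-to-inside: no event
]

if __name__ == "__main__":
    for flow, event in detect(SAMPLE_FLOWS):
        print(f"{flow.src:>14} -> {flow.dst:<14} {event}")
```

The one design choice worth noting is the order of the checks: an inside host that appears in the C&C group is reported before anything else, because that condition says something about your own host rather than about its peer, and the bogon test runs last so that a peer already explained by a C&C or Tor listing is not double-reported.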
Find more details on these and other security events in the Security Events and Alarm Categories documentation. As of the latest Secure Network Analytics release, 7.5.0, you will need to review the settings for these events in your default policies (and any others you have defined) on the relevant tab. I suggest enabling the alarm for every event you want to be notified about, since some are set to “” by default.
Figure 3. Some events are set to “” by default in the default policies.
As a quick test, I looked at one of the threat intelligence feed security events in my lab. I used an Ubuntu Linux virtual machine. After downloading the Tor Browser, I connected to the Tor network and visited a popular dark web search engine via its .onion address. The security event fired within minutes.
Figure 4. Tor Browser navigating to a popular dark web search engine by entering its .onion address in the URL bar.
Figure 5. The security event fired as expected. Two connections to Tor exit nodes are shown, because two separate connections were made. The Notes column identifies the target host as ___________, and the geolocation matched it to the corresponding country. In this case we are looking at Tor entry nodes.
Talos does an excellent job of keeping up with the evolving threat landscape and emerging threat actors. If your organization has its own internal threat intelligence, you can use individual indicators in Secure Network Analytics alongside the threat intelligence feed. Suppose we are a retail organization and have discovered an internal threat: a point-of-sale (POS) memory scraper stealing credit card data. The team decompiled the scraper and identified three public command and control IP addresses. We want Secure Network Analytics to watch for any phone-home activity from the memory scraper and to alert us when it happens.
- Create a new host group. Because we will be using public IP addresses, create it in the appropriate part of your host group tree. This new host group will be a parent host group; small, purpose-specific child host groups will be created under it. To create the parent host group:
- Navigate to Configure > Host Group Management.
- Expand … and click the ellipsis next to it.
- Select the option from the context menu.
- Set the **Host Group** name to:
- Add a description.
- Click on
- Do not add any IP addresses to this parent host group. Over time you will build out the parent host group by creating new child host groups as you add more internal threat intelligence.
Figure 6. Creating a new parent host group.
Figure 7. The new parent host group appears below.
- Create a child host group. We use child host groups to quickly identify any traffic seen in the network: when any of our point-of-sale systems communicates with a command and control server, we will identify it by the child host group’s name. To create the child host group:
- Click the ellipsis next to the parent host group.
- Select the option from the context menu.
- Set the **Host Group** name to:
- Add a description.
- SKIP
- Click on
- In this example we added three random North Korea IP addresses for demonstration purposes.
Figure 8. Creating a new child host group.
Figure 9. The new child host group is shown below.
- Create a custom security event for this host group. To create the custom security event:
- Navigate to Configure > Policy Management.
- Select the option from the menu.
- Set the name to
- Add a description.
- (SKIP)
- Toggle the to
- Click on
Figure 10. Creating a new custom security event.
- Keep the custom security event criteria simple. We want to be alerted to any communication with the command and control servers, whatever its nature. That said, you can add rigor by adding more criteria. For example, if you only want to be alerted when a real conversation with the known adversary takes place, set the custom security event criteria to require more than 1,000 bytes transmitted, so that a single ping does not fire the event and only an actual transfer of data does. Set the value to suit your environment.
Figure 11. The custom security event will not fire until 1,000 bytes have been transmitted.
- To verify your configuration, add a test IP address to the child host group and communicate with that host to confirm the settings work. If you have a public cloud instance, add its public IP address to the host group and then connect to the cloud host on that IP; the custom security event will fire. Once you have confirmed everything works, simply remove the test IP from the host group.
For my verification I used the IP address 198.51.100.100, which is in the documentation address range reserved by the Internet Assigned Numbers Authority (IANA) in RFC 5737.
Figure 12. Adding the test IP address to the host group.
Figure 13. The custom security event fired on actual pings. The Notes column shows the host group name, making the connection clear without further interpretation, and also shows the name of the custom security event.
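As an added example (not code from the original post or from Cisco), the Python below models the parent/child host group design and the custom security event described in the steps above: the parent group carries no addresses, the child group carries the C&C indicators plus the test IP, and a custom event defined against the parent matches every child beneath it. It evaluates the simple “any contact” event beside the stricter variant that waits for more than 1,000 bytes, over constructed flows, and produces a Notes string carrying the host group name and the event name as Figure 13 shows. The host group names, event names, flow records, byte-threshold semantics and Notes format are all assumptions made for this example; the three C&C addresses are RFC 5737 documentation addresses, not the ones used in the post, while 198.51.100.100 is the test address the post used.

```python
"""Toy model of a parent/child host group tree and a custom security event.

Added example, not Cisco's code. The host group names, the flow records, the
byte-threshold semantics and the Notes text are all constructed. The three C&C
addresses are RFC 5737 documentation addresses, not the ones used in the post;
198.51.100.100 is the test address the post used.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass
class HostGroup:
    name: str
    ips: set = field(default_factory=set)        # ip_address objects
    children: list = field(default_factory=list)

    def add_child(self, name: str, ips=()) -> "HostGroup":
        child = HostGroup(name, {ip_address(i) for i in ips})
        self.children.append(child)
        return child

    def find(self, ip) -> Optional["HostGroup"]:
        """Return the deepest group containing ip, searching children first."""
        ip = ip_address(ip)
        for child in self.children:
            hit = child.find(ip)
            if hit is not None:
                return hit
        return self if ip in self.ips else None


@dataclass
class CustomSecurityEvent:
    name: str
    peer_group: HostGroup  # matches the group and every child under it
    min_bytes: int = 0     # bytes the inside host must have sent before firing


@dataclass(frozen=True)
class Flow:
    src: str           # inside host
    dst: str           # external peer
    client_bytes: int  # bytes sent by src in this flow


@dataclass(frozen=True)
class Alert:
    inside_host: str
    peer: str
    total_bytes: int
    note: str


def evaluate(cse: CustomSecurityEvent, flows: List[Flow]) -> List[Alert]:
    """Accumulate bytes per (inside host, peer) pair and fire once the threshold is crossed."""
    totals: Dict[Tuple[str, str], int] = {}
    alerts: List[Alert] = []
    for f in flows:
        group = cse.peer_group.find(f.dst)
        if group is None:
            continue  # peer is not in the group tree the event watches
        key = (f.src, f.dst)
        before = totals.get(key, 0)
        totals[key] = before + f.client_bytes
        # Fire exactly once, at the flow that pushes the pair over the threshold.
        if before <= cse.min_bytes < totals[key]:
            note = f"Custom Security Event: {cse.name}; peer host group: {group.name}"
            alerts.append(Alert(f.src, f.dst, totals[key], note))
    return alerts


# Constructed host group tree: the parent carries no IPs, only the child does.
PARENT = HostGroup("Internal Threat Intelligence")
POS_C2 = PARENT.add_child("POS Memory Scraper C2",
                          ["203.0.113.21", "203.0.113.22", "203.0.113.23"])
POS_C2.ips.add(ip_address("198.51.100.100"))  # test IP added for verification

# Constructed flows: two pings, then a real transfer, a lone SYN to another
# listed server, and traffic to an unlisted host.
SAMPLE_FLOWS = [
    Flow("10.1.1.50", "198.51.100.100", 64),
    Flow("10.1.1.50", "198.51.100.100", 64),
    Flow("10.1.1.50", "198.51.100.100", 1500),
    Flow("10.1.1.51", "203.0.113.22", 40),
    Flow("10.1.1.52", "203.0.113.99", 5000),
]

# The simple event from the post (any contact) beside the stricter variant.
ANY_CONTACT = CustomSecurityEvent("POS Scraper C2 Contact", PARENT)
CONVERSATION = CustomSecurityEvent("POS Scraper C2 Conversation", PARENT, min_bytes=1000)

if __name__ == "__main__":
    for cse in (ANY_CONTACT, CONVERSATION):
        for a in evaluate(cse, SAMPLE_FLOWS):
            print(f"{a.inside_host} -> {a.peer} after {a.total_bytes} bytes: {a.note}")
```

Running it shows the difference the threshold makes: the “any contact” event fires on the first 64-byte ping and on the lone 40-byte SYN, while the 1,000-byte variant stays quiet through both pings and fires only when the 1,500-byte transfer takes the pair’s running total to 1,628 bytes. Because the event is defined against the parent group, a new child group added later is covered without touching the event itself.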
Cisco Secure Network Analytics provides broad visibility and insight across your entire network. With the built-in threat intelligence feed, your organization is protected by enhanced default security events that stay current through regular content updates. Embedding your own threat intelligence in host groups and custom security events lets your Security Operations Center (SOC) be notified in real time of specific threats. Look for a follow-up blog post on third-party threat intelligence within Secure Network Analytics.
References:
- Threat Intelligence –
- Threat Intelligence License At-a-Glance –
- System Configuration Guide –
- Security Events and Alarm Categories –