Introduction
The Cisco Threat Awareness Service (CTAS) is an easy-to-use, portal-based threat intelligence service. It
enhances threat visibility for Smart Net Total Care (SNTC) customers by making broad, foundational
security information accessible 24 hours a day.
Timely detection of malicious activities, based on Cisco's extensive network visibility and threat intelligence
experience.
Helps companies quickly identify compromised systems by flagging compromised networks and
suspicious behaviour.
Helps IT and security teams recognize threats and delivers actionable intelligence.
Continuous improvement of overall security posture through analysis of network traffic as seen from
outside the network.
Intended Use
This document is intended for users of the Smart Net Total Care (SNTC) portal, an online system provided as
part of Cisco Smart Net Total Care. The instructions in this Guide assume that the user already has access to
the Cisco Threat Awareness Service in the SNTC portal.
Portal Navigation
After logging into the Smart Net Total Care portal, the left side navigation pane provides a means for accessing
the different features offered via the portal. For the Cisco Threat Awareness Service, there is a new option called
Security. Expanding this menu will reveal the Threat Awareness Service. The screenshot depicts the landing
page for the Cisco Threat Awareness Service, as it will typically appear when it is first accessed (assuming one
or more network resources are already authorized).
In the right-hand pane is the Threat Awareness Service dashboard, made up of four tabs, each displaying
information on a different type of threat feed: Exposed Services, Malicious Activity, DNS Observations, and
Suspicious DNS Requests. A description of each is found in the Threat Feeds section of this document.
Navigating to a Threat Feed tab will cause the service to load the data for any network resources already
registered with the Cisco Threat Awareness Service.
Pending: A network resource with this status will not be included in the processing of the Threat Feeds.
This status indicates the network resource is registered, but not yet authorized.
Confirmed: A network resource with this status will be included in the processing of Threat Feeds. This
status indicates the network resource is authorized.
The system requires authorization before a user can view the threat data. Information about the network resource
is already available in Cisco's threat databases; this authorization is to confirm that the user has permission to
view the data.
To register a new network resource for monitoring, click on either Add Domain or Add IP Address. Both of these
options launch the Network Resource Wizard. From here you can choose to add a Domain, IP Address, IP
Range, or CIDR Block.
The Cisco Threat Awareness Service offers two authorization methods: DNS Authorization Cookie or Email. The
following sections describe the required steps for each option.
1. In the Network Resource Wizard, select the resource type you wish to add, e.g. CIDR Block.
2. Enter the domain name or IP Address, e.g. 209.165.200.224/27.
3. Optionally add an alias for the IP address. This is an alias within the portal only.
4. Click Next.
5. Select the Email method by clicking on Email Administrators.
6. Choose a recipient from the drop-down list, and click Send Email.
7. Click Finish.
8. Refresh the Settings page to see the new IP address entry, with a status of Pending.
9. Click on the IP Address to view the audit trail, including Authorization Method, the Email recipient, and
token expiry date.
NOTE: Emails are sent from no-reply@cisco.com to the selected recipient. The email contains a one-time token
that can be used only for the specified domain. The approver must click on the link in the email, enter the token,
and choose whether to Authorize Use or Decline Authorization.
NOTE: Once the authorization request has been approved, the status of the domain is updated to Confirmed.
The audit trail will provide details of the Authorization method, the date, and the approver, so all actions can
be traced back.
NOTE: Please allow up to 24 hours for the Cisco Threat Awareness Service to perform a threat analysis.
1. In the Network Resource Wizard, select the resource type you wish to add, e.g. Domain.
2. Enter the domain name or IP Address, e.g. cisco.com.
3. Optionally add an alias for the domain. This is an alias within the portal only.
4. Click Next.
5. Select the DNS Authorization Cookie method by clicking on DNS Instructions.
6. Create a TXT record containing the DNS Authorization Cookie, and place it in the DNS zone for the specified
domain.
7. Click Next and Finish.
8. Refresh the Settings page to see the new domain entry, with a status of Pending.
9. Click on the domain to view the audit trail, including the Authorization Method, the DNS Cookie, and token
expiry date.
NOTE: It may take up to 2 hours for the Cisco Threat Awareness Service to verify the DNS cookie, and update
the status of the domain to Confirmed. The audit trail will provide further details so all actions can be traced back.
NOTE: Please allow up to 24 hours for the Cisco Threat Awareness Service to perform a threat analysis.
Threat Feeds
Listed below is a brief description of each threat feed provided by the Cisco Threat Awareness Service. These
are also found at the start of the feed in the portal.
Exposed Services
Open Services: These services are available to the Internet and should be examined and removed if
unnecessary.
Services for Investigation: These services are available to the Internet and exhibit indicators that they are
vulnerable to known attacks or contributing to denial of service attacks. Investigate and, if necessary,
remediate these services.
Malicious Activity
IP Addresses: These IP addresses have either demonstrated malicious activity on the Internet or shown
behaviors that indicate they may have malicious software installed.
Hostnames and URLs: These DNS names and URLs are present within your network and have
demonstrated malicious activity on the Internet.
DNS Observations
Unexpected DNS Names: These DNS names are not within your DNS domain names but resolve to IP
addresses within your network. Investigate whether these are legitimate.
Observed DNS Resolvers: These IP addresses are making DNS requests directly to the Internet.
Determine if these are legitimate DNS servers and investigate remaining devices.
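The two DNS Observations categories above can be cross-checked against local data, which makes it easier to triage what the portal flags. The script below is an added example, not Cisco's logic: it reproduces the Unexpected DNS Names rule (a name outside the registered domains resolving into the registered address space, with a proper label-boundary check so that a look-alike such as notcisco.com is not mistaken for cisco.com) and the Observed DNS Resolvers rule (addresses in the registered space sending DNS directly to the Internet, compared with the sanctioned resolver list). The registered block and domain are the guide's own example values; the observations, flows and resolver list are constructed.

```python
"""Locally reproduce the DNS Observations categories for triage.

Added example (not Cisco's code). Registered block and domain are the
guide's examples; all observations and flows are constructed.
"""
import ipaddress

REGISTERED_NETWORKS = [ipaddress.ip_network("209.165.200.224/27")]
REGISTERED_DOMAINS = ["cisco.com"]
KNOWN_RESOLVERS = {"209.165.200.226"}  # constructed: the sanctioned resolver

# Constructed DNS observations: (name, address it resolves to)
OBSERVATIONS = [
    ("www.cisco.com", "209.165.200.225"),         # our name, our space: expected
    ("vpn.partner.example", "209.165.200.230"),   # foreign name pointing into our space
    ("notcisco.com", "209.165.200.231"),          # suffix look-alike, not under cisco.com
    ("host.cisco.com", "198.51.100.7"),           # our name, not our space: out of scope
    ("bad.example", "not-an-ip"),                 # malformed record, ignored
]

# Constructed flow summaries: (src, dst, protocol, dst_port)
FLOWS = [
    ("209.165.200.226", "198.51.100.53", "udp", 53),   # known resolver: expected
    ("209.165.200.240", "198.51.100.53", "udp", 53),   # workstation bypassing the resolver
    ("209.165.200.240", "203.0.113.9", "tcp", 443),    # not DNS
    ("209.165.200.241", "209.165.200.226", "udp", 53), # internal DNS, stays inside
]


def in_domain(name, domains):
    """True if `name` equals one of `domains` or is a subdomain of one.
    Matching happens on label boundaries, so 'notcisco.com' is not in 'cisco.com'."""
    n = name.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if n == d or n.endswith("." + d):
            return True
    return False


def in_networks(ip_text, networks):
    """True if `ip_text` parses as an address inside any registered network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def unexpected_dns_names(observations, networks, domains):
    """Names outside the registered domains that resolve into the registered space."""
    return sorted(name for name, ip in observations
                  if in_networks(ip, networks) and not in_domain(name, domains))


def observed_external_resolvers(flows, networks):
    """Registered addresses that send DNS (port 53) to destinations outside the space."""
    return sorted({src for src, dst, proto, port in flows
                   if port == 53 and proto in ("udp", "tcp")
                   and in_networks(src, networks) and not in_networks(dst, networks)})


def unsanctioned_resolvers(flows, networks, known):
    """External resolvers that are not on the sanctioned list: investigate these."""
    return [s for s in observed_external_resolvers(flows, networks) if s not in known]


if __name__ == "__main__":
    print("Unexpected DNS names:", unexpected_dns_names(OBSERVATIONS, REGISTERED_NETWORKS, REGISTERED_DOMAINS))
    print("Observed DNS resolvers:", observed_external_resolvers(FLOWS, REGISTERED_NETWORKS))
    print("Investigate:", unsanctioned_resolvers(FLOWS, REGISTERED_NETWORKS, KNOWN_RESOLVERS))
```

The portal sees these categories from outside the network, so an entry it reports that the local data cannot explain (for example a resolver that never appears in internal flow records) is itself worth investigating.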
All controls are identical across the tabs. Each tab displays one or more charts with an accompanying table listing
the IP addresses we are observing from within the registered address space. Selecting an entry in the table will
highlight the corresponding entry in the chart, and vice versa. Expanding an entry in the table provides more
details of the threat identified.
The screenshot below shows the Services for Investigation feed under the Exposed Services tab. The default
scope for each feed is 30 days, but this can be extended to a maximum of 90 days or reduced to a minimum of 14
days. The feeds are updated globally (for all customers) every 24 hours. The last update time can be seen
underneath the feed name, so in this example, the last update was processed on January 31 at 00:00 GMT.
The table displays individual records and when they were last observed, e.g. the first item in the table was last
observed on January 29, while the second record was last observed on January 28. Looking at this record, we
can see it is a TCP/443 SSL server, and the threat feeds have indicated this is a vulnerable service (e.g. it may be
open to some form of the Heartbleed vulnerability). The Recommended steps may include suggestions such as
patching the server or running further vulnerability scans.
The nature of the threat feed is dynamic; the category may be enriched to provide additional information. This will
happen transparently as soon as more information becomes available, and in response to the continuously
changing threat landscape.
To sort or search the data, click on the Filter icon in the top right of each feed. This provides the option to
filter on IP address, Protocol, Port, Category, and Observed Date. The example below will display all
observations of IP address 209.165.200.224, on port 443, from January 25 to January 31.
Data may also be exported. Click on the icon, and download in CSV format, or send the exported data via
email (with a CSV attachment).