When it rains it pours…ThreatQ and Cisco Umbrella integration
POSTED BY KEVIN LIBBY
There have been many published articles covering the value and outcomes of leveraging the ThreatQ threat intelligence platform’s Adaptive Workbench. This capability allows our customers to define and customize the operations plugins they find beneficial in their workflows during threat operations and management efforts. Fellow Rhino Mike Clark demonstrated quite a few operations plugins, including Dig, Recorded Future, Neutrino, and Splunk, in his recent article, Enriching an Indicator with Operations, and Julian DeFronzo featured a Recorded Future operations plugin while researching NoSQL ransomware attacks.
Because an operations plugin can, in principle, be produced for any tool that exposes a functional API, ThreatQ is able to add context to threat data stored in the ThreatQ Library from tools produced by many best-of-breed vendors.
Today I want to shine a light on Cisco Umbrella.
As shown in the screenshot below (Figure 1), I have many operations plugins installed to query Cisco Umbrella Investigate and retrieve some interesting context related to the threat data I’m curating within the ThreatQ Threat Library. Cisco Umbrella Investigate contains numerous data points, each of which can be applied to build insight on the reputation or security risk posed by the indicator being researched.
For example, when enriching an indicator via Cisco Umbrella, I’m able to immediately find out if the Cisco Security Research Teams have flagged a domain as malicious or not. Any Security Category association such as ‘Malware’ or ‘Botnet’ is also pulled into the ThreatQ threat intelligence platform. Content Categories are also returned (Figure 2).
Cisco Umbrella typically provides some Security Scores too (Figure 3), so analysts are able to gain perspective on an indicator’s threat type, the likelihood that a domain name was algorithmically generated (rather than human generated), and even a value indicating how many unique client IPs have visited a domain compared to others. Cisco Umbrella publishes documentation describing their score types here.
Once an analyst has determined that a domain is enough of a threat that it should be blocked, there’s another operations plugin that will immediately add the indicator to Cisco Umbrella’s block list so that it can be enforced (Figure 4).
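The enrich-then-decide step described above, as an added Python example that is not ThreatQ’s or Cisco’s code: it triages constructed Umbrella Investigate responses into an analyst-facing verdict (field names such as status, security_categories and dga_score are assumed from Cisco’s public Investigate documentation, and the DGA threshold is hypothetical) and handles the case where Investigate returns no scores for a domain.

```python
# Added example, not ThreatQ or Cisco code: the triage logic an operations
# plugin might apply to Umbrella Investigate context before an analyst
# decides whether to push a domain to the block list.
# Field names follow Cisco's public Investigate docs (assumed, not verified here).
from dataclasses import dataclass, field

MALICIOUS, UNCATEGORIZED, BENIGN = -1, 0, 1   # Investigate "status" values (assumed)
DGA_THRESHOLD = 0.5   # hypothetical cut-off for "likely algorithmically generated"

# Constructed sample responses for three domains (categorization + security).
SAMPLE = {
    "evil-example.test": {
        "categorization": {"status": -1, "security_categories": ["Malware", "Botnet"],
                           "content_categories": []},
        "security": {"found": True, "dga_score": 0.97, "threat_type": "Botnet"},
    },
    "news-example.test": {
        "categorization": {"status": 1, "security_categories": [],
                           "content_categories": ["News/Media"]},
        "security": {"found": True, "dga_score": 0.0, "threat_type": ""},
    },
    "unknown-example.test": {   # edge case: Investigate has never seen it
        "categorization": {"status": 0, "security_categories": [], "content_categories": []},
        "security": {"found": False},
    },
}

@dataclass
class Verdict:
    domain: str
    action: str                       # "block", "review" or "allow"
    reasons: list = field(default_factory=list)

def triage(domain, categorization, security):
    """Combine Investigate status, categories and scores into one verdict."""
    reasons = []
    status = categorization.get("status", UNCATEGORIZED)
    if status == MALICIOUS:
        reasons.append("flagged malicious by Cisco security research")
    reasons += [f"security category: {c}" for c in categorization.get("security_categories", [])]
    if not security.get("found", False):
        # No scores: never auto-block on absence of data; send to an analyst unless benign.
        reasons.append("no security scores available")
        return Verdict(domain, "allow" if status == BENIGN else "review", reasons)
    dga = security.get("dga_score", 0.0)
    if dga >= DGA_THRESHOLD:
        reasons.append(f"likely algorithmically generated (dga_score={dga})")
    if security.get("threat_type"):
        reasons.append(f"threat type: {security['threat_type']}")
    block = status == MALICIOUS or dga >= DGA_THRESHOLD
    return Verdict(domain, "block" if block else ("allow" if status == BENIGN else "review"), reasons)

def triage_all(sample=SAMPLE):
    return {d: triage(d, v["categorization"], v["security"]) for d, v in sample.items()}
```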
After logging into the Cisco Umbrella Dashboard, users can easily find the domains sent over for enforcement by ThreatQ (Figure 5).
There are many ways to enrich the reputation or security risk associated with indicators by leveraging operations plugins within the ThreatQ threat intelligence platform. When it rains it pours… so bring an Umbrella.