Cisco Talos Intelligence — TryHackMe

CyberPro
3 min read · Mar 5, 2023


IT and cybersecurity groups collect large amounts of information and data that can be used for threat intelligence. Building on this, a group of cybersecurity professionals formed Cisco Talos, which aims to provide protections, indicators, and visibility against the threats found within that data. The solution is accessible as Talos Intelligence.

IOCs (indicators of compromise) play a critical role in Cisco Talos, since they are the key elements for identifying potential threats and security incidents. Cybersecurity analysts collect IOCs from a variety of sources, including network logs, endpoint security tools, threat intelligence feeds, and publicly available data.

Talos Dashboard

The Cisco Talos dashboard displays a large world map that marks email traffic, whether the email is genuine or fake, and other malicious threats. When you click on a highlighted indicator, information about it, such as its IP address, volume for the day, and type, is displayed.

Task

Use the .eml file you downloaded in the previous task (PhishTool) to answer the following questions.

Answer the questions below

What is the listed domain of the IP address from the previous task?
scnet.net

Steps:

a. Copy the IP address “204.93.183.11” into the Talos Intelligence search; the information for that IP address will then be shown.

  • scnet.net

What is the customer name of the IP address?

Steps:

a. Go to “WHOIS” and scroll down.

  • Complete Web Reviews

Scenario 1

Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.

Task: Use the tools discussed throughout this room (or use your resources) to help you analyze Email2.eml and use the information to answer the questions.

Answer the questions below:

According to Email2.eml, what is the recipient’s email address?

From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H…

Steps:

a. Type “sha256sum Email2.eml”; this shows the SHA-256 hash extracted from the .eml file.

b. Copy the hash, then paste it into Talos: 97028b1b198af6da1043b78e40e1efe519fe3def754cd9d1f29380ca11e5c361

  • HIDDENEXT/Worm.Gen

Scenario 2

Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.

Task: Use the tools discussed throughout this room (or use your resources) to help you analyze Email3.eml and use the information to answer the questions.

Answer the questions below:

What is the name of the attachment on Email3.eml?

Steps:

  • Sales_Receipt 5606.xls

What malware family is associated with the attachment on Email3.eml?

Steps:

a. Type “sha256sum Email3.eml”, then copy the hash and paste it into Cisco Talos.

  • Dridex
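Both scenarios above follow the same procedure: obtain a SHA-256 hash from the mail and submit it to Talos Intelligence for its reputation and detection alias. The script below is an added example (not part of the original write-up or of the TryHackMe room) that hashes a .eml file as a whole and also each attachment it carries, so either value can be looked up. The message it builds is constructed inline; the filename Receipt_1234.xls and the addresses are hypothetical.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage


def build_sample_eml() -> bytes:
    """Constructed sample .eml with one attachment (not the room's Email2/Email3)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "analyst@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached receipt.")
    # Hypothetical attachment bytes; a real sample would be the suspect file.
    msg.add_attachment(b"not a real spreadsheet", maintype="application",
                       subtype="vnd.ms-excel", filename="Receipt_1234.xls")
    return msg.as_bytes()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of raw bytes as lowercase hex, the form Talos expects."""
    return hashlib.sha256(data).hexdigest()


def attachment_hashes(raw_eml: bytes) -> dict:
    """Return {name: sha256} for the whole .eml and for every attachment.

    The whole-file digest matches what `sha256sum file.eml` prints; the
    per-attachment digests are computed on the decoded attachment bytes.
    """
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    result = {"<whole .eml>": sha256_hex(raw_eml)}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        # decode=True undoes base64/quoted-printable transfer encoding
        result[name] = sha256_hex(part.get_payload(decode=True))
    return result


if __name__ == "__main__":
    for name, digest in attachment_hashes(build_sample_eml()).items():
        print(f"{digest}  {name}")
```

Run it against a real message with `attachment_hashes(open("Email3.eml", "rb").read())` and submit the attachment digest to the Talos file reputation lookup.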
