Category Archives: Cisco Threat Response

Cisco Threat Response Plugin: Defeat Threats With Just a Few Clicks

One of the best tools in your SOC’s arsenal is something you might already have access to and didn’t even have to pay for. If you already deploy Cisco Umbrella, AMP for Endpoints, Firepower devices, next-generation intrusion prevention system (NGIPS), Email Security, or Threat Grid, then you can immediately access Cisco Threat Response for FREE. As in no charge. Zero extra dollars. No strings attached.

With Cisco Threat Response, customers receive a powerful solution that can streamline and simplify detection, investigation, and remediation of threats. In addition, Threat Response offers a very easy, powerful tool in the new browser plugin (for Chrome and Firefox). By adding the plugin, security professionals now have instant access to threat intelligence and response capabilities directly from their browser. To prove the simplicity of this, let’s use a straightforward example.

For information on configuring the plugin, watch the tutorial here.

For the threat, we will use the Karkoff malware, used in the DNSpionage campaign. For background on the malware, let’s see what Talos has to say about it.

Karkoff Malware

Ah, it seems that Talos has a full spotlight of Karkoff. Towards the bottom of the blog, Talos gives a full report on Indicators of Compromise for Karkoff.

Karkoff Indicators of Compromise

Traditionally, you’d have to manually copy and paste  each file, IP address, etc. from the blog, editing them to remove the defanging “safety brackets”, searching for each one in turn, in each of your telemetry sources – a laborious, manual activity. Cisco Threat Response simplifies this entire process by bringing all of these capabilities to one central source. So, let’s open the Cisco Threat Response browser plugin.


Cisco Threat Response Casebook

Immediately, Cisco Threat Response identifies 16 observables from this threat intelligence blog. 1 clean. 9 malicious. 6 unknown.

Identify Malicious Domains

By clicking the malicious and unknown observables, we can tailor our investigation. We will not worry at all about, because we know Snorty is never up to anything bad!

Select a specific Domain

As an example of how quickly we can take response actions, even before pivoting into Threat Response to do a more complete investigation, let’s look at It is listed as “unknown.” By clicking the dropdown menu next to it, and pivoting out to other trusted intelligence sources like the Talos database or Threat Grid, we could quickly gather more information to determine a course of action.

Block The Domain With Umbrella

For the purposes of simply showing the ease of the plugin, let’s assume we investigated this domain and there is no legitimate business need for our organization to be contacting it. In order to prevent potential malware activity, we will proactively block it now as a first level stopgap while we continue our investigation. Threat Response directly integrates with Umbrella, so we can immediately block the domain across our entire network with one click within the plugin.

Umbrella Blocked Domain Notification in Cisco Threat Response

Within a few seconds, Threat Response will flash a green banner confirming the blocking of the domain with Umbrella.

Investigate With Cisco Threat Response Browser Plugin

Now, after blocking a few domains quickly, our network is certainly better protected from Karkoff, but there is more investigation to be done. A quick click of the “Investigate” button will launch Cisco Threat Response’s cloud-based dashboard.

Cisco Threat Response - Karkoff Malware

Cisco Threat Response will automatically load the list of the observables and provide insights with relation graphs, file hashes, and others.

Previously, Security Operations Centers (SOCs) would hear about trending threats and wonder, “Is my network affected by this threat?” To answer that question, it would require a series of manual processes that required investigating observables hundreds of times across the network, and then, writing sufficient policy to defend against these threats. To make life even more difficult, these solutions were often from different vendors and require manual processes to implement across different parts of the next work.

With Cisco Threat Response, within minutes, your SOC can:

  1. Identify a trending threat from your SIEM, Talos, other threat intel sources, or virtually any third party product that has a web based interface
  2. Identify a list of observables with one click
  3. Quickly block domains across the network
  4. Launch Cisco Threat Response for further investigation

It is important to note that Cisco Threat Response is a FREE add-on to existing Cisco Security solutions. In the example above, the user has Threat Response integrated with their AMP For Endpoints, Cisco Threat Grid, and Umbrella solutions. In addition, every user of Threat Response automatically gets access to the Talos Intelligence and AMP File Reputation databases for use in Threat Response. While Cisco Threat Response provides significant value when integrated with only one product, it becomes even more useful with each additional Cisco Security solution integration. It offers unparalleled central-management for detection, investigation, and remediation – and the browser plugins bring all those capabilities into any type of web content. Whether it is a blog entry like in this example, any other intelligence source, or the browser-based management console of any Cisco or third-party security or networking product.

For more information on Cisco Threat Response, visit our webpage or create an account in the U.S.or EMEAR to get started right away. You can also download plugins for Chrome and Firefox to make investigations easier today.


BONUS: Make sure to catch our upcoming #CiscoChat LIVE, featuring Cisco Threat Response, on Tuesday, July 16 at 10am PT/1pm ET.

To participate in this #CiscoChat LIVE:

  • Join our #CiscoChat Live on Tuesday, July 16th, at 10am PT for a live demo from Cisco Technical Engineer, and Threat Response expert, Ben Greenbaum. Ben will answer questions about Threat Response and do a quick demo of our browser plugin and our latest integration with Firepower devices. He’ll also take your question live on air.
  • Join on YouTube, Facebook, Twitter, or and use the comments or the #CiscoChat hashtag on Twitter to submit your questions!

Get a Security System, not a Security Smorgasbord

If you’re still juggling a lot of cyber security tools, you’re not alone. Even as businesses make headway on trimming point-solutions, the recently released Cisco CISO Benchmark Report found that 14% of security leaders are managing more than 20 vendors. And 3% are dealing with over 50.

It’s easy for this to get out of hand. Customers tell us they acquired product A to solve problem A, product B to solve problem B, and so on. Before long, they’re overloaded with point-products that work independently and create tons of siloed data points. The products don’t draw connections between the data to help network administrators understand event context.

It’s almost like having alarm sensors from different security companies on every door to your home. It’s not better, simpler, or easier to manage.

Cisco is helping customers simplify their security ecosystems with powerful tools that work together to automatically thwart cyber attacks. The Cisco Integrated Security Portfolio includes Cisco Next-Generation Firewalls (NGFW) and Cisco Advanced Malware Protection (AMP) for Endpoints. These two tools automatically work together to provide comprehensive threat protection from the network edge to the endpoint. And using the Cisco Threat Response management console, you can take corrective action directly from a single interface.

The power of coordination

This powerful partnership starts with breach prevention. Stopping cyberattacks before they can embed themselves in your extended network is crucial. The Cisco NGFW and AMP for Endpoints both draw threat intelligence from the Cisco Talos Security Intelligence and Research Group to actively block threats in real time. Cisco NGFW monitors and blocks malicious traffic and files at the network perimeter, while Cisco AMP for Endpoints blocks malicious files at the endpoint point-of-inspection.

But what if an attacker or extremely sophisticated malware manages to creep inside? It can happen—cybercriminals are persistent, and malware gets smarter every day. This is where the coordination of Cisco NGFW and AMP can really make a difference. If NGFW sees a threat on the network, it’s contained there and blocked access to the endpoint. If AMP for Endpoints sees trouble on the endpoint, it is automatically quarantined there and blocked from traversing the network. Threat information and event data is shared amongst all Cisco security tools. The system works together so that if a threat is seen once, it is stopped everywhere. This provides continuous visibility across multiple attack vectors for rapid, automatic detection and response.

And the best part? This network and endpoint information is all aggregated in one place – the Cisco Threat Response management console. You can see all of this information in intuitive, configurable graphs for better situational awareness and quick conclusions. You can take corrective action and make decisions across your entire network from one management plane. You can block suspicious files, domains, and more—without having to log in to another product first. Want to see even more network or endpoint detail? One click and you’re inside Cisco AMP for Endpoints or the Cisco NGFW native console.

One proven, efficient system

We work with businesses every day to help them defend their networks and keep security management simple so their teams can be as efficient as possible. Cisco Next-Generation Firewalls and Cisco AMP for Endpoints, along with the Cisco Threat Response management console, offer breach prevention, continuous visibility, rapid detection, automated response, and efficient management from one console.

To learn more about Cisco NGFW and Cisco AMP for Endpoints, click here.