As part of Cisco Customer Experience program, we are working towards a more uniform user experience and terminology harmonization. This program runs across all Cisco security products.
We are aligning the terminology used in the system across Cisco and the network security industry. As a result, these changes have been implemented:
Activities are renamed to Anomalies
Severity of Activities is renamed to Risk Factor It varies from 1 to 9, and now it will also be categorized as low – medium – high - critical, represented in different colors: Low (blue) for 1 to 5, medium (yellow) for 6 to 7, high (amber) for 8 to 9 and critical (red) for 10.
Updated Terminology in the Incident Detail
Permanent Filter is now Ignored Networks The functionality to exclude some IP addresses or subnets from the list of incidents is improved and renamed from Permanent Filter to Ignored Networks. The alerts for hosts matching the configured subnets will also be excluded from reporting in AMP for Endpoints, Stealthwatch, and STIX/TAXII feeds.
You can enable Casebook using the icon or in the Cognitive Threat Response menu.
Better support for moving indicators from the page to Casebook will be improved in subsequent releases.
New Confirmed Threats
In August and September, we added to our growing list of machine-learning-poweredConfirmed Threat detections provided by theCognitive Intelligenceengine. We added two net-new Confirmed Threat types (see list below) and increased detection rates for previously-existing Confirmed Threats in the past six months.
List of new Confirmed Threat types in August and September:
Confirmed Threat ID
Malware - Dropper
Phorpiex infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, from malware that sends spam emails to ransomware and cryptocurrency miners.
Malware - File Infector
The Parite virus is a polymorphic file infector that resides in memory and attempts to disable antivirus solutions. It infects executable files on the local file system and on writeable network shares. Generally classified as a high-risk threat.
Sample Finding of new Confirmed Threat CTAL0194 Phorpiex Trojan
Confirmed Threat Updates
Our semi-automatic Indicator-of-Compromise (IoC) hunt processes (seeMachine Learning Backend Improvedblog) allowed us to increase the IoC coverage of existing Confirmed Threats. In August and September, we observed the re-emergence of the Emotet trojan (see Talos blog) and accordingly identified 97 new IoCs. In total, we added more than 600 high-risk IoCs and 40 mid-risk IoCs, covering over 20 different Confirmed Threat types.