Cisco Blogs

What your MDR does when threats like Nyetya hit

July 11, 2017 - 1 Comment

When your Security Operations team is finishing the day, and you get the following urgent alert, what do you do?

Cisco ATA SOC Communications

Does your SOC have the staff to cover basic threat detection needs, and pivot on a moment’s notice to hunt for the latest threat? Do you leverage the power of analytics to increase efficiencies and multiply your team’s capabilities? Whether you build it or buy it, your C-Suite and Board care about your SOC performing at 100%. What’s more, they want it within the same budget, but expect innovation. Cisco designed Active Threat Analytics (ATA) to partner with you for that outcome.

Let’s look inside a managed SOC when a major threat hits.

In June 2017, the Nyetya malware spread quickly through Windows systems across the world, hitting Ukraine and Europe especially hard. Security-savvy companies had already patched Windows systems before the WannaCry ransomware outbreak in May, but quite a few were hit in this resurgence. Another example: the Gmail worm that hit thousands and was very well crafted. These are just a few examples of threats that disrupt your plans. Security professionals have come to know that threats like these hit every day, often several at once.

I direct the Cisco ATA Delivery Team, where we leverage global talent to provide continuous threat and health monitoring for our global customer networks. ATA augments our clients’ Security Operations teams to perform threat hunting, and leverage analytics to find threats that slip past security controls and detections. We execute thousands of security plays daily, each of which correlates security alerts, threat intelligence, and known context within our customer environments. This machine consumes hundreds of thousands of security events every day. When Nyetya and WannaCry erupted, we prioritized our highest fidelity intelligence and detection among the avalanche of alerts.

SOC analysts begin their investigation by reviewing play results, which drop into a case for triage and investigation. In the Nyetya outbreak, Talos delivered specific threat indicators to the Cisco ATA managed SOC, and analysts matched the indicators within client environments to detect compromise. Since the team is working 24/7, these continuous updates from threat intelligence enable threat hunters to deliver rapid detection, helping our customers avoid the disruption of a ransomware breach.

When these global outbreaks are first erupting, authoritative information is sparse, and the ATA SOC can’t yet search for specific threat indicators. Instead, the ATA SOC focuses detection on specific plays that detect the broad properties of the outbreak, such as high SMB scanning activity. ATA monitors to ensure that all plays are running efficiently, and monitors Talos notifications for new intelligence on the threat.
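A broad-property play of the kind described above can be sketched as a fan-out check on TCP/445. This is an added example, not Cisco ATA code; the flow-record format, the 60-second window, the threshold of 20 peers and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)  # assumed look-back window
FANOUT_THRESHOLD = 20           # assumed: distinct SMB peers per window

def detect_smb_scanners(lines, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: peak distinct TCP/445 peers in any window} for sources
    at or above the threshold. Lines are 'ISO-time src dst dport', time-ordered."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still in the window
    peaks = {}
    for line in lines:
        ts, src, dst, dport = line.split()
        if int(dport) != SMB_PORT:
            continue
        ts = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        fanout = len({d for _, d in q})
        if fanout >= threshold:
            peaks[src] = max(peaks.get(src, 0), fanout)
    return peaks

def sample_flows():
    """Constructed flow records, not real telemetry."""
    t0 = datetime(2017, 6, 27, 12, 0, 0)
    rows = []
    for i in range(1, 41):   # 10.0.5.23 sweeps 40 neighbours in 40 seconds
        rows.append((t0 + timedelta(seconds=i), "10.0.5.23", f"10.0.5.{100 + i}", 445))
    for i in range(30):      # 10.0.5.77 keeps reusing two file servers
        rows.append((t0 + timedelta(seconds=2 * i), "10.0.5.77", f"10.0.9.{1 + i % 2}", 445))
    for i in range(25):      # 10.0.5.88 reaches 25 hosts, but five minutes apart
        rows.append((t0 + timedelta(minutes=5 * i), "10.0.5.88", f"10.0.6.{i + 1}", 445))
    rows.append((t0 + timedelta(seconds=5), "10.0.5.23", "10.0.1.10", 443))  # non-SMB
    rows.sort()
    return [f"{t.isoformat()} {s} {d} {p}" for t, s, d, p in rows]

if __name__ == "__main__":
    for src, peak in detect_smb_scanners(sample_flows()).items():
        print(f"{src}: {peak} distinct SMB peers within {WINDOW.seconds}s")
```

Counting distinct destinations rather than connections keeps a busy file-share client below the threshold while a sweeping host stands out.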

As time passes during the investigation, threat indicators are derived and shared by Talos, coverage for Cisco endpoints and IPSs is verified, and clients are updated. Talos collaborates closely with Cisco Incident Response Services, and once the connection to M.E.Doc was discovered, incident response specialists and Talos resources were able to investigate and remediate the threat, and share these IOCs throughout the world.

Back home, looking after ATA clients, ATA investigative and development teams work together to tweak analytic plays to ensure coverage of new threat indicators, and test plays for efficacy. Applying several types of analytics (Deterministic Rules-Based (DRB), Statistical Rules-Based (SRB) and Data Science-Centric (DSC) Analytics) helps expedite the hunt. Analytics gives this process leverage, enabling correlation that distinguishes between successful compromise, mitigated attacks, and attacks resulting in no impact (in other words, the target of the attack was not vulnerable). Once proven, the ATA SOC provides mitigation and remediation instructions to the client to prevent threat propagation. ATA can also help clients leverage the Cisco Security Incident Response Services (CSIRS) team to quickly build a plan to identify the attacker, scope and contain the situation.
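The three outcomes named above can be separated by joining each exploit alert with asset context and with what the target does afterwards. This is an added example, not Cisco ATA code; the record fields, the one-hour follow-up window, the extra "needs investigation" verdict and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FOLLOWUP_WINDOW = timedelta(hours=1)  # assumed correlation window

def classify(alert, assets, behaviours, window=FOLLOWUP_WINDOW):
    """Correlate one exploit alert with asset context and later host behaviour."""
    target, seen = alert["target"], alert["time"]
    # Evidence of compromise: the target itself misbehaves after the alert.
    followups = [b for b in behaviours
                 if b["host"] == target and seen <= b["time"] <= seen + window]
    if followups:
        return "successful compromise"
    if alert["action"] == "blocked":
        return "mitigated attack"
    asset = assets.get(target)
    if asset is not None and not asset["vulnerable"]:
        return "no impact"
    # Allowed, target vulnerable or unknown, nothing seen yet: keep the case open.
    return "needs investigation"

def triage(alerts, assets, behaviours):
    """Return {verdict: [targets]} for a batch of alerts."""
    cases = {}
    for a in alerts:
        cases.setdefault(classify(a, assets, behaviours), []).append(a["target"])
    return cases

def sample_case():
    """Constructed alerts, inventory and behaviour records."""
    t0 = datetime(2017, 6, 27, 12, 0)
    alerts = [
        {"time": t0, "target": "10.0.5.23", "action": "allowed"},
        {"time": t0 + timedelta(minutes=1), "target": "10.0.5.40", "action": "blocked"},
        {"time": t0 + timedelta(minutes=2), "target": "10.0.5.41", "action": "allowed"},
        {"time": t0 + timedelta(minutes=3), "target": "10.0.5.42", "action": "allowed"},
    ]
    assets = {"10.0.5.23": {"vulnerable": True}, "10.0.5.40": {"vulnerable": True},
              "10.0.5.41": {"vulnerable": False}}  # 10.0.5.42 is not in inventory
    behaviours = [
        {"time": t0 + timedelta(minutes=10), "host": "10.0.5.23", "kind": "smb_scan"},
        {"time": t0 - timedelta(hours=2), "host": "10.0.5.41", "kind": "smb_scan"},  # predates alert
    ]
    return alerts, assets, behaviours

if __name__ == "__main__":
    for verdict, targets in triage(*sample_case()).items():
        print(f"{verdict}: {', '.join(targets)}")
```

Follow-up behaviour is checked first, so a host that starts scanning after an alert is treated as compromised even if the sensor reported the original attempt as blocked.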

This routine occurs thousands of times per day, with a team of analysts and investigators in the United States, Poland and Japan. Our SOCs are an extension of your team, enabling co-operative threat hunting, and developing a mutual understanding of your network, staff, and applications.

Layering analytic measures allows for effective coverage of your network. A typical two-week slice of one of our average-sized clients produced 269,808 unique security events. In that particular week, ATA analysts and investigators narrowed 269,808 events down to 71 post-investigation cases that were actionable to our customer. We are proud to reliably collect our customers’ data and filter it to actionable results. This partnership saves our customers time and money and helps them avoid network compromise. In high-stress situations, like the Nyetya or WannaCry outbreaks, the ATA SOC takes the pressure off customers, guiding them toward using their own controls to block hot threats.

The 2016 Gartner Market Guide to Managed Detection and Response advises, “Don’t go it alone when implementing an SOC capability. Look to an MDR service provider as a partner who can augment your SOC. This allows you to quickly implement mature threat detection and response capabilities rather than having to build from scratch. This can mean a SOC is operating at a greater maturity level in several months rather than several years.” We agree.

Cisco ATA SOC Tour




  1. Excellent blog post. I can appreciate the effort required to narrow down a plethora of security events to a smaller set of actionable items. As a forensics manager that also supports incident response, I typically utilize skills learned via SANS penetration tester and reverse engineering malware certifications to investigate security events and provide actionable intel to management and InfoSec.