
Alexandre Argeris - Amplifying your XDR experience by leveraging free API services for maximum impact

BSides St. John's, 40:07, published 2025-05

About this talk: BSides 2023

Transcript (en)

We'll get Chris to do the intro for you.

Awesome. All right, welcome back everyone. Next up we have Alex Argeris. Yeah, should be a good talk.

Is my mic on? Yeah, everyone can hear me? Well, perfect. Are we waiting for a couple of other folks? They're all going to miss my talk, I guess, anyway. So hi everyone. My name is Alexandre. I'm one of the few cyber security technical solution architects at Cisco. But my talk is not going to be a sales pitch, okay? So we're going to talk about other stuff than what I usually talk about when I'm in front of a customer. So thanks to the team again. And this year, for those of you who have been at many other BSides for the last couple of years, BSides used to be always the same week as my wife's birthday, and I was always in a rush either to arrive or to leave BSides to be there for her birthday. But this year it was over the weekend, so I was just happy. So we did arrive on Monday. I had a couple of minutes to go on Signal Hill, do my jogging run, and yesterday we even had the pleasure to go around a couple of other sites with one of my colleagues over there, to see the beautiful area of course.

So today we're going to talk about something that is pretty close to my heart. If you remember, if you have been to other of my talks, I usually talk about stuff that is free, cool, anyway stuff like that. So you can have fun in your own lab as well and implement those types of strategies within your organization if you're willing to, or even apply the same strategy to commercial products like the ones that I sell. So for today we're going to try to see how we can enrich your experience when you're using an XDR technology with free API services. I mean free because these are not open source like we used to call software and stuff like that. These are most of the time services that offer a free tier to access stuff that is lower than what you can get if you pay the extra money for it. But anyway, even if they are free, most of the time you can get a lot of information from those services to enrich your experience while using a technology like an XDR technology. Makes sense?

Just a little bit about myself. I've been presenting at BSides for many, many years. I think the first year was in 2015. I've been talking about many different topics: SSL decryption, honeypots. I even have shared some of my stories from when I was younger as well, stuff that I should not have done and stuff like that. So a bit about myself. I probably had my first computer at an early age. And I'm also one of the ones that was able to access Gopher. How many of you know Gopher? Nice. It's nice. So it was a nice way for me to be introduced into the networking, slash whatever other industry, able to surf the CLI of Gopher across the world and stuff like that. So I started to code like an amateur, or whatever, as I say most of the time, around the 90s as well, by building my own web page. How many of you have been building your own web page as well? It was awful. Anyway, I have more than 25 years of experience, whatever. I've been with Cisco for the last 10 years. I have three kids. Thank God they are all at high school now. And I have a wonderful wife as well. If you're looking for me during winter, I usually ski over the weekend, even on holiday and all that; every time that I can, I go on the ski hill. And during summer, if you want to do an activity with me, call me and ask me to go on the road bike. Okay, makes sense?

So a little bit of warning here. First of all, that presentation, typically the presentations that I do over here, it's to make sure that you guys go away from that presentation not with content; my goal is always to make you think, right, make sure that you have some sort of an experience that will leave you with something that will encourage you to go deeper into that research. Okay. Of course, please ask questions, but I will say more, add comments, right? I'm not an expert. I'm a generalist, like probably most of you guys as well. So if you think that what I'm saying in front of you does not make sense, raise your hand and say, "Alex, you're wrong." Okay. And it's going to be too boring as well if you don't ask questions. I do have pigs. Remember, for those of you who were there last year, I do have a bunch of pigs over here as well. So for each comment, question or whatever, I'm going to send a pig as well. Okay.

So first of all, let's ask our friend ChatGPT what XDR is. Are you guys ready? So how many of you are familiar with the marketing, whatever, terminology of XDR? Yeah. Oh, that's the first hand. Well, almost. So if we ask ChatGPT, it's really, it's a good definition, I would say. It said extended detection and response. Okay. So it means we extend the detection of what we used to, to include multiple different telemetry, not only one single telemetry that usually all the other tools are providing, but we extend that telemetry as well, that visibility, over other tools as well. The primary objective, I really like having that slide over there as well, so the primary objective is to provide visibility and context. So here's the important word over here: context. So my talk is all about adding additional context to an investigation. Okay. And by analyzing data, whatever, with advanced analytics, we're not going to go there today. Machine learning, of course, we all do that. And at one point there are other things that ChatGPT is telling us: it will leverage or do detection and response. Response is another keyword here, very important. So we're going to look at some services, tools or whatever that we can leverage as well to do response to a potential threat. The other thing is automate response, right? Being in front of the computer or a tool, it doesn't make sense. No one wants to have a dedicated... Hi Katy, how are you? So no one wants to be in front of the computer or the logs or whatever 24/7, right? We want to be able to automate those responses as well. And the other part is threat intelligence. So typically there's a bunch, and if you have money you can spend a lot of money on threat feeds, right? There's a bunch of different organizations across the world that will give you a lot of information, like the dark web stuff as well, to be able to correlate additional context to an investigation. But today we're going to look at free stuff.

So there's the commercial market, the big commercial market for that XDR stuff; everyone has their own flavor of what XDR could be. Of course, if you have money in your organization, go ahead and buy those solutions. It's going to be a lot easier for you, of course. But if you want to play and have fun, there are some others as well. So those are open-source, whatever, free services, or not services but free tools, that can be leveraged to accomplish something similar to an XDR technology. Of course, on the other end, there's Python, PowerShell, any other tools that do scripting and stuff like that that can be leveraged as well, right? To do the response, add additional context to an investigation and so on and so forth. So if you don't have money or if you want to have fun, go on that side, right? And make sure to prove to your organization that adding additional context with free tools and free services makes sense to protect your organization, and then maybe you're going to get money to buy additional stuff.

So now let's talk about APIs. So that's the second portion of my talk: API. So how many of you remember my talk last year? Yeah, there you go. Nice. So what was the first challenge of API? Oh, that's a good one: authentication. You guys remember, we all have MFA right now applied to most of the accounts that we are all on, but we don't have an MFA solution for an API, right? Typically we have a set of API keys, or we use a token, and unfortunately we never refresh or change our API keys, right? It should be a best practice to do it, but we don't do it anyway. So for today, where we're going to go with API, it's by leveraging free services. Some of those ones do not require authentication, so we don't care, and some others as well, just leverage your API key from a free service, so you don't care as well if those API keys are shared.

So let's ask GPT again. It's application programmability, or programming (my French is coming back) interface. And then what's API? I will say that API is the best way to communicate, to have two machines communicate together, right? That's probably the best way to interpret what an API is. And essentially API will leverage what we have already. It's HTTP, the HTTP protocol. Most of the time, REST APIs use HTTP. So here's a cool API example. So this one is pretty nice. Predict the age of a name, right? Is it useful? Not really, but it's cool, right? And if you look at it, it predicts that my name, Alexandre, is 46 years old. I will be 46 in three months from now. So they're pretty good, right? So you can go and Google your own, or look for your own name as well, see if it's true or not, but whatever. Could that be applicable to any of your threat detection? It could be, right? Let's say you have a use case where you want to define, I don't know, it's a phishing use case or playbook or whatever, and then you want to identify if the name, or the many names that could be in that email, could be applicable to the typical age of your employees or stuff like that. So you can leverage that. Of course it's free. You're not going to do it by yourself. You're not going to have to copy and paste the result; it's going to be built into the solution, if you go up to what my talk is about.

So if you look at REST API and what REST API is in general, how many of you guys are familiar with REST API? Oh, nice. Here you go. So I like to play with REST API. Am I an expert? No. But I like to. So there are multiple different functions within REST API that are pretty important to understand. The first one is GET. Please, Mr. Service, get me something, right? Get me what you have on a pet name, in that type of example. It could be on anything else as well. The other one is PUT, right? Please update the data you have for that person. Stuff like that. DELETE, of course. Please delete that IP, please delete that address or whatever, or that record, right? And POST: can you please upload the file, or can you please add a record to your database, and stuff like that? That's going to be pretty important for the rest of the presentation here.

So let's look at what's going to be the framework for today's presentation. So we do have XDR on one hand, on the top, and API at the bottom. So the first important thing when we're talking about API is how do we collect telemetry? Telemetry could be anything from firewall logs to EDR logs, NDR, cloud, any type of services, identity services and so on and so forth, right? It could be even from an OS or whatever, things that matter to you that could be used to identify a potential incident, right? And of course some of those technologies, I would say most of them right now, are exchanging that type of telemetry with an XDR platform through API. Okay, we still leverage pretty old technology like, I guess, syslog, right, which could be non-encrypted, but sometimes it's encrypted now as well, right? But syslog is still used, unfortunately. And then the second part is how do we correlate and prioritize all these different incidents, right? I don't want to give my security analysts all these different security incidents at once, right? I want to make sure that they are looking at the ones that matter to them, and to be able to do that, typically I will reach out to an API service or to a threat intelligence service, right? Maybe within that incident there's an IP, there's a domain name, there's a hash from a file, a URL, or a name, or a MAC address, or whatever other stuff as well. So I'm trying to reach out to a service that will give me more insight, more information about it. So I can correlate, prioritize, add the score or whatever other stuff as well. So I can say, you know what, mister, you should look at this one and not those ones.

Then the investigation part, right? Everyone needs to go into the investigation part. So from the investigation standpoint, first of all, we're still going to need to query those threat intelligence services, right? Can you give me the reputation of that hash? When was that hash first seen, right? Is there any tag associated with that hash? I mean, a signature from a specific malware campaign and stuff like that. And also we're going to reach out using API to the original source. Can you give me the context? Is there a user tied to that MAC address? Is there a user tied to that public IP? Right? And so on and so forth.

And then the response, which is the fun part, right? How do we mitigate, control, contain, whatever, isolate a potential threat, right? And here's the difference. From now on, we will use additional HTTP or REST API functions like the update, the POST, and the DELETE as well, because we're in the response phase, right? So we can go and add additional context to our source, right? Let's say it's the identity provider. It's Azure AD, right? I'm going to put a name here. You're using Azure AD. So as a response, I'm going to just deactivate the user, right, in Azure AD. So it's probably going to be something like a push or something like that. I'm going to go in threat intelligence as well. I'm going to show you how to contribute to the community, okay? By adding comments on different platforms about a potential threat that you have found out, right? Instead of just getting information from others, you can contribute as well to the community. And then there's other stuff as well, external and internal sources; you may reach out to your CMDB or whatever other management platform and stuff like that for your hosts or whatever. So there are other places as well where you may want to delete assets and stuff like that to isolate the problem.

So there are many, many different collections of free APIs. So that's one I really like: RapidAPI. So there's a bunch of different APIs that you can look at. Some of them are free, some of them are free to use, some of them you have to pay for as well. And it's not only for security, right? There's an API for jokes, there's an API for weather, there's an API for anything, right? But I'm making jokes here about those different types of APIs, but if you're in an investigation, it may be very cool to add some of that information, some of that context as well, right, within the incident ticket or the investigation ticket. Any questions so far, comments? No. Okay. Fine.

"Why does yours say I'm 67, right? It said seven right now." That's a good one. Sorry, I didn't repeat the question. Sorry. He said, "Why did your API, or the API, say that I'm 77?" Right? It's because you're looking old.

So how many of you are familiar with VirusTotal? Yeah, go ahead. Here you go. Which is a free service. There's a paid service as well for VirusTotal, and I think VirusTotal is owned by, I think it's owned by a big company now anyway. So most of you, I guess most of you leverage VirusTotal by copying an IOC and pasting the IOC within the web platform, right? Most of you are probably doing this, but there's also an API for VirusTotal, which is cool, and here are the use cases that can be leveraged with VirusTotal: let's say getting the URL, file, domain, IP reputation for better enrichment. You can submit a URL and a file to be analyzed as well. Okay, those two functionalities, I would say most of the other vendors out there charge you for this, including Cisco, okay? So we charge you for this. But here's the free service; if you want to test it, use it, and if it makes sense for you, go for it, right? The last use case over here that I really like is to contribute to the community, right? Make sure to add additional comments, right? There's someone that is telling you that that URL is a phishing email, it's part of a phishing whatever campaign, and if you see this as well, say yes, I see it as well. Right? So add an additional comment. Maybe you have a screenshot from that email and stuff like that, so on and so forth. Makes sense?

How do you do this? It's fairly easy. So within your account there's a section where you can generate your API key; copy your API key, and then leverage any tool that you want to take advantage of it. Right? Of course, if you do own a commercial version of an XDR platform, it's typically built into it. Otherwise, there are many other ways to test it and implement it into your own framework, let's say, right? So how many of you are familiar with Postman? Nice. So here's the example of Postman, which is not used typically, it's not used for production environments, right? It's for testing. But essentially here's what you will do. You test the different APIs through Postman and then you will replicate what Postman is doing in terms of requests into your own script, right? Let's say you are building a script with Python or PowerShell or whatever other scripting tool as well. You will replicate this. So here's the request: give me, Mr. VirusTotal, the report for that specific hash, right? What is a hash? Anyone know what a hash is? Come on. Come on. What's a hash? SHA-256, right? Of a file. It's a fingerprint of a file. So here's the hash. Give me, Mr. VirusTotal, the result for that hash. And here's the result that comes in JSON format, right? So most of you that are doing coding, I guess, do understand what JSON is; fairly easy. It's a result that you can parse and get the information that matters to you and ditch all the rest, and use that information as you want. Okay. The good thing about VirusTotal is it gives you multiple different results. It will give you, for let's say different types of antivirus, EDR and stuff like that, it will give you all the different results for all these different EDRs. So the other function as well, or use case, is comments, or contribute to the community itself. So it's fairly easy as well, so you can definitely implement this within your framework of XDR by saying that I want to send back when I saw that coming into my infrastructure, let's say, and stuff like that. Add a comment, and that's about it.

How many of you are familiar with MalwareBazaar? Yeah, that's nice. Oh, am I going to be able to go up there? Yeah, here we go. So MalwareBazaar, which I really, really like. It's a little bit more underground than VirusTotal, I guess. I think it's not owned by any big organization. And it's under the abuse.ch umbrella, let's say. Someone may know that organization as well. So you can definitely, through the web, search for a hash, for a URL and others as well. The cool thing about it is there is a signature that identifies if it belongs to, or it's been tied to, a specific campaign, a family of malware and so on and so forth; there are tags as well, and you can even download the malware piece, okay, which could be bad, but anyway. So let's look at the use case itself for MalwareBazaar: again, getting the file intel, right? Is there any malware signature or tag for better enrichment? Threat hunting: give me, for example, all the last files that are tied to a RAT, or any signature that we want to look at that could be bad for the organization as well and stuff like that. Submit a file to the sandbox, and contribute to the community again. So if we look at Postman: get me the last 10 malware. You can definitely see things that could matter to you while you're doing an investigation: what is the first time we have seen that file within the community, the last time as well, the file type, and all the tags that are associated with it. We can also use this as a threat hunting tool, let's say, or to enrich information while we're doing threat hunting. So for example, give me all the different files that are associated with the tag RAT. All right, and then it's just a matter of scanning all the infrastructure to see if that file could be in your infrastructure.

So how many of you still look at phone numbers? Typically, what type of technology are the phishing or social engineering types of attacks using? Phone, right? So we'd better have a tool as well to enrich information that we can gather ultimately on a phone number, right? There are phone numbers in signatures and emails. There are many other places as well where we may want to know if a phone number is valid or not, and if it's tied to malicious activity. Okay. So there's a service called NumVerify, but there are millions of others as well. Okay. So this one does offer a free API service that gives you the ability to identify multiple different things about a phone number. Of course, the use case again: you look at an email, it's malicious. Instead of having to copy and paste the phone number in Google and see if it's valid, then you can use a service like this to add that information right away into your ticket, right? Or investigation ticket. So again, pretty easy to get your API key. Yeah, question here. I like questions. Or is it a question or a comment? Oh, yeah, of course. Yeah, it just doesn't work. Yeah, of course. Or it's going to say that the phone number is not valid. The service will say phone number not valid. So you can, in that case, you can increase the risk of your ticket. Say, oh, there's a phone number not valid within the email or the incident I'm looking at. Right? Good question. So how do we do this through Postman? Just a regular GET with the phone number, and then we get the information about that phone number right away, right? And then we can parse all the information and use it as we want within our investigation.

How many of you are familiar with nmap? I guess a lot of you, right? Who wants a pig? There you go. I have plenty of pigs. Don't worry about that. So there's a cool service that I found a couple of months ago which is nmap.online. Right. For those of you who are not familiar with nmap, it's a cool tool that allows you to scan open ports on a machine. So what nmap.online offers you is to do this on behalf of you, right, from the web. So they probably have tons and tons of different services across the world, and then through API you can ask them to scan a public IP. All right. And get the result, which is nice. Questions, comments? Oh, okay. So is there any use case that we can tie to this? Of course. There are a couple of use cases. The one that I really like is to be able to add context about a public IP that is targeting you. Okay, let's say you do have multiple security incidents that are related to the same public IP. Then you can use that type of service to add automatically to your incident ticket the result of the port scan of that public IP. Okay, why does that matter? Then you can identify maybe that there are some open ports that may be associated with a C&C, let's say. Okay. Or other malicious activity as well. Yep.

"Are you saying that tool is nmap in the browser?" So the question is, I'm going to repeat the question. So the question is, is that tool nmap in a browser? Yes. So you can go to nmap.online right now and scan any public IP from the browser, and it will not be initiated from your current public IP. It will be initiated from their service's public IP. You get the difference, right? So you're not going to be responsible for that scanning. Don't abuse it. Okay. And the beauty is you can automate this as well through API, which is cool, right? So you can ask to scan any IP. Of course, for those of you who are familiar with nmap, it could take anything from a couple of seconds to a couple of minutes, right, to get the result. So the first request you ask... can you hear me? Well, yeah. Okay. You ask the service to scan the IP. It gives you, I think it's a scan ID. Then you get the scan ID and you do another request to get the result, and then you get all the results in JSON format, of course. Yeah. "Do you have one?" Not yet. No. Okay. Yes.

"What's the advantage or disadvantage to...?" Yeah, I will give you an example. Okay. The company that I'm working... I'll repeat the question. So the gentleman here was asking what's the advantage of having an external service scan the public IP on behalf of you, right, instead of scanning it yourself, I guess, right? Okay, so I'm going to give you an example here. Of course this is to scan a public IP, not an internal IP; that's a little bit different, right? So I'm going to give you a short example. I work for a company and I'm building workflows and playbooks, okay? And I had the idea to create a port scan within our own XDR platform, which is in the cloud. And to test the solution, I was port scanning 1.1.1.1. Okay. And a couple of minutes later on, I got a call from someone from security at my organization saying, "What the hell are you doing?" Okay. 1.1.1.1 is owned by one of our competitors. So I said, "Okay, yes, mister. I'm going to stop what I'm doing and I'm going to delete that workflow." And then I did some research, and then I found out about nmap.online, right? Makes sense? Perfect. Yeah.

"Do you know who owns nmap.online, or do we just scan our own infrastructure?" So the question is, do you know who owns nmap.online? No, I don't. Neither do most people, I guess, as well. "Is that service...?" That's a good question. Is that service used for good or bad? I don't know. Right. It's probably used for bad as well. It's just like you're using it. So whatever you're typing into, you know... Oh, that's... But that's a good point as well. So the question is, whatever you're typing in or you're searching for, is it public? Yes, it is. So if you're searching for a specific IP and scanning a specific IP, it will be reported on their web page. Okay. The result will be public. So it can be used later on by someone else with bad intentions, right? But I think you can pay an extra fee and get those scans private. Anyway, I'm just telling you here.

MAC address. The last talk was pretty cool. It's almost like: get rid of the MAC address, right? But MAC addresses are still used a lot in our infrastructure wherever you go. And there are multiple different reasons why you want to look at the vendor behind that MAC address while you're doing an investigation. Remember, an investigation could be not only on an external threat, it could be from an internal threat as well, right? And when it's from an internal threat, most of the time you do have access to a MAC address as well that is tied to an internal IP. So what are the different use cases here? You may want to double check, right? Typically it's a printer that is tied to that MAC address. Is it still a MAC address that is owned? Is it a MAC address that is owned by another vendor? It may be a Mac or whatever other type of device as well. It doesn't make sense. Identify rogue devices as well, right? Or you may also want to maybe scan all the MAC addresses in your switches and APs, right, and say, I'm not supposed to have any iPhone. Why do I have a MAC address that is linked to an iPhone in my infrastructure? Right? And so on and so forth. Again, Postman. These are just for reference, but it's quite easy to look at a MAC address. There's not even an authentication mechanism or a key for that.

So this one is pretty cool as well: iptables. How many of you are familiar with iptables? I guess some of you, right? Gentleman at the back there. Oh, there we go. Sorry, I hit someone on the way. So iptables is pretty cool. For those of you who are not familiar with iptables, it's kind of a host firewall for Linux, whatever OS. So there is someone, or a group, whatever, that has created a tool that allows you, through API, to add an IP to be blocked on iptables. Okay. So now we are in the response phase, right, while the other services were more into the investigation and enrichment phase. Now we are more into the response phase here. Is it scalable? No, it's not, right. Remember these are free services, free tools or whatever that you can use as a proof of concept or for whatever other reason as well. If you're cheap, you don't have money or so on and so forth, you can leverage that for sure, right? And on top of that, there are some other mistakes that they're doing within that script that I've been looking at. They do not authenticate requests. So if you're a bad actor and you have compromised their infrastructure, you can literally add, block, remove any IP on their server, right? You can totally isolate their server. Block a server, isolate a server as well. This could be useful when you're under attack, let's say. The way it's built, you have to compile and install a small tool on each individual server, of course, in that case, and then it's just a matter of adding an IP to the iptables and that's it, and that IP will be blocked after that. Makes sense?

I've reached the end of my presentation, but I do want to talk about one more thing that I have not created any slide for, because I want to keep this for later on. But ChatGPT, AI in general, is pretty cool. One of the other use cases as well that I have imagined, and I want to be able to build as well, is to take any phishing email, let's say, and start a conversation with the bad actor, right? Using AI, using the ChatGPT API or whatever other artificial intelligence API as well. So I can gather more information about threat actors in general, right? That would be cool. But again, I think my talk was more on: let's give you some tools, let's give you some ideas as well, so that you can start on your own to start your journey on adding additional free services to your XDR strategy. Let's say, think outside of the box. Any comments, questions?

So the comment was, "Is this a phishing attempt?" No, maybe. Yeah, maybe. Of course, maybe. Thank you very much, and see you next year.
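The "correlate and prioritize" loop the speaker describes (query a reputation service for a file hash, parse the JSON, keep only the fields that matter, and raise the incident's score so the analyst looks at the right ticket first), written out as an added Python example. This is not code from the talk, nor from Cisco, VirusTotal or abuse.ch. The request shapes it uses (VirusTotal v3 `GET /api/v3/files/<sha256>` with an `x-apikey` header and a `last_analysis_stats` block; MalwareBazaar `POST https://mb-api.abuse.ch/api/v1/` with form fields `query=get_info` and `hash=`) are assumptions, and every response body, hash and signature name below is constructed sample data so the script runs offline. The `fetch` callable is the seam where a real HTTP client and your own API key go in.

```python
"""Enrich incidents with hash reputation and rank them (added example, not from the talk).

The VirusTotal v3 and MalwareBazaar request/response shapes used here are assumptions,
and every response body below is constructed sample data so the script runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

VT_FILES = "https://www.virustotal.com/api/v3/files/"   # assumed: GET <url><sha256>, header x-apikey
MB_API = "https://mb-api.abuse.ch/api/v1/"             # assumed: POST form query=get_info&hash=<sha256>
VT_API_KEY = "<YOUR-VIRUSTOTAL-API-KEY>"               # placeholder; load from a secret store, rotate it

# Constructed sample hashes (not real IoCs).
H_BAD = "a" * 64
H_CLEAN = "b" * 64

# Constructed responses, keyed by (method, url, sorted form fields). Shapes are assumptions.
CANNED = {
    ("GET", VT_FILES + H_BAD, None): {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 41, "suspicious": 2, "undetected": 17, "harmless": 0}}}},
    ("GET", VT_FILES + H_CLEAN, None): {"data": {"attributes": {
        "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 60, "harmless": 0}}}},
    ("POST", MB_API, (("hash", H_BAD), ("query", "get_info"))): {"query_status": "ok", "data": [
        {"sha256_hash": H_BAD, "file_type": "exe", "signature": "ExampleRAT", "tags": ["exe", "RAT", "stealer"]}]},
    ("POST", MB_API, (("hash", H_CLEAN), ("query", "get_info"))): {"query_status": "hash_not_found"},
}

Fetch = Callable[[str, str, Optional[dict], Optional[dict]], dict]


def canned_fetch(method: str, url: str, headers: Optional[dict] = None, data: Optional[dict] = None) -> dict:
    """Stand-in for an HTTP client; replace with requests/urllib once you have an API key."""
    key = (method, url, tuple(sorted(data.items())) if data else None)
    if key not in CANNED:
        raise LookupError(f"no canned response for {method} {url}")
    return CANNED[key]


@dataclass
class Incident:
    ident: str
    sha256: str
    base_score: int = 10
    score: int = 0
    reasons: list = field(default_factory=list)


def enrich_hash(sha256: str, fetch: Fetch = canned_fetch) -> dict:
    """Query both services and keep only the fields an analyst needs; ditch the rest."""
    vt = fetch("GET", VT_FILES + sha256, {"x-apikey": VT_API_KEY}, None)
    stats = vt["data"]["attributes"]["last_analysis_stats"]
    total = sum(stats.values()) or 1            # guard against an empty stats block
    mb = fetch("POST", MB_API, None, {"query": "get_info", "hash": sha256})
    hit = mb["data"][0] if mb.get("query_status") == "ok" and mb.get("data") else {}
    return {
        "malicious_ratio": stats.get("malicious", 0) / total,
        "signature": hit.get("signature"),
        "tags": [t.lower() for t in hit.get("tags", [])],
    }


HIGH_RISK_TAGS = {"rat", "stealer", "ransomware"}


def score_incident(inc: Incident, enrichment: dict) -> tuple:
    """Raise the ticket's score for each piece of context that points at real malware."""
    score, reasons = inc.base_score, []
    ratio = enrichment["malicious_ratio"]
    if ratio >= 0.5:
        score += 50
        reasons.append(f"{ratio:.0%} of engines flag the file as malicious")
    elif ratio > 0:
        score += 20
        reasons.append(f"{ratio:.0%} of engines flag the file as malicious")
    if enrichment["signature"]:
        score += 20
        reasons.append(f"MalwareBazaar signature: {enrichment['signature']}")
    risky = HIGH_RISK_TAGS & set(enrichment["tags"])
    if risky:
        score += 10
        reasons.append("high-risk tags: " + ", ".join(sorted(risky)))
    return score, reasons


def prioritize(incidents: list, fetch: Fetch = canned_fetch) -> list:
    """Enrich every incident, then hand the analyst the highest-scoring ones first."""
    for inc in incidents:
        inc.score, inc.reasons = score_incident(inc, enrich_hash(inc.sha256, fetch))
    return sorted(incidents, key=lambda i: i.score, reverse=True)


if __name__ == "__main__":
    queue = [Incident("INC-1001", H_CLEAN), Incident("INC-1002", H_BAD)]
    for inc in prioritize(queue):
        print(f"{inc.ident} score={inc.score} " + "; ".join(inc.reasons))
```

The scoring thresholds are arbitrary and exist only to show the mechanism; the point is that the enrichment step returns a small, stable dict so the rest of the playbook never touches the raw vendor JSON, and that a single replaceable `fetch` keeps the API key and the HTTP details in one place, which also makes the key rotation the speaker says nobody does a one-line change.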