Week #7: Observing the Path from Threat Intelligence to Network Protection
Day 1: Introduction to MS-ISAC IOC Reports
Today, I spent time learning how cybersecurity teams use MS-ISAC IOC (Indicators of Compromise) Reports to stay ahead of emerging threats. These reports provide updated lists of suspicious IP addresses, domains, and file hashes that could be tied to malicious activity.
Key things I learned:
- Purpose of IOC Reports: They act like early warning systems, giving security teams a heads-up on new phishing sites, botnet servers, and malware domains.
- Types of Threats: I reviewed examples showing how IOCs can be linked to ransomware, data breaches, or credential theft.
- The Importance of Accuracy: Before taking any action, analysts verify the IOCs to avoid accidentally blocking legitimate traffic.
This helped me understand how threat intelligence becomes actionable information that protects a network.
Day 2: Observing IP and Domain Blocking with IP MAN
On Tuesday, I shadowed security analysts as they walked me through how IP addresses and domains from IOC reports are blocked using IP MAN, the City’s web security platform.
Key things I learned:
- Accessing IP MAN: Analysts log into the system through a secure ITSD page and use admin credentials to manage settings.
- Updating Block Lists: I learned about the process of inserting new IPs and URLs into categories like “Blocked Sites from MS-ISAC” within the Web Content Filtering area.
- Publishing Updates: After updates are made, analysts commit and publish changes to push new security rules across the entire network.
Even though I didn’t apply the changes myself, watching the process made me realize how careful analysts must be when handling live security systems.
Day 3: Learning About Bulk IP Lookups and Threat Context
Wednesday was all about learning how analysts deepen their understanding of threats by researching IP addresses and domains before taking any action.
Key things I learned:
- Bulk IP Lookups: I was shown how tools like “ShowMyIP” allow analysts to run multiple IP addresses at once to get information about their country, ISP, and organization ownership.
- Threat Pattern Analysis: Analysts use this data to spot larger patterns — like noticing many suspicious IPs coming from the same country or network.
- Prioritization: Not every flagged IP is an immediate danger. Analysts prioritize which threats need immediate blocking based on what they learn from the lookups.
It was exciting to see how contextual information makes threat reports much more useful for decision-making.
Day 4: Understanding Cisco AMP and Endpoint Protection
On Thursday, I learned how Cisco AMP (Advanced Malware Protection) is used to extend threat blocking down to individual computers and devices.
Key things I learned:
- Blocking IPs and URLs: Analysts add flagged IP addresses into AMP’s block list to prevent infected devices from communicating with bad servers.
- SHA Hash Uploads: When IOC reports include hashes of malware files, analysts upload these into AMP’s Execution Blacklist to block them from running on any endpoint.
- Documentation: Every change made — like new blocks or hash uploads — is documented carefully to maintain records for compliance and future audits.
Although I didn’t interact directly with AMP today, seeing how the system is used to protect endpoints in real time gave me a strong sense of how multi-layered cybersecurity defense works.
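As an added example that is not part of this journal or of the City’s tools, the checks described on Day 1 (verifying IOCs before blocking), Day 3 (bulk lookups and pattern spotting) and Day 4 (hash uploads) folded into one small Python triage step: it validates each indicator, rejects internal ranges and an allowlist of known-good assets, normalizes hashes to lowercase, and counts how many flagged IPs share one organization. The IOC lines, the enrichment table (standing in for ShowMyIP output) and the allowlist are all constructed sample data.

```python
import ipaddress
import re
from collections import Counter
# Constructed sample IOC report (not a real MS-ISAC report): type,value,category
SAMPLE_IOCS = """\
ip,203.0.113.7,botnet-c2
ip,203.0.113.9,botnet-c2
ip,198.51.100.4,phishing
ip,10.0.0.5,phishing
domain,login-example.invalid,phishing
domain,intranet.example.invalid,phishing
sha256,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF,ransomware
sha256,notahash,ransomware
"""
# Constructed enrichment table standing in for bulk lookup output: (country, org)
ENRICHMENT = {"203.0.113.7": ("XX", "AS64500 ExampleHost"),
              "203.0.113.9": ("XX", "AS64500 ExampleHost"),
              "198.51.100.4": ("YY", "AS64501 OtherNet")}
# Constructed allowlist of known-good assets that must never be blocked
ALLOWLIST = frozenset({"intranet.example.invalid"})
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def validate(kind, value):
    """True only for a well-formed indicator that is safe to act on."""
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return not any(addr in net for net in INTERNAL)  # never block own ranges
    if kind == "domain":
        return bool(DOMAIN_RE.match(value))
    if kind == "sha256":
        return bool(SHA256_RE.match(value))
    return False

def triage(report, allowlist=ALLOWLIST):
    """Verify and enrich IOC lines; return (actionable, rejected, flagged IPs per org)."""
    actionable, rejected = [], []
    for line in report.strip().splitlines():
        kind, value, category = [f.strip().lower() for f in line.split(",")]
        if value in allowlist or not validate(kind, value):
            rejected.append((kind, value))
            continue
        country, org = ENRICHMENT.get(value, ("?", "?")) if kind == "ip" else ("", "")
        actionable.append((kind, value, category, country, org))
    org_counts = Counter(a[4] for a in actionable if a[0] == "ip")
    return actionable, rejected, org_counts
```

The `rejected` list is what an analyst reviews by hand before anything reaches the web filter or the AMP blacklist; the `org_counts` view is the kind of clustering that prompts prioritizing a whole network over a single address.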