![\"Retail](\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png\")
<\/a><\/p>\n<\/p>\n
Long overlooked as a threat surface,\u00a0many organizations have become increasingly concerned about their network infrastructure and attackers using these devices in combination with living off the land\u00a0(LOTL)\u00a0techniques to accomplish their various nefarious objectives:\u00a0One of those actors, dubbed Salt Typhoon, made headlines earlier this year\u00a0and\u00a0brought this often neglected threat surface to the forefront in many peoples\u2019 minds.<\/p>\n
The Cisco Talos\u00a0analysis\u00a0of Salt Typhoon\u00a0observed that the threat actors, often using valid stolen credentials,\u00a0accessed\u00a0core networking infrastructure in several instances and then used\u00a0that infrastructure to collect a variety of information, leveraging\u00a0LOTL\u00a0techniques. Some of the recommendations to detect and\/or protect your environments include:<\/p>\n
- \n
- Monitor your environment for unusual changes in behavior or configuration.<\/li>\n
- Profile (fingerprint via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening\/closing and traffic to\/from (not traversing).<\/li>\n
- Where possible, develop NetFlow visibility to\u00a0identify\u00a0unusual volumetric changes.<\/li>\n
- Encrypt all monitoring and configuration traffic (SNMPv3, HTTPS, SSH, NETCONF, RESTCONF).<\/li>\n
- Prevent and\u00a0monitor\u00a0for exposure of administrative or unusual interfaces (e.g., SNMP, SSH, HTTP(s)).<\/li>\n<\/ul>\n
Below,\u00a0we will examine how some of these monitoring and detection actions can be\u00a0accomplished\u00a0with\u00a0Cisco Secure Network Analytics\u00a0(SNA).<\/p>\n
Network Threat Detection with Cisco Secure Network Analytics<\/h2>\n
Through the collection of network metadata, predominately\u00a0NetFlow\/IPFIX,\u00a0Cisco\u00a0SNA\u00a0provides enterprise-wide network visibility and behavioral analytics to detect anomalies indicative of threat actor activity, such as the\u00a0LOTL\u00a0techniques used by some of these sophisticated threat actors. With a little tuning and some\u00a0customization,\u00a0the analytics and threat detections can be made to reliably\u00a0identify\u00a0threat actors misusing network equipment.<\/p>\n
In tuning SNA for these types of detections,\u00a0we\u2019re\u00a0going to do three major tasks:<\/p>\n
- \n
- Configure Host Groups for Infrastructure<\/li>\n
- Create Custom Security Events and Role\u00a0Policies<\/li>\n
- Create a Network Diagram for Monitoring<\/li>\n<\/ol>\n
1. Configure Host Groups for Infrastructure<\/h3>\n
- \n
- Define\u00a0Host Groups<\/strong>\u00a0in SNA to categorize your network infrastructure devices such as routers, switches, and jump hosts.\u00a0This grouping allows focused monitoring and easier identification of suspicious communications involving critical infrastructure.<\/li>\n<\/ul>\n\n
![\"Host](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/11\/01-host_groups.webp\")
![\"02-Custom_Security_Events\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/11\/02-Custom_Security_Events.webp\")
![\"03-Role_policies\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/11\/03-Role_policies.webp\")
![\"04-Network-diagram\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/11\/04-Network-diagram.webp\")
![\"05-Host-snapshot\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/11\/05-Host-snapshot.webp\")
![\"06-flow-serach\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2025\/11\/06-flow-serach.webp\")
- Define\u00a0Host Groups<\/strong>\u00a0in SNA to categorize your network infrastructure devices such as routers, switches, and jump hosts.\u00a0This grouping allows focused monitoring and easier identification of suspicious communications involving critical infrastructure.<\/li>\n<\/ul>\n