US-CERT has provided IOCs that can be used to detect North Korean malicious cyber activity, referred to as HIDDEN COBRA.

For more information about HIDDEN COBRA, please visit https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

ArcSight converted the official IOCs to CSV files that can be imported into the Activate Threat Intelligence Active Lists.

Files (Attached to this page, see bottom):
  • TA17-318A_suspicious_addresses_list.csv
  • TA17-318A_suspicious_entities_list.csv
  • TA17-318B_suspicious_addresses_list.csv
  • TA17-318B_suspicious_entities.csv
  • TA17-164A_suspicious_addresses.csv
  • TA17-164A_suspicious_entities.csv

Follow these steps to manually add the provided IOCs to the Activate Threat Intelligence Active Lists.

* Navigate to Active Lists/Shared/ArcSight Activate/Solutions/Threat Intelligence/Indicators and Warnings.

* Right-click on Suspicious Addresses List and click on Import CSV File…

* Select the correct CSV file. For the Suspicious Addresses List, select the suspicious_addresses_list.csv file and click on Open.

* Verify the data in the Import Preview and click on Import.

* Verify that the data has been imported into the Suspicious Addresses List: right-click on Suspicious Addresses List and click on Show Entries.

* After importing the suspicious_addresses_list.csv files, the Suspicious Addresses List should be filled with the HIDDEN COBRA IOCs.

* Repeat the above steps for the other suspicious_addresses_list.csv files.
* The suspicious_entities_list.csv files need to be imported into the Suspicious Entities List.

After importing the suspicious_entities_list.csv files, the Suspicious Entities List should be filled with the HIDDEN COBRA IOCs.
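
A pre-import check that can be run on a suspicious-addresses CSV before the Import Preview step, so that malformed, duplicate or internal addresses do not end up in the Active List. This is an added example, not part of the original page or of ArcSight's tooling; the page does not show the CSV layout, so the address column (`column=0`) is an assumption, and the sample rows are constructed.

```python
import csv
import io
import ipaddress

# Ranges that do not belong in a suspicious-address list: a match on them
# flags internal or local traffic instead of an external indicator.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample rows (documentation-range addresses, not real IOCs).
SAMPLE_CSV = (
    "203.0.113.10,HIDDEN COBRA\n"
    "203.0.113.10,HIDDEN COBRA\n"
    "10.1.2.3,HIDDEN COBRA\n"
    "198.51.100.300,HIDDEN COBRA\n"
    "2001:db8::5,HIDDEN COBRA\n"
    " 192.168.7.9 ,HIDDEN COBRA\n"
)

def check_address_csv(text, column=0):
    """Return (ok, issues): unique importable addresses, and a list of
    (line number, raw value, reason) for rows to fix before importing.
    column=0 is an assumption; set it to the CSV's address column."""
    ok, issues, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # skip blank lines
        value = row[column].strip() if len(row) > column else ""
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            issues.append((lineno, value, "not an IP address"))
            continue
        if any(addr in net for net in NON_ROUTABLE):
            issues.append((lineno, value, "non-routable address"))
        elif str(addr) in seen:
            issues.append((lineno, value, "duplicate"))
        else:
            seen.add(str(addr))
            ok.append(str(addr))
    return ok, issues

if __name__ == "__main__":
    ok, issues = check_address_csv(SAMPLE_CSV)
    print(len(ok), "usable addresses")
    for lineno, value, reason in issues:
        print(f"line {lineno}: {value!r}: {reason}")
```

A header row, if the file has one, is reported as "not an IP address" on line 1 and can be ignored.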

Topic attachments

| Attachment | Size | Date | Who | Comment |
|---|---|---|---|---|
| TA17-164A_suspicious_addresses.csv | 135.9 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |
| TA17-164A_suspicious_entities.csv | 2.5 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |
| TA17-318A_suspicious_addresses_list.csv | 33.9 K | 22 Nov 2017 - 18:31 | BartOtten | HIDDEN COBRA |
| TA17-318A_suspicious_entities_list.csv | 4.0 K | 22 Nov 2017 - 18:33 | BartOtten | HIDDEN COBRA |
| TA17-318B_suspicious_addresses_list.csv | 34.7 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |
| TA17-318B_suspicious_entities.csv | 12.1 K | 22 Nov 2017 - 18:34 | BartOtten | HIDDEN COBRA |

Topic revision: r4 - 22 Nov 2017, AlexandraLomotan


 

