As a best practice, many security professionals consider SIEM as a storage for all possible logs which are collected from various endpoint, servers, network equipment and software. This allows for the ability to correlate different types of events and effectively identify security threats. However, it doesn’t magically happen and may remain an unreachable dream if enough effort is not put into data aggregation and correlation.. Every day thousands of security incidents are left uninvestigated because of lack of resources and automation. So one of the issues is how to effectively identify real threats and prioritize them. Sometimes it’s like looking for a needle in a haystack.
Infoblox is a provider of a technical threat intelligence which includes domains, FQDNs, ip-addresses and URLs. These threat intelligence indicators may be used on different platforms like NGFW, Secure Proxy, SIEM etc.
Infoblox gives you not only threat intelligence indicators to detect threats but also information on why an indicator is malicious. Using threat class and property (name) it is possible to successfully identify the type of threat as well as a mitigation procedure.
As mentioned earlier, a SIEM platform contains all kind of events from various software and network equipment, so the indicators can be used to enrich any log messages which contain relevant fields.
For example, web-server access logs contain a source (or requestor) IP address and a URL. Both properties can be used in conjunction to detect and mitigate malicious traffic and hunt new threats. The idea is simple – that known HTTP scanners scan for specific software and vulnerabilities. Based on requested URLs we can find out what kind of tools are used and which vulnerabilities malicious actors are trying to exploit. Analyzing similar requests, we can find other hosts that scan our network. Blocking access to such scanners can significantly reduce attack surface.
An another example, on the screenshot below you can see a Splunk dashboard which displays bruteforce attempts on my SSH server (BTW it is not recommended to have SSH exposed to the Internet). The dashboard is powered by Infoblox’s threat intelligence. It is worth mentioning that based on my observations, 5%-20% (depending on a day) of known scanners generate 60%-95% attacks.
To generate the report, I’m using a lookup tool I wrote, also available on GitHub (https://github.com/Homas/Splunk_AT_Lookup). The tool allows you to enrich log messages with threat intelligence (Infoblox, SURBL, Farsight, CrowdStrike etc) available via Infoblox TIDE.
The tool consists of 2 scripts:
- a script which downloads indicators and stores them in a local SQLite database. It should be executed on a schedule to periodically update DB
- a lookup tool which searchs domains/FQDNs, IPs and URLs in a local database and returns threat properties. A single indicator may be associated with one or more threat properties.
The list of indicators of compromise are continuously updated so:
- It is important to store already enriched logs to easily access this information and not lose it, in case your threat intel vendor cannot provide you access to historical data or a subscription expires. Infoblox TIDE does provide access to historical data.
- It’s also worth to validate logs (e.g. DNS response logs) from the last few days on the indicators which were recently added.
To further investigate incidents Splunk offers an easy way to drilldown to Infoblox Dossier. To access Dossier from a Splunk dashboard you will need to use the following URL in the drilldown configuration:
“$row.field$” contains an indicator in a row which was clicked (there are some other options available to configure drilldown). The column may contain any supported indicator type: domain/fqdn, ip-address, url, check sum, email. Because there is no single sign-on you may be asked to authenticate.
I hope this short article was useful and showed you how to empower your SIEM with accurate and contextual threat intelligence for faster correlation of events.