Threat Hunting with Threat Intelligence
With more people working from home, the threat landscape continues to change. Things change daily, and cybersecurity staff needs to change with them to protect information. Threat hunting techniques for an evolving landscape need to tie risk together with log data.
How to start threat hunting by preparing information
Within your environment, there are a few things that you can do to prepare for effective threat hunting. Although none of these is a silver bullet, they can get you better prepared to investigate an alert.
Identify log sources
The first step to preparing your data is knowing what log sources best benefit from threat intelligence. Threat intelligence gives you indicators of compromise (IoCs) for attacks that have already happened in the wild or could be likely. You need to tie IoCs to the right log data.
For more information:
Planning Your Log Collection has some good information on how to identify log sources.
The Importance of Log Management and Cybersecurity discusses how centralized log management supports cybersecurity.
To compare data as part of the analysis, you need to normalize the fields for the sources. This means making sure that you can standardize the format for better correlation. Since event log sources use different formats, you want to make sure to normalize fields. This lets you compare data from different security tools to identify threats more effectively.
For more information:
VPN and Firewall Log Management includes details on how to make your logs useful by normalizing the data.
Bringing in threat intelligence
Graylog has a built-in threat intelligence plugin focusing on IPv4 addresses and domain addresses as indicators. You only need to do two things to integrate the plugin with your current log strategy:
- Enable using the system configurations plugin section
- Integrate with your log data using pipeline rules.
When you enable the plugin, you can choose some or all capabilities. Some of the capabilities available include:
- IPv4 data for Tor exit nodes
- Abuse.ch information for Spamhaus
- Ransomware trackers
- IP addresses and domain names
Setting pipeline rules
Setting the pipeline rules gives you the data you need for your unique environment. As part of doing this you:
- Select the lookups
- Look for the components you want to compare against
For more information:
Pipelines and Rules in Graylog Graylog Documentation
If you’re looking for destination addresses, you can add a threat intel lookup component to a chosen IP address. Then, you add that detail to the log message to help analyze threat intelligence and risk associated with the logs collected. You could also do that for the source address or domain address.
Using third-party threat feeds
Decisions about the integrated components happen on the backend as part of the selection process. As part of this, you can include additional information not contained in the threat intelligence plugin.
Choosing the threat feeds
The first step is knowing the types of threat feeds you want and how to integrate with Graylog.
You can also incorporate the following threat data:
- Domain and IP address reputation
- Hash values
- MD5 and SHA hashes
- Snippets of code
- Geographical IP (GeoIP) data
Graylog supports several formats, including:
- Some APIs
- DNS lookups
- HTTP JSON paths
Setting up third-party threat feeds
When setting up these feeds, you need to take two additional steps.
Add a data adapter
Under system configuration, go to lookup tables, then click on data adapters. The data adapter sets the type of file or link that the intelligence feed uses to connect to Graylog. When connecting the feed, consider:
- Whether the path is local or HTTP
- How often to update the feed
- How often to check for updates to the feed
Create the delimiter
Third-party feeds can give you visibility into a wide range of information. Setting the delimiter formats the feed, the keys you’re looking for, and the values Graylog returns. Third-party feeds also let you:
- Incorporate risk weighting as to whether a source or destination IP is suspicious
- Whether information is included on a threat intelligence list or not
Setting the keys and values is central to ensuring that the analysis and log data transformation is appropriate. You want to collect data that gives your threat hunting team the visibility needed to assess the risk appropriately.
Create a cache
Caching data on the Graylog server is faster than doing a live lookup. However, to right-size your cache to your resources, you want to make sure that you establish best practices for memory and processing.
Best practices for establishing a cache include:
- Setting it between 10,000 and 50,000 entries
- Evaluating what you’re inspecting
- Making sure that this is an effective number for your organization’s needs
Integrate pipeline rules into your processes
Like with the plugin, you want to make sure that the third-party threat intelligence is returned to the log message. Based on event attributes, you create the lookup values on the table. When you get an event that you want to search or inspect in Graylog, you have additional values associated with the potentially malicious activity o enhance your security team’s review.
Using automated notifications
Finally, you can create the same alerting and correlation notifications for threat intelligence as you do for other events. Since you’re leveraging transformed data within the events themselves, you can create alerts like IP reputation threats. You can define the streams for conditions that will generate notifications.
However, to optimize your threat intelligence information, you can correlate the data with business elements like compliance sources, devices in scope, and former employees. By leveraging threat intelligence for external threats along with business intelligence, you can use the same lookup tables in a dynamic fashion with dynamic lists for a highly valuable output.
For more information:
Detecting Security Vulnerabilities with Alerts discusses how the safest approach is to have an automated way to verify and alert when system vulnerabilities are discovered, or worse when attackers are actively targeting your systems.
Graylog: Evolving Your Threat Hunting Techniques for a Changing Landscape
It should come as no surprise that threat actors are shifting their attack methodologies. Keeping your organization safe means recognizing new cyber threats and finding ways to detect them in your environment rapidly. While never being breached would be ideal, it is not the most likely outcome today.
By connecting your centralized log management solution to threat intelligence, you can combine business risk and cybersecurity risk. By doing this, your threat hunters can set more meaningful alerts, reducing the time it takes to detect, investigate, and respond to emerging threats.
Graylog provides a threat intelligence plugin and lets you add third-party threat intelligence feeds into your investigation pipelines to enhance your alerting and notifications settings. Ultimately, the more data you can correlate, the stronger your threat hunting and incident response programs will be.