Maximizing Network Threat Intel with Bro

Blue

There are multiple ways to use threat intelligence to monitor networks for suspicious activity — our Falcon Host platform does it by integrating with Falcon Intelligence, and many other tools and SIEMs have capabilities to hook into threat intel feeds. One of my favorite open-source network detection tools, the Bro network security monitor, includes an Intelligence Framework that is dedicated entirely to consuming threat intel and detecting indicators in network traffic. Utilizing the framework is a quick way to turn threat intel feeds into actionable alerts. By default the framework supports detection for multiple types of indicators, including IP addresses, domains, and file hashes. This is a good start for many organizations, but we track and collect more indicators than the framework currently supports. Additionally, I’m always looking for new opportunities to use the tool to identify malicious activity, especially if the activity can be tied to our intelligence data. For those reasons, I found the need to extend the framework and build a new way to detect malicious activity while utilizing our threat intel — and I’d like to share with the Bro and open-source community.

To start, I have extended the Intelligence Framework to support detection of three new types of indicators: email subjects, SSL certificate subjects, and usernames. There a few reasons why I chose these three indicator types: first, monitoring for email subjects can allow analysts to track phishing campaigns; second, adversaries may use unique SSL certificates, and these can be used as reliable indicators of malicious activity; third, tracking usernames is useful for monitoring adversary activity related to remote system authentication and data exfiltration. Additionally, these extensions to the framework include IP address detection in UDP, ICMP, and non-established TCP connections and domain detection in DNS responses.

The extensions to the framework are available for download on the CrowdStrike GitHub page. While these extensions do not include threat intel data (look to the Falcon Intelligence portal to fill that need), they enhance the capabilities of Bro’s intelligence detection for any feed.

In addition to extending the capabilities of the Intelligence Framework, I’d like to share a detection script that can prioritize malicious activity. The script — available on the CrowdStrike GitHub page — dynamically correlates Bro indicator matches and notices per host.

The script works by monitoring hosts for indicator or notice activity and, if any combination of multiple indicators or notices are seen, a meta-notice (referred to in the script as an “alert”) is generated. The alert details what indicators and/or notices were seen and what host saw them. This can be useful for providing urgency and priority to indicator hits such as when a host performs a DNS request for a known bad domain and then connects to a known bad IP address. In addition to indicator / notice correlation, the script includes variables that can be used to customize it for specific environments including the amount of time to monitor for correlations, the number of indicators and notices to see before raising alerts, whitelisting notices for exclusion from correlation, and whitelisting of local proxy servers.

The script functionality is shown below by using an old NetTraveler sample. With an indicator file containing NetTraveler artifacts, Bro’s Intelligence framework monitors for the indicators in different places in network traffic; in this example, NetTraveler command-and-control activity is identified by a specific domain and IP address. The output below is Bro’s default behavior when loading indicators into the Intelligence framework; this data appears in the intel.log:

#fields  ts   uid  id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator     seen.indicator_type  seen.where seen.node sources

#types    time string    addr port addr port string    string    string    string    enum enum string     set[string]

1357443822.583158    CLkHkT1GYI5s28YFAi   172.16.253.130 53   4.2.2.2   53   –    –    –    www.gami1.com     Intel::DOMAIN  DNS::IN_REQUEST bro  contagiodump

1357443823.577967    CcjJwqqArdNPgvEs2    172.16.253.130 53   8.8.8.8   53   –    –    –    www.gami1.com     Intel::DOMAIN  DNS::IN_REQUEST bro  contagiodump

1357443823.578188    CLkHkT1GYI5s28YFAi   172.16.253.130 53   4.2.2.2   53   –    –    –    www.gami1.com     Intel::DOMAIN  DNS::IN_REQUEST bro  contagiodump

1357443824.085958    CLkHkT1GYI5s28YFAi   172.16.253.130 53   4.2.2.2   53   –    –    –    110.34.193.13     Intel::ADDR    DNS::IN_RESPONSE     bro  contagiodump

1357443824.085985    CLkHkT1GYI5s28YFAi   172.16.253.130 53   4.2.2.2   53   –    –    –    110.34.193.13     Intel::ADDR    DNS::IN_RESPONSE     bro  contagiodump

1357443824.176268    C4tG7S3a8B5nLyAmk9   172.16.253.130 1091 110.34.193.13  80   –    –    –     110.34.193.13  Intel::ADDR    Conn::IN_RESP  bro  contagiodump

1357443824.176508    C4tG7S3a8B5nLyAmk9   172.16.253.130 1091 110.34.193.13  80   –    –    –     www.gami1.com  Intel::DOMAIN  HTTP::IN_HOST_HEADER bro  contagiodump

The correlation script monitors for these indicator hits and determines if the same internal host was involved with at least two unique indicators. The output below is generated by the script; this data appears in the notice.log:

#fields   ts   uid  id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto     note     msg  sub  src  dst  p    n    peer_descr actions   suppress_for   dropped     remote_location.country_code   remote_location.region    remote_location.city remote_location.latitude     remote_location.longitude

#types    time string    addr port addr port string    string    string    enum enum string    string     addr addr port count     string    set[enum] interval  boolstring string    string    double     double

1357443946.141500    –    –    –    –    –    –    –    –    –    CrowdStrike::Correlated_Alerts Host 172.16.253.130 was involved with 2 unique indicators     Indicator: www.gami1.com, Indicator: 110.34.193.13     172.16.253.130 –    –    2    bro  Notice::ACTION_LOG   3600.000000    F    –    –    –    –    –

There are two critical fields in the notice above: the msg field tells analysts which host was involved with multiple indicator hits and how many indicators were seen and the sub field tells analysts what specific indicators appeared. These two fields are dynamic depending on what combination of indicators and notices were seen. As with the extensions mentioned earlier, the usefulness of this script comes from the quality of indicators. It is most useful when paired with a threat intel feed of well-curated and up-to-date indicators. For anyone with a threat intel feed and the Bro platform, or anyone thinking about using a threat intel feed with the Bro platform, the script and framework extensions above provide more ways to find and quickly identify malicious activity in network traffic.

 

Stop Breaches with CrowdStrike Falcon request a live demo