There are multiple ways to use threat intelligence to monitor networks for suspicious activity — our Falcon Host platform does it by integrating with Falcon Intelligence, and many other tools and SIEMs have capabilities to hook into threat intel feeds. One of my favorite open-source network detection tools, the Bro network security monitor, includes an Intelligence Framework that is dedicated entirely to consuming threat intel and detecting indicators in network traffic. Utilizing the framework is a quick way to turn threat intel feeds into actionable alerts. By default the framework supports detection for multiple types of indicators, including IP addresses, domains, and file hashes. This is a good start for many organizations, but we track and collect more indicators than the framework currently supports. Additionally, I’m always looking for new opportunities to use the tool to identify malicious activity, especially if the activity can be tied to our intelligence data. For those reasons, I found the need to extend the framework and build a new way to detect malicious activity while utilizing our threat intel — and I’d like to share with the Bro and open-source community.
To start, I have extended the Intelligence Framework to support detection of three new types of indicators: email subjects, SSL certificate subjects, and usernames. There are a few reasons why I chose these three indicator types: first, monitoring for email subjects can allow analysts to track phishing campaigns; second, adversaries may use unique SSL certificates, and these can be used as reliable indicators of malicious activity; third, tracking usernames is useful for monitoring adversary activity related to remote system authentication and data exfiltration. Additionally, these extensions to the framework include IP address detection in UDP, ICMP, and non-established TCP connections and domain detection in DNS responses.
The extensions to the framework are available for download on the CrowdStrike GitHub page. While these extensions do not include threat intel data (look to the Falcon Intelligence portal to fill that need), they enhance the capabilities of Bro’s intelligence detection for any feed.
In addition to extending the capabilities of the Intelligence Framework, I’d like to share a detection script that can prioritize malicious activity. The script — available on the CrowdStrike GitHub page — dynamically correlates Bro indicator matches and notices per host.
The script works by monitoring hosts for indicator or notice activity and, if any combination of multiple indicators or notices is seen, a meta-notice (referred to in the script as an “alert”) is generated. The alert details what indicators and/or notices were seen and what host saw them. This can be useful for providing urgency and priority to indicator hits, such as when a host performs a DNS request for a known bad domain and then connects to a known bad IP address. In addition to indicator / notice correlation, the script includes variables that can be used to customize it for specific environments, including the amount of time to monitor for correlations, the number of indicators and notices to see before raising alerts, whitelisting notices for exclusion from correlation, and whitelisting of local proxy servers.
The script functionality is shown below by using an old NetTraveler sample. With an indicator file containing NetTraveler artifacts, Bro’s Intelligence framework monitors for the indicators in different places in network traffic; in this example, NetTraveler command-and-control activity is identified by a specific domain and IP address. The output below is Bro’s default behavior when loading indicators into the Intelligence framework; this data appears in the intel.log:
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc seen.indicator seen.indicator_type seen.where seen.node sources
#types time string addr port addr port string string string string enum enum string set[string]
1357443822.583158 CLkHkT1GYI5s28YFAi 172.16.253.130 53 220.127.116.11 53 - - - www.gami1.com Intel::DOMAIN DNS::IN_REQUEST bro contagiodump
1357443823.577967 CcjJwqqArdNPgvEs2 172.16.253.130 53 18.104.22.168 53 - - - www.gami1.com Intel::DOMAIN DNS::IN_REQUEST bro contagiodump
1357443823.578188 CLkHkT1GYI5s28YFAi 172.16.253.130 53 22.214.171.124 53 - - - www.gami1.com Intel::DOMAIN DNS::IN_REQUEST bro contagiodump
1357443824.085958 CLkHkT1GYI5s28YFAi 172.16.253.130 53 126.96.36.199 53 - - - 188.8.131.52 Intel::ADDR DNS::IN_RESPONSE bro contagiodump
1357443824.085985 CLkHkT1GYI5s28YFAi 172.16.253.130 53 184.108.40.206 53 - - - 220.127.116.11 Intel::ADDR DNS::IN_RESPONSE bro contagiodump
1357443824.176268 C4tG7S3a8B5nLyAmk9 172.16.253.130 1091 18.104.22.168 80 - - - 22.214.171.124 Intel::ADDR Conn::IN_RESP bro contagiodump
1357443824.176508 C4tG7S3a8B5nLyAmk9 172.16.253.130 1091 126.96.36.199 80 - - - www.gami1.com Intel::DOMAIN HTTP::IN_HOST_HEADER bro contagiodump
The correlation script monitors for these indicator hits and determines if the same internal host was involved with at least two unique indicators. The output below is generated by the script; this data appears in the notice.log:
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1357443946.141500 - - - - - - - - - CrowdStrike::Correlated_Alerts Host 172.16.253.130 was involved with 2 unique indicators Indicator: www.gami1.com, Indicator: 188.8.131.52 172.16.253.130 - - 2 bro Notice::ACTION_LOG 3600.000000 F - - - - -
There are two critical fields in the notice above: the msg field tells analysts which host was involved with multiple indicator hits and how many indicators were seen and the sub field tells analysts what specific indicators appeared. These two fields are dynamic depending on what combination of indicators and notices were seen. As with the extensions mentioned earlier, the usefulness of this script comes from the quality of indicators. It is most useful when paired with a threat intel feed of well-curated and up-to-date indicators. For anyone with a threat intel feed and the Bro platform, or anyone thinking about using a threat intel feed with the Bro platform, the script and framework extensions above provide more ways to find and quickly identify malicious activity in network traffic.
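The per-host correlation described above can also be reproduced offline against an existing intel.log. The following is an added example in Python, not the CrowdStrike script or any code from the Bro project; it covers indicator hits only (not notices), and the function names, the parameter names (window, threshold, proxies), the choice of id.orig_h as the correlated host, and the reset of a host's state after an alert are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in Bro intel.log layout (tab-separated, trimmed columns).
# Hosts use documentation address ranges; bad.example.com is a placeholder.
SAMPLE_INTEL_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tseen.indicator\tseen.indicator_type\tseen.where\n"
    "100.0\t192.0.2.10\t198.51.100.53\tbad.example.com\tIntel::DOMAIN\tDNS::IN_REQUEST\n"
    "101.0\t192.0.2.10\t198.51.100.53\tbad.example.com\tIntel::DOMAIN\tDNS::IN_REQUEST\n"
    "102.5\t192.0.2.10\t203.0.113.7\t203.0.113.7\tIntel::ADDR\tConn::IN_RESP\n"
    "110.0\t192.0.2.20\t198.51.100.53\tbad.example.com\tIntel::DOMAIN\tDNS::IN_REQUEST\n"
    "5000.0\t192.0.2.20\t203.0.113.7\t203.0.113.7\tIntel::ADDR\tConn::IN_RESP\n"
)

def parse_bro_log(text):
    """Turn a Bro TSV log into dicts keyed by the names on its #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def correlate(rows, window=3600.0, threshold=2, proxies=frozenset()):
    """Alert when one originating host hits `threshold` unique indicators within `window` seconds."""
    seen = defaultdict(dict)          # host -> {indicator: last time seen}
    alerts = []
    for row in sorted(rows, key=lambda r: float(r["ts"])):
        host, ts = row["id.orig_h"], float(row["ts"])
        if host in proxies:           # assumption: whitelisted proxies are skipped entirely
            continue
        hits = seen[host]
        hits[row["seen.indicator"]] = ts
        # Drop indicators that fell out of the correlation window.
        for ind in [i for i, t in hits.items() if ts - t > window]:
            del hits[ind]
        if len(hits) >= threshold:
            alerts.append({
                "ts": ts,
                "host": host,
                "msg": f"Host {host} was involved with {len(hits)} unique indicators",
                "sub": ", ".join(f"Indicator: {i}" for i in hits),
            })
            hits.clear()              # start a fresh window after alerting
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_bro_log(SAMPLE_INTEL_LOG)):
        print(alert["ts"], alert["msg"], "|", alert["sub"])
```

Repeated hits on the same indicator do not count twice, and the second sample host raises no alert at the default window because its two hits are more than an hour apart.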