Automating Intelligence-Driven Threat Hunting without a SOAR

Alex John
2 min read · Feb 6, 2022

I’ve always been a proponent of XREFing organizational context with cyber threat intelligence to produce actionable insights, i.e., matching indicators in logs produced by various entities in an organization with observables obtained from a Threat Intelligence Platform.

The process most organizations follow involves both TTP-based and indicator-based Threat Hunting, and from my own personal experience, the former is far more interesting than the latter. Access to an EDR that supports structured IOC file ingestion can make this process a lot easier, but due to segregation of duties and other internal policies I didn’t have access to one; and to make matters worse, we don’t have a SOAR. Most organizations doing Threat Hunting do, however, have a SIEM and a TIP that aggregates intelligence from various Cyber Threat Intelligence sources. This is why I created an automation tool that would make my life a LOT easier. So I’m not going to talk about the basics of Cyber Threat Hunting or Cyber Threat Intelligence; instead, I will focus on how to drive the automation of indicator-based Threat Hunting with the help of a Cyber Threat Intelligence platform.

I’m lucky enough to have access to a great TIP like Anomali ThreatStream, so the script I wrote uses the ThreatStream API to check whether a rule has produced any matching events. Anomali ThreatStream has a Rules engine that matches observables, sandbox reports, threat advisories/bulletins, vulnerabilities, and signatures. Once you configure the rule’s trigger condition, you can define its actions. Specifically, I’ve created a rule on Anomali ThreatStream that adds any new threat bulletin containing specific keywords to an Investigation. A sample rule creation is shown below.

A sample rule (image): https://www.anomali.com/images/uploads/blog/rules-engine-enhancements2.png

The automation tool checks whether this Investigation has any new threat bulletins. If so, it extracts the relevant indicators, viz. hashes, domain names, IP addresses, etc., from that threat bulletin. It then generates a search query, an SPL query in this instance, and searches the past x days. If this search yields results, it alerts the Threat Intelligence Analysts on MS Teams with the relevant hunt stats via an MS Teams webhook. The script also assigns the Investigation on Anomali ThreatStream to a workgroup and adds the hunt results to it.
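The extract, query and notify steps described above, as an added Python example that is not the author’s tool: it leaves out the ThreatStream API polling and the Splunk search execution, and shows indicator extraction from a constructed bulletin, SPL generation for the past N days, and the Teams webhook payload. The Splunk field names and the sample bulletin are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample bulletin text (not a real ThreatStream bulletin).
SAMPLE_BULLETIN = """Campaign update: the loader beacons to update.example-cdn[.]net
and 203.0.113.45 over TCP 443. Dropper SHA256 is
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
Second stage hosted on 198.51.100.7; staging domain files.example.org."""

PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}
# Field names are assumptions; map them to your SIEM's data model.
FIELD_MAP = {"ip": ["src_ip", "dest_ip"], "domain": ["query", "dest_host"],
             "sha256": ["file_hash"]}

def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Pull hashes, IPs and domains out of bulletin text, refanging '[.]' first."""
    text = text.replace("[.]", ".")
    return {kind: sorted(set(p.findall(text))) for kind, p in PATTERNS.items()}

def build_spl(ind: Dict[str, List[str]], index: str = "main", days: int = 30) -> str:
    """Turn extracted indicators into one SPL search over the past `days` days."""
    clauses = []
    for kind, fields in FIELD_MAP.items():
        values = ind.get(kind, [])
        if not values:
            continue  # skip indicator types the bulletin did not contain
        in_list = ", ".join(f'"{v}"' for v in values)
        clauses.append("(" + " OR ".join(f"{f} IN ({in_list})" for f in fields) + ")")
    if not clauses:
        return ""  # nothing to hunt for; the caller should skip the search
    return (f"search index={index} earliest=-{days}d ({' OR '.join(clauses)}) "
            "| stats count by sourcetype")

def teams_card(title: str, spl: str, hits: int) -> dict:
    """Legacy MessageCard payload accepted by an MS Teams incoming webhook."""
    return {"@type": "MessageCard", "@context": "https://schema.org/extensions",
            "summary": f"Hunt hit: {title}", "title": f"Indicator hunt: {title}",
            "text": f"{hits} matching event(s) found by the SPL below.",
            "sections": [{"facts": [{"name": "SPL", "value": spl}]}]}
```

Only post the card when the search returns hits; an empty SPL string means the bulletin carried no hunt-able indicators and the search should be skipped rather than run wide open.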

This has significantly reduced the amount of time we spend ‘hunting’ for indicators, so we can now focus more on the apex levels of David Bianco’s Pyramid of Pain. In a few days, I will be releasing the tool on my GitHub page. Follow me on GitHub if you are interested in this.

Want to watch a SANS talk regarding automating threat hunting workflows using a SOAR platform? Check out this talk by Christopher van der Made from SANS 2021 Threat Hunting Summit.


Alex John

Blue teamer, recovering automation junkie, aviation enthusiast & aspiring coffee sommelier.