Unlocking the Power of SIEM in Threat Hunting
11/06/2024
Analyzing security threats is a constant, ever-evolving job. Information from events and logs comes in many different forms, and insights you’ve discovered about actors and infrastructure in the past may not hold true today. This means analysts must not only organize the information they need, but also understand its historical context. Nothing does that better than a Security Information and Event Management (SIEM) platform.
SIEMs provide real-time analysis and integration of security alerts, and play a crucial role in detecting, analyzing, and responding to threats.
Challenges and considerations when using SIEMs
In threat investigations based on data from your SIEM, it’s crucial to focus on the data points that can lead to actionable insights. The problem is that certain relationships surfaced by automated tools (shared IPs, domains linked through common services, or compromised infrastructure) are often misleading or irrelevant. By understanding these limitations, you can eliminate dead-end investigations and ensure that time and resources are directed towards more meaningful and effective analysis.
Here are a few examples.
Malicious domains and IPs with sinkholes
When a malicious domain or IP address is identified, cybersecurity teams or law enforcement may “sinkhole” it, meaning they take control of it to prevent further malicious activity, redirecting it to a server that logs and analyzes any connections to it.
Open-source intelligence (OSINT) tools might show relationships between the sinkholed domain and other infrastructure. These relationships are usually not relevant to your investigation, because the linked domains and IPs are no longer under the adversary’s control; they are now part of the sinkhole infrastructure, so pivoting on them tells you about the sinkhole operator rather than the threat actor.
IP addresses belonging to VPNs and VPSs
IP addresses used by Virtual Private Networks (VPNs) and Virtual Private Servers (VPSs) are often shared among many users. This makes it difficult to attribute any specific activity to a particular user based on the IP alone. Shifting the investigation to focus on these shared IPs is usually not useful because the same IP might be used by different users for legitimate or malicious purposes. Therefore, it doesn’t provide actionable intelligence and could waste resources.
Third-party domain registrars
Third-party domain registrars like GoDaddy, Hover, and DreamHost manage domain name reservations for many different customers. If an adversary uses one of these services to register a domain, investigating other domains registered through the same service will rarely yield relevant information, as those domains are almost certainly unrelated to the threat.
Dynamic DNS (DDNS) usage
Dynamic DNS services allow a domain name to be mapped to different IP addresses over a short period, which makes it hard to track the true origin of the threat. Investigating the IP addresses linked to a DDNS domain is not effective, as these addresses change frequently and are not necessarily tied to the adversary.
Compromised legitimate sites
Sometimes, adversaries compromise legitimate websites to use them for command and control (C2), data exfiltration, or malware delivery. The registrant information of these compromised sites will belong to the legitimate site owner, not the attacker. Therefore, this information is not relevant to the investigation of the threat actor.
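The five dead-end categories above translate naturally into a triage step that runs before anyone spends SIEM time on a pivot. The following Python is an added example written for this post, not tooling from the original article: it tags each relationship an OSINT tool proposed with the reason it is a dead end (sinkhole range, shared VPN/VPS provider, third-party registrar, dynamic DNS zone, or a registrant pivot off a compromised legitimate site) and keeps only the rest. Every reference set and every pivot in it is a constructed placeholder (RFC 5737 test addresses, `.example` names, made-up ASN names); in practice those sets come from your own threat-intel feeds and enrichment data.

```python
"""Triage OSINT pivots before chasing them in the SIEM (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed reference data: placeholders standing in for real intel feeds.
SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.0/24")]           # known sinkhole ranges
SHARED_HOSTING_ASNS = {"EXAMPLE-VPN-AS", "EXAMPLE-VPS-AS"}        # VPN / VPS providers (made-up names)
SHARED_REGISTRARS = {"godaddy", "hover", "dreamhost"}             # registrars named in the post
DDNS_SUFFIXES = (".ddns.example", ".dyn.example")                 # dynamic DNS zones (placeholders)
COMPROMISED_LEGIT_SITES = {"news.example.org"}                     # legitimate sites abused as C2


@dataclass
class Pivot:
    """One relationship an OSINT tool proposed between a seed indicator and another artifact."""
    seed: str            # indicator the pivot was derived from
    kind: str            # "ip" or "domain"
    value: str           # the proposed related artifact
    relation: str        # how the tool linked it: resolves_to, same_registrar, same_registrant, ...
    asn_name: str = ""   # enrichment: owning network of an IP
    registrar: str = ""  # enrichment: registrar behind a same_registrar link


def dead_end_reason(p: Pivot) -> Optional[str]:
    """Return why this pivot is a known dead end, or None if it is worth following."""
    # Registrant data on a compromised legitimate site describes the victim, not the actor.
    if p.seed in COMPROMISED_LEGIT_SITES and p.relation == "same_registrant":
        return "compromised legitimate site: registrant is the site owner, not the actor"
    if p.kind == "ip":
        addr = ipaddress.ip_address(p.value)
        if any(addr in net for net in SINKHOLE_NETS):
            return "sinkhole: infrastructure is no longer adversary-controlled"
        if p.asn_name in SHARED_HOSTING_ASNS:
            return "shared VPN/VPS address: cannot be attributed to one user"
    if p.kind == "domain" and p.value.lower().endswith(DDNS_SUFFIXES):
        return "dynamic DNS: resolved addresses churn and are not tied to the actor"
    if p.relation == "same_registrar" and p.registrar.lower() in SHARED_REGISTRARS:
        return "third-party registrar: shared by many unrelated customers"
    return None


def triage(pivots: List[Pivot]) -> Tuple[List[Pivot], List[Tuple[Pivot, str]]]:
    """Split pivots into those worth a SIEM query and those dropped, each with its reason."""
    keep: List[Pivot] = []
    drop: List[Tuple[Pivot, str]] = []
    for p in pivots:
        reason = dead_end_reason(p)
        if reason:
            drop.append((p, reason))
        else:
            keep.append(p)
    return keep, drop


# Constructed sample: what an enrichment tool might hand back for two seed indicators.
SAMPLE_PIVOTS = [
    Pivot("evil.example", "ip", "192.0.2.10", "resolves_to"),
    Pivot("evil.example", "ip", "198.51.100.7", "resolves_to", asn_name="EXAMPLE-VPN-AS"),
    Pivot("evil.example", "domain", "other.example", "same_registrar", registrar="GoDaddy"),
    Pivot("evil.example", "domain", "c2.ddns.example", "same_ip"),
    Pivot("news.example.org", "domain", "blog.example.org", "same_registrant"),
    Pivot("evil.example", "ip", "203.0.113.5", "resolves_to", asn_name="EXAMPLE-DEDICATED-AS"),
    Pivot("evil.example", "domain", "evil-cdn.example", "same_tls_cert"),
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE_PIVOTS)
    for p, why in dropped:
        print(f"skip  {p.value:<20} {why}")
    for p in kept:
        print(f"query {p.value:<20} via {p.relation} from {p.seed}")
```

Only the dedicated-hosting address and the shared-certificate domain survive; everything else is logged with its reason, so the hunter still has a record of what was considered and why it was set aside.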
How to balance heuristics and details using SIEMs
Heuristics without details are ineffective, and details without heuristics are paralyzing. SIEMs let us combine the right details with the right heuristics, so threat hunters can take vast amounts of information and pare it down to the small number of key observations and artifacts they need to complete their investigation.
SIEMs collect and organize information in a way that lets threat hunters more easily extract the authentic observations needed for decision-making. Here are the key elements:
- Point of origin: SIEMs help establish where the information comes from, whether it’s security tools, event logs, or conclusions drawn from other information. Understanding the source is crucial for assessing the credibility and relevance of the data.
- Agent: In SIEMs, the agent refers to the entity initiating an action. This could be an IP address, a device, a file, a process, or a set of credentials. Identifying the agent helps in understanding who or what is behind an event or activity.
- Context: Context provides the circumstances surrounding an agent’s actions. SIEMs help correlate events with context, such as whether the behavior is normal or abnormal, the frequency of the events, and any evasion techniques used. This helps threat hunters assess whether an activity is benign or malicious.
- Effort: This refers to the specific behavior or action performed by the agent, such as an exploit, code execution, or an authentication process. SIEMs track these efforts to understand the tactics and techniques used by threat actors.
- Result: The result is the outcome of the effort, such as data exfiltration, credential compromise, or installation of a backdoor. SIEMs help in correlating the effort with its result to determine the impact of the threat.
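The five elements above are a data model as much as a mental one. The Python below is an added example, not code from the original post: it parses a handful of constructed key=value log lines into records with an explicit point of origin, agent, effort and result, derives context (how often this agent has performed this effort before, whether it is off-hours, whether the source IP is new), and then correlates an abnormal login effort with a later upload result for the same agent. The log format, the business-hours window, the 30-minute correlation window and the effort-to-impact mapping are all assumptions chosen for the demonstration.

```python
"""Origin / agent / context / effort / result over constructed SIEM events (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log lines in an assumed key=value format; not from any real product.
RAW_LOGS = [
    "2024-06-10T09:00:01Z src=auth-server user=jdoe ip=10.0.0.5 action=login result=success",
    "2024-06-10T09:05:00Z src=auth-server user=mroe ip=10.0.0.8 action=login result=failure",
    "2024-06-10T22:14:07Z src=vpn-gw user=svc_backup ip=203.0.113.9 action=login result=success",
    "2024-06-10T22:15:30Z src=edr host=fs01 user=svc_backup action=exec proc=powershell.exe result=success",
    "2024-06-10T22:20:11Z src=proxy user=svc_backup dst=203.0.113.77 action=upload bytes=734003200 result=success",
]

BUSINESS_HOURS = range(8, 18)                                   # assumed local working hours
IMPACT = {"upload": "possible data exfiltration"}              # assumed effort -> impact mapping


@dataclass
class Event:
    when: datetime
    origin: str                                  # point of origin: which source emitted it
    agent: str                                   # entity initiating the action (user, else IP)
    effort: str                                  # the action performed
    result: str                                  # outcome reported by the source
    fields: Dict[str, str]                       # remaining key=value pairs
    context: Dict[str, object] = field(default_factory=dict)


def parse(line: str) -> Event:
    """Turn one key=value log line into an Event with the five elements separated."""
    ts, *kvs = line.split()
    f = dict(kv.split("=", 1) for kv in kvs)
    return Event(
        when=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        origin=f.pop("src"),
        agent=f.get("user") or f.get("ip", "unknown"),
        effort=f.pop("action"),
        result=f.pop("result"),
        fields=f,
    )


def context_for(ev: Event, history: List[Event]) -> Dict[str, object]:
    """Context from this agent's earlier events: frequency, time of day, first-seen source IP."""
    prior = sum(1 for h in history if h.effort == ev.effort)
    seen_ips = {h.fields.get("ip") for h in history if h.fields.get("ip")}
    ip = ev.fields.get("ip")
    return {
        "prior_count": prior,
        "off_hours": ev.when.hour not in BUSINESS_HOURS,
        "new_ip": ip is not None and ip not in seen_ips,
    }


def correlate(lines: List[str], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Link an impactful result back to the abnormal login effort that preceded it."""
    events = sorted((parse(l) for l in lines), key=lambda e: e.when)
    by_agent: Dict[str, List[Event]] = defaultdict(list)
    findings: List[dict] = []
    for ev in events:
        ev.context = context_for(ev, by_agent[ev.agent])
        by_agent[ev.agent].append(ev)
        if ev.effort not in IMPACT or ev.result != "success":
            continue
        login: Optional[Event] = next(
            (h for h in reversed(by_agent[ev.agent])
             if h.effort == "login" and h.result == "success" and ev.when - h.when <= window),
            None,
        )
        if login and (login.context["off_hours"] or login.context["new_ip"]):
            chain = [h for h in by_agent[ev.agent] if login.when <= h.when <= ev.when]
            findings.append({
                "agent": ev.agent,
                "origins": [h.origin for h in chain],      # every source that contributed
                "chain": [h.effort for h in chain],        # efforts in order
                "login_context": login.context,
                "result": IMPACT[ev.effort],
                "bytes": int(ev.fields.get("bytes", 0)),
            })
    return findings


if __name__ == "__main__":
    for f in correlate(RAW_LOGS):
        print(f"{f['agent']}: {' -> '.join(f['chain'])} => {f['result']} ({f['bytes']} bytes)")
```

The daytime login by `jdoe` produces no finding because no impactful result follows it; the `svc_backup` login is flagged as off-hours and from a first-seen IP, and the upload six minutes later is tied back to it across three different points of origin. That chain of origin, agent, context, effort and result is what the hunter takes forward, rather than three unrelated alerts.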
The beauty of SIEMs is the ability to organize and correlate data in a way that allows threat hunters to focus on the most relevant information, facilitating quicker and more effective threat detection and response.
Contact us today to learn how to unlock the full potential of your SIEM in threat hunting.