March 18, 2019 / by Cheryl Dsa / In siem , security-analytics /

Top takeaways from our first DNIFKonnect meetup

  • Do you feel comfortable with threat hunting?
  • Do you feel enough time is spent searching for emerging and advanced threats in your security operations center (SOC)?
  • Does your security team currently use a threat hunting platform?
  • If you don’t have a threat hunting program in place already, are you planning on building one in the next two or three years?

If your answer to any of these questions was “no” or “not really,” then this post is just for you. With the amount of malware and other attacks in the wild constantly on the rise, relying on detection and other threat management methods isn’t enough. You need to actively seek out anomalies in your network.

Attackers are evolving technologically at an alarming rate. They have smarter ways to execute even well-known attacks to penetrate your network without being detected. Consider a common brute-force attack: it can be easily identified with the right detection tools when the number of failed logins for a particular user exceeds a certain threshold, but what if these login attempts are spread out? They may appear to be normal failed logins from the legitimate account owner, as they’ll be well within the threshold. The attacker will thus avoid generating an alert. Sooner or later, the attacker will acquire the credentials to the account and gain access to the account owner’s information.
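As an added illustration of the point above (example code written for this recap, not the presenter's or DNIF's), here is a classic sliding-window threshold rule next to a longer-horizon hunting check, both run over constructed login records; the user names, IP addresses and thresholds are made up:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Parse a constructed auth-log line: '<ISO timestamp> <user> <src ip> <FAIL|OK>'."""
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "ok": result == "OK"}

def sliding_window_alerts(events, max_failures, window):
    """Classic correlation rule: alert on a user whose failed logins inside any
    `window` exceed `max_failures`. Events are processed in time order."""
    recent, alerted = defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            alerted.add(e["user"])
    return alerted

def success_after_failures(events, min_failures, window):
    """Hunting view: a successful login preceded by at least `min_failures`
    failures for the same user within `window`, however slowly they arrived."""
    fails, hits = defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            fails[e["user"]].append(e["ts"])
        elif sum(1 for t in fails[e["user"]] if e["ts"] - t <= window) >= min_failures:
            hits.add(e["user"])
    return hits

def build_sample_events():
    """Constructed sample data (not from the post): alice mistypes her password three
    times in a week; bob is guessed at once every 30 minutes for a week and then the
    guesser gets in, so no 5-minute slice ever holds more than one failure for bob."""
    start, lines = datetime(2019, 3, 11), []
    for day, hour in [(0, 9), (2, 14), (5, 8)]:
        lines.append(f"{(start + timedelta(days=day, hours=hour)).isoformat()} alice 10.0.0.5 FAIL")
    for i in range(7 * 48):
        lines.append(f"{(start + timedelta(minutes=30 * i)).isoformat()} bob 203.0.113.7 FAIL")
    lines.append(f"{(start + timedelta(days=7)).isoformat()} bob 203.0.113.7 OK")
    return [parse_line(l) for l in lines]

def compare():
    """Return (users flagged by the 5-in-5-minutes rule, users flagged by the hunting view)."""
    events = build_sample_events()
    return (sliding_window_alerts(events, max_failures=5, window=timedelta(minutes=5)),
            success_after_failures(events, min_failures=20, window=timedelta(hours=24)))
```

The threshold rule returns an empty set for both users, while the 24-hour view flags bob: the spread-out guesses only become visible when the aggregation window is widened past what a per-minute correlation rule looks at.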

These attacks can be difficult to detect, particularly if they’re carried out using different approaches each time. To stay on top of new threats, you need to actively seek out intruders in your network and identify threats before they have a chance to cause any damage.

The old approach to threat management

Traditional SIEM platforms can be useful for detecting known outliers; however, they cannot cope with today’s ever-evolving attacks. In order to understand the importance of saying goodbye to the old and hello to the new, we had our very first virtual meetup, #DNIFKonnect, to explore the new world of cyberdefense. We were extremely excited to have Ankit Bose (@ionbasket), an associate at PwC (PricewaterhouseCoopers), Kolkata, with us to shed some light on why old-school methods of threat hunting are dying, and what kind of new approaches we need to adopt to keep up with these growing attacks.

A major drawback of the old approach is that traditional SIEM (security information and event management) platforms are based on correlational engines that generate threshold-based alerts. This brings us to a second problem: the threshold-based approach is limited to detecting known, well-understood threats. If an attacker tries an unforeseen strategy, your software will detect nothing, and you will suspect nothing. These threats leave us with the unenviable task of setting thresholds to detect things we can’t see and don’t understand.

Another area where the old system fails is query response times. Suppose you’ve been asked for last week’s log report. That report would probably take a minimum of five hours to generate — that’s if you’re lucky, and if your SIEM tool is optimized. Cumbersome operations like this one take up a lot of time that could be better spent on other tasks. How much time do you spend like this daily, just fetching logs?

A threat, once detected, has to then be validated against threat intelligence feeds from third party vendors. Instead of manually gathering these feeds from separate platforms, why not have them integrated into your security tools? Once integrated, you no longer need to gather threat intelligence feeds, and the entire task of validating threats can be easily automated. This saves analysts valuable hours of their day that they would otherwise spend validating pools of alerts.

old way of threat hunting

Ankit explained these drawbacks of the old approach to threat hunting before showing us the new approach, using data enrichment tools to reduce search times and detect outliers. These tools can automatically retrieve threat intelligence feeds from such sources as the Kaspersky Threat Intelligence Portal. Thanks to these security orchestration and automation tools, analysts can now spend more time on actual investigations and less time on everyday, repetitive tasks.

new approach to threat hunting

Attacks and how to detect them

Ankit had an extremely interesting take on attacks like slow brute-forcing. He came up with some really cool names for these attacks that double as hints for understanding how they work:

  • “Shawshank Redemption”: slow brute-force attacks
  • “The Italian Job”: DNS tunneling
  • “The Mask”: DGA-equipped malware

You can try to guess how he settled on these names, or — better yet — you can catch the entire session right here.

Not only did he show us what these attacks are and how they work, but he also gave a complete demonstration of how you can detect them using a modern approach to threat hunting on the DNIF platform.

Sessions from the DNIF team’s finest

Talented members of our own domain engineering and product teams also held a series of interesting demonstrations.

Creating widgets using threat intel feeds

Lenora Agnel, a talented, young security analyst at DNIF, demonstrated how to create different types of widgets on the DNIF console using threat intelligence feeds from integrated threat intelligence providers.

DNIF has several plugins that enrich your log data with information from threat intelligence feeds, making it easy to validate suspicious data. Using the widget feature for threat intel feeds on the DNIF platform, you can also create different types of widgets to better visualize your data: get exact locations for hits on your intel data, and view charts by physical location, source country and IP address. Watch the entire demo here.

Discovering nonstandard hosts using checkif functionality in DNIF

Ravidutt Purwal (@Mr_Intrusionist), another one of our strong, talented security analysts, demonstrated how to apply conditional logic to your data using the checkif directive in DNIF. Watch Ravidutt’s demo to see how you can use the checkif directive to compare incoming data to an arbitrary string or regular expression and take an action if a match is found.

What’s next at DNIF?

Apoorv Parvatikar (@aBytes), Engineering and Product Architect at DNIF, gave us a ton to look forward to with the roadmap set for DNIF.

SOC analysts have to deal with so many tools with disparate architectures, and handling all the different components of these tools can be a tedious task. We decided to create a solution to make things easier for you, and the DNIF Command Control (DCC) will help you do just that. It diagnoses issues, detects faults and delivers results. The DCC will streamline your entire management process, automate all your checks and fixes, and much more. There’s also a new feature coming soon that’ll enable you to cross-connect all systems from a single host. For instance, from the data store, you’ll be able to check what’s going on in the adaptor or the correlator, what reports are in the queue and what logs are coming in. All this will be possible with the help of the DCC; most importantly, it’ll be compatible across all versions of DNIF. The next version of DNIF that we’re coming out with is v8.1.0, with a cool feature called case management (you’re going to love that!) and a lot of enhancements.

But that’s not all — the session welcomed everyone to submit their own requests for features that they would like to see in DNIF in the near future, helping to build an innovative roadmap for DNIF. We’d love to hear from you about any new features you think would enhance DNIF, and if you have any questions, ask away on our forum.

We’re all geared up for our next DNIF Konnect meetup on April 4, 2019; make sure you register for it here. Key talking points include:

  • Identify suspicious domains with integrated threat intelligence.
  • Validate these domains with a threat validation plugin like Domain Tools.
  • Block malicious domains and IP addresses automatically on a firewall.
  • Automate the above steps: threat detection, validation and response.