Operationalizing Threat Intelligence for Cybersecurity Breach Detection & Analytics

On the assumption that attackers have already found a way into the network, Breach Analytics in Lumeta Spectre (formerly ESI) will monitor the network in real time for the telltale signs of nefarious activity, and then prioritize findings for investigation and action. Threat intelligence is made actionable by utilizing existing capabilities of Lumeta Spectre to correlate a comprehensive index of an enterprise’s IP address space against known threats, as new threat intelligence becomes available and as new devices connect to the network.Threat Flows – NetFlow Correlation to Malware C2 Sespectre-breachrvers

  • Determine if cyber controls are preventing malware call back, C2 channels, and data exfiltration.
  • Lumeta SpectreI ingests NetFlow traffic from the enterprise network as well as external intelligence feeds, and executes real-time correlation between them.
  • Lumeta Spectre with NetFlow ingestion allows real-time and forensic analysis of actual conversations occurring between devices on your network and known bad actor IP addresses supplied by an ingested threat feed. Spectre validates communications are occurring from specific devices inside your network to these addresses now, or when those communications occurred historically.

 

Zombie/Bot Hunting

  • Determine whether or not any trusted/enterprise assets are malware infected infrastructure (participating in C2 botnet) or part of blacklists / Dropnets / Shadowserver / attacker lists.
  • Lumeta Spectre correlates its full index of the enterprise IP address space against known bad IP addresses to find enterprise assets that are blacklisted (listed in threat intelligence as malware/botnet machines). It raises a flag regarding any potentially compromised machines.

 

Internal Use/Accessibility of Known Trojan/Malware Ports

  • Determine whether or not any trusted/enterprise assets are utilizing ports known to be associated with Trojans, malware, and attack lateralization.
  • Lumeta Spectre parses open source and closed source intelligence feeds and repositories to enumerate known bad ports and services. It then performs Spectre Port Discovery scans internally against that port list. Open bad ports indicate possible malware is running on the system. Closed ports may indicate steganography based port knocking exists.

 

Identification of Internal TOR Relays/Bridges

  • Determine whether or not any trusted/enterprise assets are acting as current or past TOR relays/bridges, potentially for nefarious purposes.
  • Lumeta Spectre correlates its full index of the enterprise IP address space against TOR relay IP addresses to find enterprise assets that are listed as an active (or historical) TOR relay. It flags devices that are behaving as relays/bridges.

Read more in our Lumeta Solution Brief: Real-Time Network Behavior Analytics and Cybersecurity Breach Detection