Operationalizing Threat Intelligence for Cybersecurity Breach Detection & Analytics

Assuming that attackers have already found a way into the network, Breach Analytics in Lumeta ESI monitors the network in real time for the telltale signs of malicious activity and then prioritizes findings for investigation and action. Threat intelligence is made actionable by using existing Lumeta ESI capabilities to correlate a comprehensive index of the enterprise's IP address space against known threats, both as new threat intelligence becomes available and as new devices connect to the network.

Threat Flows – NetFlow Correlation to Malware C2 Servers

  • Determine whether existing cyber controls are preventing malware call-back, C2 channels and data exfiltration.
  • Lumeta ESI ingests NetFlow from the enterprise network as well as external intelligence feeds, and correlates the two in real time.
  • With NetFlow ingestion, Lumeta ESI supports both real-time and forensic analysis of the actual conversations taking place between devices on your network and the known bad-actor IP addresses supplied by an ingested threat feed. ESI shows which specific devices inside your network are communicating with those addresses now, and when such communications occurred historically. Two practical notes: NetFlow only records conversations that crossed an exporting device, so coverage follows your exporter placement; and a hit against a feed address still needs triage, since feeds routinely contain shared hosting, CDN and sinkhole addresses that legitimate traffic also reaches.

Zombie/Bot Hunting

  • Determine whether any trusted/enterprise assets are malware-infected infrastructure (participating in a C2 botnet) or appear on blacklists / Dropnets / Shadowserver / attacker lists.
  • Lumeta ESI correlates its full index of the enterprise IP address space against known bad IP addresses to find enterprise assets that are blacklisted (listed in threat intelligence as malware or botnet machines), and flags each potentially compromised machine. Note that such listings name the address seen on the Internet; for hosts behind NAT that is the shared egress address, and the infected host still has to be located behind it.

Internal Use/Accessibility of Known Trojan/Malware Ports

  • Determine whether any trusted/enterprise assets are using ports known to be associated with Trojans, malware and lateral movement.
  • Lumeta ESI parses open-source and closed-source intelligence feeds and repositories to enumerate known bad ports and services, then runs ESI Port Discovery scans internally against that port list. An open port from the list means something is listening there and possibly that malware is running on the system; since legitimate software also reuses such port numbers, confirm what the listener is before acting. A closed port does not clear the host either: some backdoors keep their port closed until a port-knocking sequence is received.

Identification of Internal TOR Relays/Bridges

  • Determine whether any trusted/enterprise assets are acting, or have acted, as TOR relays/bridges, potentially for nefarious purposes.
  • Lumeta ESI correlates its full index of the enterprise IP address space against TOR relay IP addresses to find enterprise assets listed as an active (or historical) TOR relay, and flags devices that are behaving as relays/bridges.
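The three correlations described above (NetFlow against a C2 feed, the enterprise address index against botnet blocklists, and the same index against a TOR relay list) are one operation over a shared indicator index: build the index from the feed, then look up every flow peer and every inventoried address in it. The following is an added Python example, not Lumeta code; the feed entries, flow records and asset list are constructed from RFC 5737 documentation addresses, and the enterprise address space, the flow tuple layout and the category names are assumptions. It also shows the historical case from the Threat Flows section: a newly listed address is re-checked against stored flows.

```python
import ipaddress
from datetime import datetime, timedelta, timezone


class IndicatorIndex:
    """Threat-feed index: exact addresses in a dict, CIDR entries in a list."""

    def __init__(self):
        self._hosts = {}   # ip_address -> set of categories
        self._nets = []    # (ip_network, category) for prefix-sized entries

    def add(self, category, entry):
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            self._hosts.setdefault(net.network_address, set()).add(category)
        else:
            self._nets.append((net, category))

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        cats = set(self._hosts.get(ip, ()))
        cats.update(cat for net, cat in self._nets if ip in net)
        return cats


# Assumed enterprise address index: internal 10/8 plus a public /24 (documentation range).
ENTERPRISE_SPACE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def is_enterprise(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ENTERPRISE_SPACE)


def correlate_flows(flows, index, now, recent=timedelta(hours=1)):
    """Threat Flows: flag each flow whose external peer is a listed indicator.

    flows are (timestamp, src, dst, dst_port, proto) tuples as a NetFlow collector
    would hand them over. 'live' marks flows within `recent` of `now`; older hits
    are the forensic/historical case.
    """
    findings = []
    for ts, src, dst, dport, proto in flows:
        for asset, peer in ((src, dst), (dst, src)):
            if not is_enterprise(asset) or is_enterprise(peer):
                continue   # only enterprise <-> external conversations matter here
            cats = index.lookup(peer)
            if cats:
                findings.append({"asset": asset, "peer": peer, "dport": dport, "proto": proto,
                                 "categories": sorted(cats), "ts": ts, "live": now - ts <= recent})
    return findings


def correlate_assets(asset_ips, index):
    """Zombie/bot and TOR-relay hunting: which enterprise addresses appear in the feed?"""
    hits = {}
    for ip in asset_ips:
        cats = index.lookup(ip)
        if cats:
            hits[ip] = sorted(cats)
    return hits


# Constructed feed (RFC 5737 documentation addresses, not real indicators).
FEED = [("c2", "203.0.113.7"), ("c2", "198.51.100.0/28"),
        ("botnet", "192.0.2.44"), ("tor_relay", "192.0.2.200")]
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
# Constructed flow records: (timestamp, src, dst, dst_port, proto).
FLOWS = [
    (NOW - timedelta(minutes=5), "10.1.2.3", "203.0.113.7", 443, "tcp"),    # live contact with a C2 host
    (NOW - timedelta(days=3), "10.1.2.9", "198.51.100.5", 8080, "tcp"),     # three days old, inside a C2 /28
    (NOW - timedelta(minutes=1), "10.1.2.3", "203.0.113.99", 443, "tcp"),   # external peer not (yet) listed
    (NOW - timedelta(minutes=2), "10.1.2.3", "10.1.5.5", 445, "tcp"),       # internal-only, ignored
]
# Constructed asset inventory (the enterprise's own address index).
ASSETS = ["192.0.2.10", "192.0.2.44", "192.0.2.200", "10.1.2.3"]


def build_index(feed=FEED):
    idx = IndicatorIndex()
    for category, entry in feed:
        idx.add(category, entry)
    return idx


def run(feed=FEED, flows=FLOWS, assets=ASSETS, now=NOW):
    idx = build_index(feed)
    return correlate_flows(flows, idx, now), correlate_assets(assets, idx)


def recheck_after_feed_update(new_entries, flows=FLOWS, now=NOW):
    """New intelligence arrives: re-run stored flows so older traffic to a newly listed host surfaces."""
    idx = build_index()
    for category, entry in new_entries:
        idx.add(category, entry)
    return correlate_flows(flows, idx, now)


if __name__ == "__main__":
    flow_hits, asset_hits = run()
    for f in flow_hits:
        print(f"{'LIVE' if f['live'] else 'HIST'} {f['asset']} -> {f['peer']}:{f['dport']} {f['categories']}")
    print("listed assets:", asset_hits)
    print("after feed update:", len(recheck_after_feed_update([("c2", "203.0.113.99")])), "flow hits")
```

The index keeps single addresses in a dictionary and prefixes in a list so that a feed mixing /32 entries with whole netblocks (as DROP-style lists do) is still cheap to query; at real feed sizes the prefix list would move to a radix tree, but the correlation logic does not change.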

Read more in our Lumeta Solution Brief: Real-Time Network Behavior Analytics and Cybersecurity Breach Detection

Cyber Threat Probe

Lumeta IPsonar includes a Cyber Threat Probe plugin that covers many of the same use cases as above; the difference is that Lumeta IPsonar works in scans rather than in the "always on" real-time mode of Lumeta ESI. Using the Cyber Threat Probe can help you stem zombie infections and keep other threats and bad actors in check. With the Cyber Threat Probe, threat intelligence is made actionable by using existing IPsonar capabilities to correlate a comprehensive index of the enterprise's IP address space against known threats. As soon as new threat intelligence becomes available, IPsonar reports against the new threats and sends out notifications.

Zombie/Bot Hunting

  • Determine whether any trusted/enterprise assets are malware-infected infrastructure (participating in a C2 botnet) or appear on blacklists / Dropnets / Shadowserver / attacker lists.
  • The Cyber Threat Probe correlates IPsonar's full index of the enterprise IP address space against known bad IP addresses to find enterprise assets that are blacklisted (listed in threat intelligence as malware or botnet machines), and flags each potentially compromised machine.

Identification of Internal TOR Relays/Bridges

  • Determine whether any trusted/enterprise assets are acting, or have acted, as TOR relays/bridges, potentially for nefarious purposes.
  • The Cyber Threat Probe correlates IPsonar's full index of the enterprise IP address space against TOR relay IP addresses to find enterprise assets listed as an active (or historical) TOR relay, and flags devices that are behaving as relays/bridges.

Validation of No Access to Known Malware C2 Servers

  • Determine whether active security controls prevent malware callback and data exfiltration to known botnet / command and control (C2) networks and servers.
  • The Cyber Threat Probe ingests threat intelligence feeds and uses that information as the target list for IPsonar, which then tests whether it can reach the known C2 infrastructure. If those machines can be reached, a red flag is raised. The result only reflects the egress controls that apply to the scanner's own network position, so place the probe in each segment whose controls you want to validate.

Validation of No Access to Known TOR Exit Nodes

  • Determine whether active security controls prevent call-back to TOR exit nodes.
  • The Cyber Threat Probe ingests threat intelligence feeds and uses that information as the target list for IPsonar, which then tests whether it can reach known TOR exit nodes. If those nodes can be reached, a red flag is raised.

Internal Use/Accessibility of Known Trojan/Malware Ports

  • Determine whether any trusted/enterprise assets are using ports known to be associated with Trojans, malware and lateral movement.
  • The Cyber Threat Probe parses open-source and closed-source intelligence feeds and repositories to enumerate known bad ports and services, then runs IPsonar Service Discovery scans internally against that port list. An open port from the list means something is listening there and possibly that malware is running on the system; confirm the listener before acting, because legitimate software reuses such port numbers. A closed port does not clear the host: some backdoors keep their port closed until a port-knocking sequence is received.
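Both the bad-port scan (Internal Use/Accessibility of Known Trojan/Malware Ports, in the ESI section above and here) and the two egress checks (Validation of No Access to Known Malware C2 Servers, Validation of No Access to Known TOR Exit Nodes) come down to one primitive, a TCP connect probe, interpreted two ways: an internal host answering on a listed port is a finding, and an external target answering at all is a failed control. The following is an added Python example, not Lumeta code; the port list is constructed and hypothetical, and the demo stands in local listeners for the internal host and for the C2/exit-node targets so that it runs offline. It keeps the three outcomes a practitioner needs to tell apart (open, closed by RST, filtered by timeout) rather than collapsing them to open/closed.

```python
import socket
import threading

# Constructed port list (hypothetical; a real feed is longer and should be refreshed).
SUSPECT_PORTS = {
    4444: "common reverse-shell / Metasploit default",
    31337: "Back Orifice (historical)",
    12345: "NetBus (historical)",
}


def probe_tcp(host, port, timeout=1.0):
    """One TCP connect probe.

    'open'        handshake completed: something is listening (or a control accepted it)
    'closed'      RST received: no listener, or a control that rejects
    'filtered'    no reply before timeout: typical of a control that drops
    'unreachable' no route at all (e.g. egress has no path to that network)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def scan_suspect_ports(host, ports=SUSPECT_PORTS, timeout=1.0):
    """Internal use of known malware ports: returns {port: state}. Treat 'open' as a
    finding to triage, and do not treat 'closed' as a clean bill: a port-knocking
    backdoor stays closed until it sees its knock sequence."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def validate_egress(targets, timeout=2.0):
    """Egress validation against a C2 / exit-node target list: any completed connection
    means the control failed. A result only speaks for the probe's own network position,
    so run it from each segment whose controls you want to test."""
    results = {}
    for host, port in targets:
        state = probe_tcp(host, port, timeout)
        results[(host, port)] = "REACHABLE - control failed" if state == "open" else f"blocked ({state})"
    return results


def start_listener(host="127.0.0.1"):
    """Local throwaway listener on an ephemeral port so the demo has a real 'open' port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:   # raised once srv is closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """Pick a port with no listener so the demo also has a 'closed' result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    # Stand-in for an enterprise host with a simulated implant listening on a listed port.
    print(scan_suspect_ports("127.0.0.1", {open_port: "simulated implant", closed_port: "no listener"}))
    # Stand-in for a C2 / TOR exit-node target list; here both targets are local.
    print(validate_egress([("127.0.0.1", open_port), ("127.0.0.1", closed_port)]))
    srv.close()
```

Against real targets, expect 'filtered' from a control that silently drops and 'closed' from one that sends RST; both count as blocked for the egress check, but the distinction matters when a probe is reported as blocked from one segment and reachable from another.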

Read more in our Lumeta Solution Brief: Operationalizing Threat Intelligence using Lumeta IPsonar plus Cyber Threat Probe