Improving Threat Detection Using LogRhythm SmartResponse with Lists to Monitor IOCs


As a security professional, you know all too well the need to continually improve your threat detection techniques and skill set. With today’s expanding attack surface and hackers becoming more sophisticated in their infiltration methods, building a stronger defense is crucial.

In this blog, let’s dive into several use cases for improving your threat detection techniques using LogRhythm’s SmartResponse™ with lists to monitor Indicators of Compromise (IOCs).

Overcoming Threat Detection Challenges

You have just received an alarm for suspicious activity related to a user’s web traffic. You’ve made a case and initiated your Malware Compromise Playbook. You continue to investigate the other events, traffic, and behavior, but no further IOCs have presented themselves.

What happens next? We know that malicious code may not always present itself immediately upon execution and may also lie dormant on the endpoint for a period of time: a day, a week, maybe a month. Adding to the challenge, you may not have complete visibility into the endpoint’s local system activities to draw the necessary conclusions.

If you haven’t built any automation or intelligence around monitoring these scenarios, then you’re likely lagging behind and relying on targeted recurring reports, dashboards, or saved searches to get updates on the endpoint or user’s activity, all of which greatly delay your detection and response times. In some cases, you might have other high-confidence AI Engine alarms that indicate something worse, but by then, it’s too late. In those situations, it’s also likely that other, less notable events or correlations are occurring for your users and assets, but without linking the early indicators of compromise to subsequent events, the persistent threat may not be immediately obvious.

This is where the importance of IOC Inspect comes into play.

What is IOC Inspect?

IOC Inspect is a community-developed module that helps simplify monitoring assets, users, and their activity after initial indicators of compromise.

The module comprises a set of AI Engine rules, Lists, and a SmartResponse that work together to streamline threat detection and monitoring after an initial IOC has been identified, such as when a computer or user has communicated with high-confidence threat intelligence data and no further indicators of compromise present themselves (e.g., domains, URLs, addresses, or the execution of a suspicious new file hash with unusual characteristics).

Download IOC Inspect Shareable

Threat Detection Use Cases

Use Case 1: Detecting Abnormal Behavior with IP Addresses

Your company has noticed persistent and aggressive scanning of your public IP address space by external IP addresses over the week. You’ve raised the concern and implemented some firewall policies to drop the traffic, but you’d like some additional peace of mind. Wouldn’t you like to be readily alerted if any of your assets show suspicious activity involving these external IP addresses? Instead of going through the workflow to create a specific alarm or rule for this scenario, you can use IOC Inspect to do the heavy lifting.

By leveraging SmartResponse, you can add a comma-separated list of IP addresses to the module’s observation lists in a single submission. The backend AI Engine rules and LogRhythm Lists are all established to work together. Once you add the external actor’s IP addresses through SmartResponse, IOC Inspect will trigger an alarm if any asset within your environment signals a suspicious event with this external actor.

This scenario can be applied in multiple ways. The external actor doesn’t need to be represented as an IP address, as expressed in this example. The same capability can be applied to Domain Names or URLs.

Use Case 2: Detecting Phishing Emails

A number of your staff have reported a similar phishing email. After your security analysts investigate, they determine that the links and/or files are all strong indicators of malicious intent, whether it’s for capturing credentials or something even more mischievous, such as planting malicious code on the endpoint.

So far there hasn’t been any evidence of attempted or blocked access to the indicators, but you want to keep an eye on it over the next week to see if anything comes up should the email or campaign reach other users. Using the IOC Inspect SmartResponse plugin, you execute the Add URL and Domain functions to add the indicators to the applicable lists to monitor for further attempted use or access.

The next day, the IOC Inspect Watched IOC URL/Domain AI Engine rules notify you of attempted access by another employee. The AI Engine rules’ custom SmartResponse actions also add the endpoint, user, and IP address details to the IOC Inspect lists to keep a closer eye on that host’s activity for the predefined period of time.

Shortly after the endpoint and user identifiers are added to the watch lists, the user’s computer also starts displaying behaviors caught by the IOC Watchlist. By themselves, the behaviors aren’t alarming, but in the context of the situation, they raise enough concern to initiate the LogRhythm SOAR capabilities.

A case is created and you execute the applicable Playbook for the given scenario. After isolating the host and further analyzing the threat, you identify that the threat had changed its attack vector slightly. Not only were they using suspicious links, but they attached a maliciously crafted document used to grant access to the endpoint which the user also opened after receiving the email.
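
The correlation described in Use Case 2, and the comma-separated IP submission from Use Case 1, sketched as an added Python example. It is a conceptual model, not LogRhythm or IOC Inspect code; the class and function names, alarm strings, seven-day expiry, hostnames, domain, and rule name are all assumptions or constructed sample values.

```python
import ipaddress
from datetime import datetime, timedelta

ACTOR_FIELDS = ("host", "user", "ip")

class WatchLists:
    """Conceptual model of expiring observation lists (not LogRhythm code)."""
    def __init__(self, ttl_days=7):  # expiration period: assumed value
        self.ttl, self.entries = timedelta(days=ttl_days), {}  # (kind, value) -> expiry
    def add(self, kind, value, now):
        self.entries[(kind, str(value).strip().lower())] = now + self.ttl
    def add_ip_csv(self, csv, now):  # one comma-separated submission
        rejected = []
        for item in filter(None, (s.strip() for s in csv.split(","))):
            try:
                self.add("ip", ipaddress.ip_address(item), now)
            except ValueError:
                rejected.append(item)  # malformed entries never reach the list
        return rejected
    def watched(self, kind, value, now):
        expiry = self.entries.get((kind, str(value).strip().lower()))
        return expiry is not None and now < expiry  # expired entries stop matching

def evaluate(event, lists, rule_whitelist, now):
    """Return an alarm name, or None when nothing watched is involved."""
    # IOC rules: access to a watched domain/URL alarms and puts the actor on watch.
    for kind in ("domain", "url"):
        if event.get(kind) and lists.watched(kind, event[kind], now):
            for field in ACTOR_FIELDS:
                if event.get(field):
                    lists.add(field, event[field], now)
            return f"Watched IOC {kind} access"
    # Continued-activity rules: whitelisted rule firing for a watched actor.
    if event.get("rule") in rule_whitelist:
        for field in ACTOR_FIELDS:
            if event.get(field) and lists.watched(field, event[field], now):
                return f"Watched {field} continued IoC activity"
    return None

def run_demo():  # constructed timeline following Use Case 2
    t0, day, wl = datetime(2024, 1, 1), timedelta(days=1), {"Long Running Session"}
    lists = WatchLists()
    lists.add("domain", "login-portal.example", t0)
    click = {"domain": "login-portal.example", "host": "ws-042", "user": "jdoe"}
    beacon = {"rule": "Long Running Session", "host": "ws-042"}
    return [evaluate(click, lists, wl, t0 + day),       # IOC access, host now watched
            evaluate(beacon, lists, wl, t0 + 2 * day),  # watched host, whitelisted rule
            evaluate({**beacon, "host": "ws-077"}, lists, wl, t0 + 2 * day),  # unwatched
            evaluate(beacon, lists, wl, t0 + 9 * day)]  # watch entry has expired
```

The second event alarms only because the first one placed ws-042 on the watch list; the same rule on an unwatched host, or after the entry expires, stays quiet in this model.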

Get Started with the IOC Inspect Shareable

Now that we have explored some in-depth scenarios, here’s how you can get started with the IOC Inspect Shareable.


  1. Log in to the LogRhythm Community, then head over to the SmartResponse Shareables article IOC Inspect – Using LogRhythm’s SmartResponse™ with lists to monitor Indicators of Compromise (IOCs).
  2. Download and extract the IOC Inspect content to a folder of your choosing. The content includes:
    • SmartResponse Build Scripts
    • Smart Response Plugin Guide
  3. Define appropriate list expiration periods for the dynamic list entries. This value helps reduce long-term maintenance by automatically removing monitored list entries after the expiration period ends; see the list criteria for recommendations.
  4. Create each of the AI Engine Rules as per the AI Engine Rule Criteria section.
    • Watched Email Sender Continued IoC Activity
    • Watched Host (Impacted) Continued IoC Activity
    • Watched Host (Origin) Continued IoC Activity
    • Watched Hostname (Impacted) Continued IoC Activity
    • Watched Hostname (Origin) Continued IoC Activity
    • Watched IP (Impacted) Continued IoC Activity
    • Watched IP (Origin) Continued IoC Activity
    • Watched IOC Domain Name Access Attempt
    • Watched IOC URL Accessed
  5. Update the list Watchlist IoC AI Engine Rules Whitelist to include applicable AI Engine Rules to help identify further IOC activity. This list acts as the Primary Criteria filter for 7 of the 9 rules, which helps simplify maintenance.
    • These rules are intended to give further insight into future IOC activity for the user, email, IP, domain, URL context you add to the watch lists.
    • Go through your AI Engine rules and include those that would raise any flags such as C2 activity, long-running sessions, connections on high ports to foreign countries, suspicious file access patterns, or any activity you may or may not already be alarming on.
    • If you don’t have many AI Engine rules, check out LogRhythm’s existing threat detection modules found in the Knowledgebase Manager and their accompanying setup guides to build your foundations for threat detection and response.
  6. Customize the rule block’s Primary Criteria for the AI Engine Rules Watched IOC Domain Name Access Attempt and Watched IOC URL Accessed so that they align with where your log sources place URL and domain name information in the logs (e.g., Domain Impacted, URL, Hostname Impacted, Object). Then update the applicable Log Sources so that the AI Engine rules watch only relevant data, such as DNS Server or Web Proxy log sources.
  7. Complete all steps outlined in the SmartResponse plugin setup guide.

There are many other ways to improve your daily security operations center workflows using LogRhythm’s SmartResponse automation, AI Engine Rules, and Lists.

What are some ways you’ve used these features to improve efficiencies in your organization?