When high-profile threats surface, they are often accompanied by a flurry of information sharing from security researchers and practitioners. The information they share can be delivered in a variety of formats. For example, following the recent malware activity surrounding the COVID-19 outbreak, you could obtain indicators of compromise (IOCs) from places such as:
Additional COVID-19 resources can be found at the end of this post.
If the IOCs are available in a STIX/TAXII feed, LogRhythm customers can use the LogRhythm Threat Intelligence Service (TIS) to ingest them. If the IOCs are not available via STIX/TAXII, you may need to get more creative. In this post, we will explore ingesting IOCs shared via a text file.
Free RiskIQ Observed Host Feed
On March 16, 2020, RiskIQ announced that they would provide a list “of newly observed infrastructure matching coronavirus themes.” They share this list as a text file hosted on Amazon Web Services (AWS) and post a new file daily. Thanks, RiskIQ!
Download and Prepare RiskIQ’s COVID-19 Domain List
LogRhythm Labs has prepared a PowerShell script (covid19_domains.ps1) to download the RiskIQ IOCs from AWS and prepare them for import into the LogRhythm NextGen SIEM Platform.
You can find the script on GitHub and download it to the Platform Manager in your LogRhythm Deployment.
The script performs the following functions:
- Checks https://covid-public-domains.s3-us-west-1.amazonaws.com/ for the most current file and downloads it.
- Creates a new file in the LogRhythm Job Manager’s list_import directory that is formatted to import into a list.
Note: If you would like the list of IOCs updated daily, you will need to schedule the covid19_domains.ps1 script to run on a daily basis.
Prepare the RiskIQ Data for List Import
As Figure 1 shows, the data in the RiskIQ file needs to be cleaned up before it is usable as a LogRhythm list. The covid19_domains.ps1 script performs cleaning steps such as removing the search strings and IP addresses, leaving only the domain names.
Figure 1. Excerpt of RiskIQ COVID-19 domain list
After the data is cleaned, your output will look like the results in Figure 2.
Figure 2. Excerpt of RiskIQ COVID-19 domain list prepared for list import
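The download, clean and write steps above, as an added example. This is not LogRhythm Labs' covid19_domains.ps1; it is illustrative code written for this post. Because the exact column layout of RiskIQ's file is not reproduced here, the cleaner keeps tokens by shape (hostname-looking, not an IPv4 address, not a bare search term) rather than by column position, and the sample input below is constructed, not real RiskIQ data. The search-term values, the regular expressions and the output encoding are assumptions; the output path is the one the post gives. Selecting the newest object in the bucket is left to the caller, since the post does not show that logic.

```powershell
# Added example, not the covid19_domains.ps1 script from the post.
# Assumed (not from the post): the feed is line-oriented and mixes search terms, dates,
# domains and IPv4 addresses in comma- or whitespace-separated fields.

function ConvertTo-DomainList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Line,
        # Search strings RiskIQ used to find the hosts (assumed values); dropped from the output.
        [string[]] $SearchString = @('covid', 'covid19', 'coronavirus', 'corona', 'ncov')
    )
    begin {
        $seen   = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
        $ipv4   = '^(\d{1,3}\.){3}\d{1,3}$'
        # Hostname shape: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
        $domain = '^(?=.{4,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    }
    process {
        foreach ($l in $Line) {
            if ([string]::IsNullOrWhiteSpace($l) -or $l.TrimStart().StartsWith('#')) { continue }
            foreach ($tok in ($l -split '[,\s"]+')) {
                $t = $tok.Trim().ToLowerInvariant().TrimEnd('.')
                if (-not $t)                    { continue }
                if ($t -match $ipv4)            { continue }   # drop IP addresses
                if ($SearchString -contains $t) { continue }   # drop bare search terms
                if ($t -notmatch $domain)       { continue }   # drop dates, notes, headers
                if ($seen.Add($t))              { $t }         # de-duplicate, emit once
            }
        }
    }
}

function Export-LrListImport {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        # Default is the list_import path the post gives.
        [string] $Path = 'C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\covid_domains.txt'
    )
    # One list item per line. UTF-8 without BOM is an assumption, not a documented requirement.
    [System.IO.File]::WriteAllLines($Path, $Domain, [System.Text.UTF8Encoding]::new($false))
    Get-Item -LiteralPath $Path
}

function Get-FeedLines {
    param([string] $Uri, [string] $LocalFile)
    if ($LocalFile) { return Get-Content -LiteralPath $LocalFile }
    # Windows PowerShell 5.1 defaults to older TLS; S3 requires TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    (Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content -split "`r?`n"
}

# Constructed sample (not real RiskIQ data) exercising each cleaning rule:
# header line, duplicate row, trailing dot and mixed case, digit-leading label.
$sample = @'
# search_term,observed,host,ip
covid,2020-03-17,covid19-relief-example.com,198.51.100.23
coronavirus,2020-03-17,Corona-Tracker-Example.net.,203.0.113.8
covid,2020-03-17,covid19-relief-example.com,198.51.100.23
ncov,2020-03-17,2019-ncov-map-example.org,192.0.2.77
'@ -split "`r?`n"

$domains = $sample | ConvertTo-DomainList
$domains
Export-LrListImport -Domain $domains -Path (Join-Path $env:TEMP 'covid_domains.txt')

# Live run (network, full object URL supplied by the caller):
# $d = Get-FeedLines -Uri 'https://covid-public-domains.s3-us-west-1.amazonaws.com/<newest file>' | ConvertTo-DomainList
# Export-LrListImport -Domain $d
```

The sample writes the three de-duplicated, lower-cased domains to a temp file so the block runs offline; pointing Export-LrListImport at the default path drops the file where the Job Manager picks it up. Scheduling this as a daily task is what the note above asks for, and the token-shape approach means a small change in RiskIQ's column order would not silently import search strings or IP addresses as list items.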
Import the Domain List into a LogRhythm List
The covid19_domains.ps1 script outputs the prepared data to “C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\covid_domains.txt”.
You will need to create a LogRhythm list into which covid_domains.txt will be imported.
In the LogRhythm Console, open the List Manager and create a General Value list (see Figure 3).
Figure 3. Creating a general value list in the List Manager
Next, configure the properties of the list per the screenshots in Figure 4 and Figure 5. Pay special attention to the “Import items as patterns” checkbox. Enabling “Import items as patterns” adds a wildcard to the beginning and end of each domain name. Determine whether the field being evaluated against this list can be matched exactly to the list items (e.g., the log source parses the domain into a separate field) or whether the domain is only part of the string parsed into a field (e.g., the full URL is parsed into a field). Only pattern match in the latter case, and test for performance impact, because wildcarding large lists can add significant overhead to AI Engine’s resource requirements.
Figure 4. COVID-19 domain list: basic configuration
Figure 5. COVID-19 domain list: additional settings
Note that the Use Context selections determine which metadata fields in the LogRhythm NextGen SIEM can be compared to the list. Any field that contains domain names in your environment should be selected.
Finish the Integration with the Threat Intelligence Service (TIS) Module
Backgrounder
To complete the integration of the COVID-19 domain list into the LogRhythm SIEM, we are going to take advantage of the structure of the Threat Intelligence Service (TIS) module. This module is available to all LogRhythm customers for free through the LogRhythm Knowledge Base. Deployment information for the TIS modules can be found here and here.
With the release of the TIS modules, LogRhythm introduced built-in lists and AI Engine rules that support the detection of known IOCs.
The TIS modules make use of a series of nested lists named “LR Threat List” which are configured for specific Use Contexts (see Figure 6).
Figure 6. A sampling of the LogRhythm Threat Lists included with the TIS module
The nested lists contain lists specific to vendor threat feeds, as shown in Figure 7. The LR Threat List : URL : Malware list is made up of malware lists from specific vendors.
Figure 7. Vendor lists nested inside the URL: Malware list
The LogRhythm threat lists are then referenced by AI Engine rules such as the one in Figure 8, which will trigger any time a log’s URL field matches a string in the URL : Malware threat list.
Figure 8. The Malware: Threat List Malware URL rule from the Threat Intelligence Service module
To integrate the COVID-19 list with the TIS module, nest it in the LR Threat Lists whose Use Contexts are appropriate to the logs in your environment. Figure 9 demonstrates an example of nesting.
Figure 9. COVID-19 Young Domains list nested into the URL: Malware list
Finally, enable the AI Engine rules from the TIS module.
Using the COVID-19 Young Domains List in an Investigation
The COVID-19 Young Domain list isn’t just for AI Engine rules — you can also use it in investigations. As mentioned earlier, AI Engine rules that compare values to long lists, especially pattern-matched lists, can introduce resource overhead to the AI Engine. You may want to run periodic investigations instead. Figure 10 shows an example of searching for DNS queries (Event ID 22) in Microsoft Sysmon logs that match the list of COVID-19 young domains.
Figure 10. Search for DNS queries in MS Sysmon logs
Figure 11 shows a result from the query revealing that the user ran a ping request for 911-covid.com.
Figure 11. MS Sysmon log showing a ping to 911-covid.com
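The same question the investigation in Figure 10 asks the SIEM, as an added example run directly on a Windows host with PowerShell. This is not code from the post or from LogRhythm; it reads Sysmon Event ID 22 (DNS query) events, compares QueryName against the prepared domain list, and shows the difference between an exact match and the wildcard behaviour of the “Import items as patterns” option discussed earlier. The Sysmon channel name and the QueryName, Image and UtcTime fields are Sysmon's documented ones; the sample events and the two-item list are constructed so the block runs without Sysmon installed, and 911-covid.com is the domain from Figure 11.

```powershell
# Added example, not code from the post. Checks Sysmon DNS query events against a domain list.

function Get-SysmonDnsQuery {
    param([int] $MaxEvents = 5000)
    # Sysmon Event ID 22 = DnsQuery. Fields are taken from the event's EventData block.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ UtcTime = $d.UtcTime; QueryName = $d.QueryName; Image = $d.Image }
      }
}

function Test-DomainListMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Event,
        [Parameter(Mandatory)] [string[]] $Domain,
        # Mirrors "Import items as patterns": a list item matches anywhere inside the value.
        [switch] $AsPattern
    )
    begin {
        $exact = [System.Collections.Generic.HashSet[string]]::new([string[]]$Domain, [System.StringComparer]::OrdinalIgnoreCase)
        # One alternation regex is far cheaper than a -like test per list item per event,
        # but its cost still grows with list size, the same caveat the post gives for AI Engine.
        $pattern = if ($AsPattern) { '(' + (($Domain | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')' }
    }
    process {
        $q = ([string]$Event.QueryName).TrimEnd('.')
        $hit = if ($AsPattern) { if ($q -match $pattern) { $Matches[1] } }
               else            { if ($exact.Contains($q)) { $q } }
        if ($hit) { $Event | Add-Member -NotePropertyName ListItem -NotePropertyValue $hit -PassThru }
    }
}

# Constructed list and events (not real telemetry). The second event only matches as a pattern,
# because the list holds the registered domain and the query is a subdomain of it.
$list = @('911-covid.com', 'covid19-relief-example.com')
$sampleEvents = @(
  [pscustomobject]@{ UtcTime = '2020-03-18 14:02:11.431'; QueryName = '911-covid.com';      Image = 'C:\Windows\System32\PING.EXE' },
  [pscustomobject]@{ UtcTime = '2020-03-18 14:02:15.002'; QueryName = 'www.911-covid.com';  Image = 'C:\Program Files\Mozilla Firefox\firefox.exe' },
  [pscustomobject]@{ UtcTime = '2020-03-18 14:03:40.877'; QueryName = 'update.example.com'; Image = 'C:\Windows\System32\svchost.exe' }
)

$sampleEvents | Test-DomainListMatch -Domain $list              # exact: first event only
$sampleEvents | Test-DomainListMatch -Domain $list -AsPattern   # pattern: first two events

# Live run on a host with Sysmon, using the list file the cleaning step wrote:
# Get-SysmonDnsQuery | Test-DomainListMatch -Domain (Get-Content 'C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\covid_domains.txt')
```

Exact matching is the right choice when the log source hands you the queried name as its own field, as Sysmon does; pattern matching catches subdomains and URLs that merely contain a listed domain, at the cost of scanning every value against every list item and of false positives on names that happen to contain a listed string. The Image field carries the same evidence Figure 11 relies on, here showing that PING.EXE, not a browser, resolved the domain.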
In Summary
Threat actors will use the sense of urgency and curiosity that occur during world crises, like COVID-19, to attract users to open a malicious email, visit a malicious website, or spread misleading information. The Threat Intelligence Service (TIS) and Knowledge Base modules provide the necessary framework to incorporate open-source threat intelligence into LogRhythm and help your team access the latest IOCs. Learn how to detect young domain names via Palo Alto Networks here.
Contributors to this blog include the following members of the Labs team: Dan Kaiser, Zack Rowland, Andrew Hollister, Brian Coulson, and James Carder.