Using Open-Source Intelligence to Detect Attacks Using Newly Created Domain Names

When high-profile threats surface, they are often accompanied by a flurry of information sharing from security researchers and practitioners. The information they share can be delivered in a variety of formats. For example, following the recent malware activity surrounding the COVID-19 outbreak, you could obtain indicators of compromise (IOCs) from places such as:

Additional COVID-19 resources can be found at the end of this post.

If the IOCs are available in a STIX/TAXII feed, LogRhythm customers can use the LogRhythm Threat Intelligence Service (TIS) to ingest them. If the IOCs are not available via STIX/TAXII, you may need to get more creative. In this post, we will explore ingesting IOCs shared via a text file.

Free RiskIQ Observed Host Feed

On March 16, 2020, RiskIQ announced that they will provide a list “of newly observed infrastructure matching coronavirus themes.” They are sharing this list on Amazon Web Services (AWS) as a text file and posting a new file daily. Thanks, RiskIQ!

Download and Prepare RiskIQ’s COVID-19 Domain List

LogRhythm Labs has prepared a PowerShell script (covid19_domains.ps1) to download the RiskIQ IOCs from AWS and prepare them for integration into the LogRhythm NextGen SIEM Platform.

You can find the script on GitHub and download it to the Platform Manager in your LogRhythm Deployment.

The script performs the following functions:

Note: If you would like the list of IOCs updated daily, you will need to schedule the covid19_domains.ps1 script to run on a daily basis.

Prepare the RiskIQ Data for List Import

As you can observe in Figure 1, the data from the RiskIQ file needs to be cleaned up before it is usable as a LogRhythm list. The covid19_domains.ps1 script performs cleaning steps such as removing the search strings and IP addresses from the list, leaving only domain names.

Figure 1. Excerpt of RiskIQ COVID-19 domain list

After the data is cleaned, your output will look like the results in Figure 2.

Figure 2. Excerpt of RiskIQ COVID-19 domain list prepared for list import
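As an added illustration (this is not the covid19_domains.ps1 script from the post), the PowerShell below performs the cleaning steps described above and writes the result to the list import path. The feed URL is a placeholder, the sample lines are constructed, and treating "anything that is not shaped like a hostname" as a search string is an assumption.

```powershell
# Added example, not LogRhythm Labs' covid19_domains.ps1: turn a RiskIQ-style
# host list into one-domain-per-line output for a LogRhythm General Value list.
# Search strings and IP addresses are dropped; hosts are lowercased and deduplicated.
function ConvertTo-DomainList {
    param([string[]] $Lines)
    $ipv4   = '^\d{1,3}(\.\d{1,3}){3}$'
    # A hostname: dot-separated labels and an alphabetic TLD. Search strings
    # (bare keywords, phrases with spaces) never match this and are discarded.
    $domain = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$'
    $seen   = @{}
    foreach ($raw in $Lines) {
        $item = $raw.Trim().ToLowerInvariant()
        if (-not $item -or $item.StartsWith('#')) { continue }   # blank or comment
        if ($item -match $ipv4)                     { continue }   # IP address
        if ($item -notmatch $domain)                { continue }   # search string / junk
        if (-not $seen.ContainsKey($item)) { $seen[$item] = $true; $item }
    }
}

# Placeholder: the real feed URL is not given on this page.
$FeedUrl = 'https://FEED-URL-PLACEHOLDER/riskiq-covid-hosts.txt'
# Output path used by the script described in the post.
$OutFile = 'C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\covid_domains.txt'

# Constructed sample standing in for the download when run offline.
$sample = @(
    '# newly observed hosts (constructed sample)',
    'coronavirus',             # search string, dropped
    'covid 19 vaccine',        # search string, dropped
    '203.0.113.7',             # IP address, dropped
    '911-covid.com',           # domain seen in Figure 11 of the post
    'COVID19-RELIEF.EXAMPLE',  # kept, lowercased
    '911-covid.com'            # duplicate, dropped
)

try {
    $lines = (Invoke-WebRequest -Uri $FeedUrl -UseBasicParsing).Content -split "`r?`n"
} catch {
    Write-Warning "Download failed ($_); using the constructed sample instead."
    $lines = $sample
}

$domains = @(ConvertTo-DomainList -Lines $lines)
Set-Content -Path $OutFile -Value $domains -Encoding ASCII
Write-Host "Wrote $($domains.Count) domains to $OutFile"
```

Run it from a scheduled task on the Platform Manager to keep the list current, as the note above describes.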

Import the Domain List into a LogRhythm List

The covid19_domains.ps1 script outputs the prepared data to “C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\covid_domains.txt”.

You will need to create a LogRhythm list where the covid_domains.txt will be imported.

In the LogRhythm Console, open the List Manager and create a General Value list (see Figure 3).

Figure 3. Creating a general value list in the List Manager

Next, configure the properties of the list per the screenshots in Figure 4 and Figure 5. Pay special attention to the “Import items as patterns” checkbox. Enabling “Import items as patterns” adds a wildcard to the beginning and end of the domain name. Determine whether the field being evaluated against this rule can be matched exactly to the list items (e.g., the log source parses the domain into a separate field) or whether the domain is only part of the string parsed into a field (e.g., the full URL is parsed into a field). Only pattern match in the latter case, and test for performance impacts, because wildcarding large lists may add significant overhead to AI Engine’s resource requirements.

Figure 4. COVID-19 domain list: basic configuration

Figure 5. COVID-19 domain list: additional settings

Note that the Use Context selections determine which metadata fields in the LogRhythm NextGen SIEM can be compared to the list. Any field that contains domain names in your environment should be selected.

Finish the Integration with the Threat Intelligence Service (TIS) Module

Backgrounder

To complete the integration of the COVID-19 domain list into the LogRhythm SIEM, we are going to take advantage of the structure of the Threat Intelligence Service (TIS) module. This module is available to all LogRhythm customers for free through the LogRhythm Knowledge Base. Deployment information for the TIS modules can be found here and here.

LogRhythm has built-in lists and AI Engine rules to support the detection of known IOCs that were introduced with the release of the TIS modules.

The TIS modules make use of a series of nested lists named “LR Threat List” which are configured for specific Use Contexts (see Figure 6).

Figure 6. A sampling of the LogRhythm Threat Lists included with the TIS module

The nested lists contain vendor-specific threat feed lists, as seen in Figure 7. For example, the LR Threat List : URL : Malware list is comprised of malware lists from specific vendors.

Figure 7. Vendor lists nested inside the URL: Malware list

The LogRhythm threat lists are then referenced by AI Engine rules such as the one in Figure 8, which will trigger any time a log’s URL field matches a string in the URL : Malware threat list.

Figure 8. The Malware: Threat List Malware URL rule from the Threat Intelligence Service module

To integrate the COVID-19 list with the TIS module, nest it in the LR Threat Lists whose Use Contexts are appropriate to the logs in your environment. Figure 9 demonstrates an example of nesting.

Figure 9. COVID-19 Young Domains list nested into the URL: Malware list

Finally, enable the AI Engine rules from the TIS module.

Using the COVID-19 Young Domains List in an Investigation

The COVID-19 Young Domain list isn’t just for AI Engine rules — you can also use it in investigations. As mentioned earlier, AI Engine rules that compare values to long lists, especially pattern-matched lists, can introduce resource overhead to the AI Engine. You may want to run periodic investigations instead. Figure 10 shows an example of searching for DNS queries (Event ID 22) in Microsoft Sysmon logs that match the list of COVID-19 young domains.

Figure 10. Search for DNS queries in MS Sysmon logs

Figure 11 shows a result from the query that reveals the user had run a ping request for 911-covid.com.

Figure 11. MS Sysmon log showing a ping to 911-covid.com

In Summary

Threat actors will use the sense of urgency and curiosity that occur during world crises, like COVID-19, to attract users to open a malicious email, visit a malicious website, or spread misleading information. The Threat Intelligence Service (TIS) and Knowledge Base modules provide the necessary framework to incorporate open-source threat intelligence into LogRhythm and help your team access the latest IOCs. Learn how to detect young domain names via Palo Alto Networks here.

Contributors to this blog include the following members of the Labs team: Dan Kaiser, Zack Rowland, Andrew Hollister, Brian Coulson, and James Carder.