Malicious Actors Inside Your Network? Here’s How To Find Them.

As an analyst, context is key.

With hundreds, often thousands, of security incidents raised by modern SIEM products it can make the process of triaging the most serious of them incredibly difficult. Adding context to events that form a security incident can help investigations by reducing both time and effort. Sometimes looking at a Whois record on a domain can rule out a threat (if only it was always that simple!).

Anomali ThreatStream offeres users access to millions of indicators and their associated context. In the latest release of our Splunk ThreatStream App the addition of Threat Actor and Threat Bulletin information aims to simplify security investigations. This post offers an introduction to the new functionality.

See through the noise, know where to focus

The overview pageof the Splunk ThreatStream App provides a great place to start an investigation. I can easily see the critical events that have matched Threatstream Indicators of Comprimise and how serious they are using the confidence and severity rankings assisgned by Threatstream. The app has identified 14 events in my Splunk logs that match known indicators associated with an actor named “Sofacy”. These indicator matches are paticularly interesting as it might indicate the organisation is subjected to a more targetted campaign.

Learn more about actors that are potentially inside your network

Drilling down on the actor “Sofacy” I can see all the known indicators associated to the Actor that have been seen in my environment. Before investigating further, lets first take a look at more information about the Actor in ThreatStream.

In the ThreatStream portal I can see the Sofacy team is an APT group of suspected Russian origin that has been operating since at least 2009. A detailed killchain analysis shows me how they tend to operate, in this case delivery is via malicious files in phising emails that exploit 0-days. I can also see all the indicators asscoiated with the actor Sofacy, campaigns they have been linked to and their Tactics, Techniques and Procedures (TTP’s). Armed with this information I can continue my investigation in Splunk.

Understand where an actor has been inside your network

Knowing that Sofacy uses spearfisiging campaigns to deliver exploits, I start by looking at email matches for this Actor. I can see 3 users in my organisation have reveived numerous emails from known email addresses associated with Sofacy. All 3 malicious email addresses have a high confidence and severity score issued by ThreatStream which alerts me to a more serious threat. I can then drilldown to search through my email logs in Splunk and see the content of messages sent from these addresses.

I am also able to see if any malicious email attachments have been observed in my network, suggesting they have been opened. In fact, I can see 3 machines in my organisation that have a file hash that matches a known malware file hash associated with Sofacy phising emails. Upon further inspection in Splunk I can see these machines are owned by the users who recieved emails from the know malicious email addresses.

Using all of this data I can then decide upon the next steps to take; perhaps contiuing to investigate futher, quarentining these machines from the wider network, or blocking the destinations the malware is communicating with.

Get started with ThreatStream today

Within minutes I have been able to:

  • Identify a potential Threat Actor in my network
  • Quickly research the Threat Actor including their behaviour and motives
  • Understand the risk the Threat Actor poses
  • Assess where the Threat Actor has been inside my network

And this is the start of what’s possible. To learn more about how you can integrate Threat Intelligence with your SIEM head over to:

Originally published at