
Accessible Threat Intelligence

October 15, 2015

Threat intelligence is a term that has entered our vocabulary as security practitioners over the last couple of years. As stated in a previous Optiv blog post, a threat intelligence program “is an enterprise capability to leverage data, tools, and processes together with human assets to approach security in a smarter way.” 

Several organizations have emerged to try to address the need for usable threat intelligence. Threat lists containing destination IPs, URLs, and domain names of interest are not new. For a long time, however, there was no standard way to store, distribute and categorize that data. Newer standards such as TAXII and STIX are being built, but their adoption rate is not as rapid as it could be. 

Splunk is a fantastic tool for making sense of your operations and security data. There have been threat intelligence apps published by others in the past, but many of them required proprietary add-ons such as appliances, API keys or subscriptions. Others are excellent, but require complicated tuning or even database configuration, adding to the time and cost to implement. None of the free apps were hitting the mark, so I decided to write one. 

The goal of the app is to provide accessible threat intelligence in a curated setting, with little to no need for configuration or search language knowledge. In five minutes or less, you can download and install the free app and start collecting and correlating actionable threat intelligence with your organization’s machine data.

Starting at the main screen, we see a summary of the threat intelligence that has been gathered automatically for the day, and how it compares to yesterday.

Next, we can browse to the index search dashboard. The dropdown list automatically populates and we can go hunting for suspicious network activity:

In this case, we find some activity from a source on our threat list also connecting to our honeypot.

Lastly, we can visualize on a globe where the bulk of attacks originate.

Optiv Threat Intel is a new Splunk app, available for free download at https://splunkbase.splunk.com/app/2837/.

With a few mouse clicks, we can start correlating our organization’s machine data with many open threat lists.
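The workflow the dashboards walk through above (gather open threat lists, summarize today against yesterday, then hunt for log events whose source or destination appears on a list, including a listed source that also reached the honeypot) can be reduced to a small amount of code. The following Python is an added example written for this post; it is not the Optiv Threat Intel app's own code and it makes no Splunk API calls. The threat lists, the key=value firewall events, and the honeypot address `10.0.0.250` are all constructed sample data using documentation address ranges, and the one-indicator-per-line list format with `#` comments is an assumption about the open lists being consumed.

```python
"""Threat-list correlation over machine data, mirroring what the app's
dashboards do: ingest open threat lists, summarize today vs. yesterday,
and hunt for events whose source, destination or host is on a list.
All list contents and log lines below are constructed sample data."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed threat lists in a common one-indicator-per-line format
# (blank lines and '#' comments are ignored). The addresses are from
# documentation ranges (RFC 5737 / RFC 6761), not real indicators.
THREAT_LIST_TODAY = """
# list: example-scanners (constructed)
198.51.100.23
203.0.113.77
bad.example
"""
THREAT_LIST_YESTERDAY = """
198.51.100.23
old.example
"""

# Constructed firewall/proxy events in key=value form
SAMPLE_LOGS = [
    'ts=2015-10-15T08:01:02Z src=198.51.100.23 dst=10.0.0.5 dport=22 action=allow',
    'ts=2015-10-15T08:01:09Z src=198.51.100.23 dst=10.0.0.250 dport=23 action=allow',
    'ts=2015-10-15T08:02:31Z src=10.0.0.7 dst=93.184.216.34 host=www.example.com dport=443 action=allow',
    'ts=2015-10-15T08:03:10Z src=10.0.0.9 dst=203.0.113.77 dport=80 action=allow',
    'ts=2015-10-15T08:04:00Z src=10.0.0.12 dst=192.0.2.8 host=bad.example dport=80 action=allow',
]
HONEYPOT_IP = "10.0.0.250"  # assumed address of the internal honeypot


def parse_threat_list(text: str, name: str) -> Dict[str, str]:
    """Return {indicator: list_name}. IPs are normalized via ipaddress so
    that '198.051.100.023'-style variants collapse; domains are lower-cased
    and stripped of a trailing dot so matching is case-insensitive."""
    indicators: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            line = str(ipaddress.ip_address(line))
        except ValueError:
            line = line.lower().rstrip(".")
        indicators[line] = name
    return indicators


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Split a key=value event into a field dictionary."""
    return dict(KV_RE.findall(line))


def correlate(logs: List[str], threat_index: Dict[str, str]) -> List[dict]:
    """Match the src, dst and host fields of each event against the index."""
    hits = []
    for line in logs:
        event = parse_log_line(line)
        for field in ("src", "dst", "host"):
            value = event.get(field, "").lower()
            if value in threat_index:
                hits.append({"field": field, "indicator": value,
                             "list": threat_index[value], "event": event})
    return hits


def daily_summary(today: Dict[str, str], yesterday: Dict[str, str]) -> dict:
    """Counts for the main screen: today's list size, yesterday's, and churn."""
    return {"today": len(today), "yesterday": len(yesterday),
            "new": len(set(today) - set(yesterday)),
            "dropped": len(set(yesterday) - set(today))}


def threat_sources_hitting_honeypot(hits: List[dict], honeypot_ip: str) -> List[str]:
    """The post's scenario: listed sources that also connected to the honeypot."""
    return sorted({h["indicator"] for h in hits
                   if h["field"] == "src" and h["event"].get("dst") == honeypot_ip})


def hits_by_list(hits: List[dict]) -> Counter:
    """How many matches each threat list produced."""
    return Counter(h["list"] for h in hits)


if __name__ == "__main__":
    today = parse_threat_list(THREAT_LIST_TODAY, "example-scanners")
    yesterday = parse_threat_list(THREAT_LIST_YESTERDAY, "example-scanners")
    print(daily_summary(today, yesterday))
    hits = correlate(SAMPLE_LOGS, today)
    for h in hits:
        print(h["event"]["ts"], h["field"], h["indicator"], h["list"])
    print("listed sources on honeypot:",
          threat_sources_hitting_honeypot(hits, HONEYPOT_IP))
```

Normalizing indicators once at ingest (IP canonical form, lower-cased domains) is what keeps the per-event lookup a plain dictionary hit rather than a regex scan, which matters when the same correlation runs over millions of events; in Splunk the equivalent is a lookup table refreshed on the list download schedule.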


By: Derek Arnold

Principal Consultant
