Derek Arnold has spent the last 12 years securing large retail, medical device, and insurance companies, and has worked with large, diverse Fortune 500 enterprises. His key specialties include security operations, threat intelligence, physical security and SIEM. As a principal consultant for Optiv, he helps organizations solve their unique security challenges using Splunk Enterprise.
Accessible Threat Intelligence
Over the last couple of years, threat intelligence has entered the vocabulary of security practitioners. As stated in a previous Optiv blog post, a threat intelligence program “is an enterprise capability to leverage data, tools, and processes together with human assets to approach security in a smarter way.”
Several organizations have emerged to supply that data. Threat lists containing destination IPs, URLs, and domain names of interest are not new; what has been missing for a long time is a standard way to store, distribute and categorize them, so most open lists are still plain text in whatever layout the publisher chose. Newer standards are being built, such as STIX (a structured format for describing indicators) and TAXII (a protocol for exchanging them), but adoption is not as rapid as it could be.
Splunk is a fantastic tool for making sense of your operations and security data. Threat intelligence apps have been published by others in the past, but many of them required proprietary add-ons such as appliances, API keys or subscriptions. Others are excellent, but require complicated tuning or even database configuration, adding to the time and cost to implement. None of the free apps hit the mark, so I decided to write one.
The goal of the app is to provide accessible threat intelligence in a curated setting, with little to no need for configuration or search language knowledge. In five minutes or less, you can download and install the free app and start collecting and correlating actionable threat intelligence with your organization’s machine data.
Starting at the main screen, we see a summary of the threat intelligence gathered automatically for the day and how it compares to yesterday.
Next, we can browse to the index search dashboard. The dropdown list automatically populates and we can go hunting for suspicious network activity:
In this case, we find some activity from a source on our threat list also connecting to our honeypot.
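The correlation behind that finding is a join between indicators and event fields, and most of the work is in the normalization the plain-text lists described earlier force on you: comments, CIDR ranges, defanged domains and URLs, mixed case. The following Python is an added example written for this post, not code from the Optiv Threat Intel app or from Splunk; the feed, the log lines and the key=value event layout are constructed here to show the matching rules and one pitfall (substring matching on domains) that such a join must avoid.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample feed (not a real list): one indicator per line, comments,
# a bare IP, a CIDR range, a defanged domain, a defanged URL and mixed case.
THREAT_FEED = """\
# constructed example feed
198.51.100.23            # scanner seen last week
203.0.113.0/24           # hostile range
evil-example[.]test      # defanged domain
hxxp://bad.example.test/login.php
EXFIL.Example.TEST
"""

# Constructed sample machine data in key=value form (firewall, honeypot, dns, proxy).
LOG_LINES = """\
2015-06-01T10:00:01Z sourcetype=firewall action=allowed src_ip=198.51.100.23 dest_ip=10.0.0.5 dest_port=443
2015-06-01T10:00:04Z sourcetype=firewall action=blocked src_ip=192.0.2.9 dest_ip=10.0.0.5 dest_port=22
2015-06-01T10:01:10Z sourcetype=honeypot src_ip=198.51.100.23 dest_port=23 msg="telnet login attempt"
2015-06-01T10:02:33Z sourcetype=dns src_ip=10.0.0.17 query=www.evil-example.test
2015-06-01T10:03:00Z sourcetype=proxy src_ip=10.0.0.21 url=http://bad.example.test/login.php
2015-06-01T10:03:45Z sourcetype=firewall action=allowed src_ip=203.0.113.77 dest_ip=10.0.0.5 dest_port=80
2015-06-01T10:04:00Z sourcetype=dns src_ip=10.0.0.17 query=notevil-example.test
"""


def refang(s):
    """Undo common defanging so indicators look like what the logs actually contain."""
    return s.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def parse_feed(text):
    """Split a plain-text feed into (networks, domains, urls), all lower-cased."""
    networks, domains, urls = [], set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, 1)[0].strip()  # trailing comment
        ind = refang(line).lower()
        if "://" in ind:
            urls.add(ind)
            continue
        try:
            # strict=False turns a bare address into a /32 so one code path handles both
            networks.append(ipaddress.ip_network(ind, strict=False))
            continue
        except ValueError:
            pass
        domains.add(ind.rstrip("."))
    return networks, domains, urls


KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Pull key=value pairs (quoted values allowed) out of one event line."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def domain_matches(name, domains):
    """True for an exact listed domain or a subdomain of one; never a substring match,
    so notevil-example.test does not match evil-example.test."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def correlate(feed_text, log_text):
    """Return one dict per event that touches a listed indicator, with the reasons."""
    networks, domains, urls = parse_feed(feed_text)
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        reasons = []
        for field in ("src_ip", "dest_ip"):
            if field not in ev:
                continue
            try:
                addr = ipaddress.ip_address(ev[field])
            except ValueError:
                continue
            for net in networks:
                if addr in net:
                    reasons.append(f"{field}={ev[field]} in {net}")
                    break
        if "query" in ev and domain_matches(ev["query"], domains):
            reasons.append(f"query={ev['query']} matches listed domain")
        if "url" in ev and ev["url"].lower() in urls:
            reasons.append(f"url={ev['url']} is listed")
        if reasons:
            hits.append({"sourcetype": ev.get("sourcetype"), "src_ip": ev.get("src_ip"), "reasons": reasons})
    return hits


def sources_seen_in(feed_text, log_text):
    """Group hits by src_ip: a listed source showing up in both firewall and honeypot
    data is the kind of pivot the dashboard surfaces."""
    seen = defaultdict(set)
    for hit in correlate(feed_text, log_text):
        seen[hit["src_ip"]].add(hit["sourcetype"])
    return dict(seen)


if __name__ == "__main__":
    for hit in correlate(THREAT_FEED, LOG_LINES):
        print(hit["sourcetype"], hit["src_ip"], "; ".join(hit["reasons"]))
    print(sources_seen_in(THREAT_FEED, LOG_LINES))
```

In Splunk the same join is a lookup of the indicator table against the event's IP, domain or URL field; what this example makes explicit is the normalization that has to happen before the lookup (refanging, lower-casing, CIDR expansion) and the choice of suffix matching over substring matching for domains, which is where naive list correlation produces its false positives.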
Lastly, we can visualize on a globe where the bulk of attacks originate.
Optiv Threat Intel is a new Splunk app, available for free download at https://splunkbase.splunk.com/app/2837/.
With a few mouse clicks, we can start correlating our organization’s machine data with many open threat lists.