Have you ever wondered how the FBI or CIA catch cybercriminals? Well, part of it is through their extensive threat-sharing network. DefenseStorm ThreatMatch utilizes that network and gives you access to threat feeds from various companies and government agencies to scan your network for matching activity.
If you want action taken each time a match is found, you can subscribe to the threat feed. Subscribing to a feed allows you to configure options such as email alerts, incident creation, linking policies, assigning severity, etc. If you choose not to subscribe, all relevant data is still displayed, but no automatic action is taken. In the screenshot below, the blue icons to the left of the feed name indicate you are subscribed. As you can see, all data is still displayed for all feeds, regardless of subscription.
Once within the Alerts > ThreatMatch page, all collected data is displayed per feed. This page gives you the option to subscribe, configure, and investigate your ThreatMatch data. For assistance utilizing the feature efficiently, here is a description of the data within each column:
- On/Off Switch: Blue indicates you are subscribed; transparent indicates you are unsubscribed.
- Name: Unique identifier provided by creator of the feed.
- Tags: Type of information searched for threats.
- Indicators: Number of possible matches.
- Matches: Total count of matches, including the same matches found over multiple days.
- Unique Matches: Deduplicated count of matches.
For example, you can have 11 matches and 1 unique match, which means the 1 unique match was found 11 times.
- Last updated: The last time the feed was updated.
To apply configuration settings to the feeds you have subscribed to, click the gear icon towards the top of the ThreatMatch page.
- Email: If you choose to receive email alerts, only a single email is sent the day a match is detected.
- Policy: Associate a policy and control with ThreatMatch alert findings.
- Severity: Give alerts a severity level.
Creating your own Threat Feed
One of the ThreatMatch features is the blocking and tracking of indicators of compromise (IOCs). An IOC can be anything from IP addresses to malicious files or URLs. If you find specific activity on your network that is an indicator of possible malicious activity, you can upload it to ThreatMatch to begin tracking.
To upload an IOC into ThreatMatch
- Go to Alerts > ThreatMatch > Select the blue plus symbol (+).
- Fill in all relevant fields:
- Name: Unique identifier for the IOC
- Description: For example: Malcode creates and maintains a list of domains that are known to host malware and spyware.
- URL: The URL associated with your IOC
- Tags: Type of information
- Once a new threat source has been added, a cloud icon displays to the far right of the row; select the icon.
- Fill in all relevant fields:
There are several things to consider when choosing to upload a file instead of typing in each indicator per line:
- The files must be .txt (Notepad, etc.)
- No combination documents. For example, one document is all domains, one document is all IPs, and one document is all hashes.
- "domain.com" includes only the one domain, no subdomains.
Information you find relevant to the threat sharing source, why you needed to add it as an IOC, etc.
- Threat Source
Name of the threat source.
The URL that needs to be alerted on.
- Date Range
Due to the rapid rate of change in IP addresses, DefenseStorm recommends that you input a date range for IP addresses that looks no farther than 3 months ahead. We also recommend that it only go back one month. This date range of back 1 month, forward 3 months provides the best range of coverage. Since domains remain constant, a date range is not necessary for them and can be removed. You can use the pop-up or manually type in the date. To remove the date range, make sure there is an indicator, and then highlight the date and delete it.
- Threat Indicator Type
Signature (This is a file hash, like an MD5, SHA1, or SHA256)
- Select Save.
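The file rules listed above (plain .txt, one indicator per line, one indicator type per document, subdomains listed explicitly) can be checked before upload. The following is an added example, not DefenseStorm code; the function names, the output file names and the sample indicators are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a mixed list as an analyst might collect it.
SAMPLE = """\
203.0.113.7
example.com
mail.example.com
D41D8CD98F00B204E9800998ECF8427E
203.0.113.7
http://example.com/login
2001:db8::1
""".splitlines()

HASH_LENGTHS = (32, 40, 64)  # MD5, SHA1, SHA256 hex digests
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$")

def classify(indicator):
    """Return 'ip', 'hash', 'domain' or None for one lower-cased indicator."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    if len(indicator) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", indicator):
        return "hash"
    return "domain" if DOMAIN_RE.match(indicator) else None

def split_indicators(lines):
    """Return (buckets, rejected): de-duplicated indicators per type, plus
    (line_number, text) pairs that fit no type and need manual review."""
    buckets, rejected = {"ip": [], "hash": [], "domain": []}, []
    for number, raw in enumerate(lines, start=1):
        # Hex digests and DNS names are case-insensitive, so normalise first.
        text = raw.strip().lower()
        if not text:
            continue
        kind = classify(text)
        if kind is None:  # e.g. a full URL pasted into a domain list
            rejected.append((number, raw.strip()))
        elif text not in buckets[kind]:
            buckets[kind].append(text)  # subdomains stay separate entries
    return buckets, rejected

def render_files(buckets, prefix="ioc"):
    """Map file name -> contents: one .txt per type, one indicator per line."""
    return {f"{prefix}_{kind}.txt": "\n".join(vals) + "\n"
            for kind, vals in buckets.items() if vals}
```

Lines returned in `rejected` fit none of the three types and should be corrected by hand before upload; each key of `render_files(...)` is one single-type document.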
Sometimes ThreatMatch can find matches that have already been denied by your firewall or appropriate system. To dampen the noise while still receiving email alerts, you can exclude events from ThreatMatch by creating a Classifier.
To create a ThreatMatch Classifier
- Go to Events and enter the search query you'd like to exclude. For example: app_name:"Cisco ASA" deny
- Select "Create Classifier"
- Select the Exclude from ThreatMatch checkbox to prevent any alerts on the query. See Classifiers for details on other classifier fields.
- Select Save.