iHash

News and How to's

How to Use RiskIQ to Enrich Detections with Internet Intelligence

by Leave a Comment


Introduction

In this article, we will show you how using the RiskIQ Illuminate app can enrich your CrowdStrike Falcon Insight detections with additional pivot features.

RiskIQ Illuminate integrates with the CrowdStrike Falcon platform seamlessly to give security teams a 360° view of their attack surface helping them better detect threats and defend their enterprise. Available in the CrowdStrike Store, the Illuminate app combines Falcon’s internal endpoint telemetry with petabytes of external Internet data collected for over a decade – enabling security teams to accelerate their investigations, increase visibility, respond more effectively to threats, and maximize the impact of their existing security solutions.

RiskIQ automatically aggregates and correlates the most comprehensive internet data sets available, including passive DNS, email, SSL certificates, host pairs, web trackers, and WHOIS data to deliver insights about the ownership, use, and activity of specific assets involved in an event or attack. When automatically correlated with CrowdStrike Intelligence, this data boosts incident response by enabling researchers to quickly search across an organization’s endpoints for indicators of compromise or find activity related to suspicious indicators they observe on an endpoint.

Video

https://www.youtube.com/watch?v=vnOlUSeU4cs

Benefits

  • Creates complete security visibility by bridging external and internal threat intelligence data in one location and displays CrowdStrike Intelligence directly alongside detailed Internet collection data.
  • Enriches investigations by automatically searching internal endpoints for indicators of compromise as analysts pivot.
  • Accelerates threat hunting and incident response engagements by surfacing related or overlapping infrastructure data.
  • Identifies any visibility gaps within the organization by analyzing CrowdStrike endpoint coverage and comparing it with the organization’s attack surface.

How it Works

Account provisioning is automatically set-up between RiskIQ and CrowdStrike when installing the RiskIQ Illuminate app from the CrowdStrike store. Within the Falcon platform, a RiskIQ icon will be displayed next to network-based indicators including domains and IP addresses.

CrowdStrike DNS Requests

Clicking on the icon for any of the displayed indicators will automatically direct Falcon users to the RiskIQ PassiveTotal platform where results are displayed pertaining to the network indicators.

RiskIQ dropbox resolutions

From here, an analyst can begin to triage the suspect infrastructure. In this case, we are looking at the domain dl2.dropbox-download-eu.com. Right away, we can note a few key details about this infrastructure:

  1. The domain is newly registered and resolving to an IP address
  2. It appears to be passing itself off as a “Dropbox” link
  3. The resolving IP shows up on RiskIQ’s malicious indicator feed
  4. CrowdStrike Falcon associates this domain to criminal activity 
  5. The domain uses a “Let’s Encrypt” certificate
  6. There are hashes associated with the domain in Hybrid Analysis
  7. An endpoint within the organization was seen browsing to this infrastructure

RIskIQ DropboxCrowdStrike tab

Clicking on the CrowdStrike tab reveals two sub-tabs, Endpoints and Intelligence. On the Endpoints tab, we see two systems within our environment has browsed to this specific domain. 

RiskIQ Intel tab

Within CrowdStrike Intelligence, we see related indicators and actor information that provides further context and lets us know we are in fact dealing with something malicious. At this point, it would be prudent to fully explore the infrastructure and identify additional indicators we may want to feed back into CrowdStrike for future detections.

Each tab within RiskIQ PassiveTotal represents a data set where each indicator displayed can be clicked to perform an additional pivot. If we look at the WHOIS record for this domain, we see some suspicious information.

Risk IQ Whois tab

The Hotmail email address used to register this domain is attempting to masquerade as a privacy protection service. Performing a pivot on this indicator reveals hundreds of additional domains registered using this same email address.

RiskIQ whois search

Paging through these results reveals several additional domains that appear to be themed around cloud storage providers. One example that sticks out is onedrive-en-live.com where instead of Dropbox, malicious actors have used Microsoft’s OneDrive as their theme.

RiskIQ onedrive

Similar to our starting point, we can see much of the same characteristics as before, though within the CrowdStrike Endpoint sub-tab, an additional endpoint is revealed. Seeing multiple endpoints communicating with related malicious infrastructure suggests an attempt was made to breach the organization.

The above example is highly summarized, but demonstrates the power of combining internal endpoint telemetry with RiskIQ external Internet intelligence. Within a couple clicks, analysts can immediately identify related infrastructure and coordinate their response efforts. This particular investigation could have easily netted a single analyst within hundreds of IOCs in minutes that could be fed back to CrowdStrike.

Features

  • RiskIQ Illuminate merges external internet intelligence directly with CrowdStrike premium intelligence in order to give analysts a complete picture. Analysts can download CrowdStrike reports, explore OSINT data, pivot on related indicators and identify overlap between malicious actors. 
  • RiskIQ Illuminate leverages the CrowdStrike ThreatGraph to automatically search internal endpoints for a specific indicator. Having this information overlaid with external intelligence from RiskIQ means analysts save time and can stay focused on their investigation.
  •  RiskIQ Illuminate brings over 10 years and multiple petabytes of external internet intelligence directly to the analyst in a simple-to-use interface. Investigations can be created and artifacts added in order to track response and completeness of the clean-up efforts.

Conclusion

Customers of CrowdStrike Falcon can easily test and see the power of this signal-based approach by installing the RiskIQ Illuminate application and starting a free-trial directly from the CrowdStrike Store.

More resources

Content provided by Brandon Dixon of Risk IQ and Janani Nagarajan of CrowdStrike



Source link

Reader Interactions

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.