The logs you are already collecting have a wealth of information that can help you catch malware, botnets, and compromised systems on your network and egress traffic from APTs to their command and control servers.
The secret is in the IP addresses, URLs, file names and more embedded in all kinds of events in your log. You've got IP addresses in all kinds of logs:
- Windows firewall logs
- Windows logon events
- Firewall logs
- Netflow
- Router logs
- NIDS/NIPS
Of course, how do you know which IPs and other data are bad? Wouldn't it be nice if lots of people got together and shared threat information they discover on as close to real-time as possible? That's exactly what's happening out there with threat intelligence feeds like the ETOpen feed from emergingthreats.net.
ETOpen is actually a number of different lists of threat intelligence including:
- Known command and control hosts
- Attack response rules – data that systems on your network are likely to send back to a host after they have been compromised
- Compromised hosts
- Systems of known spammers
- Exploit rules for detecting things like Windows exploits, SQL injection, etc.
- User-Agent strings for known malware
- Web server attack detection rules
In this real training for free ™ webinar I'll introduce you to ETOpen specifically and also provide an overview of the growing area of threat intelligence technologies. We'll look at the important standards efforts: TAXII and STIX. STIX is a language for describing threat data like that described above and TAXII is a body of protocols and other standards to securely exchanging STIX data.
But after that I'll focus in on how to really use threat data like that from ETOpen in your SIEM to catch the bad guy. I'll provide specific use cases and examples. A. N. Ananth from our sponsor, EventTracker, will help out by actually demonstrating a SIEM by actively using threat data to detect and respond to attacks and compromised systems.
This will be an interesting, technical event. Don't miss it. Please register now.