DNS blacklists

One technique that combines filtering with manual log review is to use a scripting language such as Python. Scripts can parse firewall logs or other inputs and highlight specific areas for the analyst to focus on. One such script is DNS Blacklists, available at https://bitbucket.org/ethanr/dns-blacklists/. It takes text files produced by the log source or by the analyst and compares them against lists of IP addresses and domains that have been blacklisted.

The folder containing the script also holds two folders whose contents are compared against each other. One holds the text files of IP and domain blacklists, which can be obtained from open sources or threat intelligence providers (Chapter 13, Leveraging Threat Intelligence, addresses how threat intelligence sources can be leveraged for incident response). The other holds the suspicious log files or lists of IP addresses. The script runs the entries in the second folder against the blacklists to determine whether there are any matches.

In the following example, a list of known Emotet URLs and IP addresses is compared against a raw firewall log that has been obtained. Once the data has been placed into the appropriate folders, the following command is entered into the terminal:

dfir@ubuntu:~$ python dns_blacklists.py bad_lists/ traffic_directory/

This command runs the script with the Emotet blacklists contained in the bad_lists folder against the log files or IP addresses in the traffic_directory folder and prints any matches it finds:

The output indicates that the domain rozhan-hse.com was found on one of the Emotet IOC blacklists. DNS Blacklists is a good tool for an initial triage of log files, but the efficacy of the results depends largely on the data placed in the blacklist folder: the more up to date and accurate those lists are, the better the results will be. Stale or overly broad lists produce both misses and false positives (a shared hosting or CDN address that once served malware, for instance, will keep matching long after it has been cleaned up). A positive result is therefore a lead rather than a conclusion, and should be followed up with additional searching of the logs around the matching host to establish what the connection actually was.
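The comparison the script performs is straightforward to reproduce. The following Python is an added example written for this page, not code from the dns-blacklists repository, and it implements the same idea over constructed sample data: each blacklist file is parsed into IP and domain indicators (comments, full URLs, defanged entries such as hxxp:// and [.], and host:port pairs are all handled), each firewall log line is scanned for IPv4 addresses and hostnames, and a hostname counts as a hit when it equals a blacklisted domain or is a subdomain of one. The file contents and log lines are constructed; rozhan-hse.com is the domain from the example above, while the IP addresses come from the RFC 5737 documentation ranges and are not real Emotet indicators.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed stand-in for the text files in bad_lists/. rozhan-hse.com is the
# domain flagged in the chapter's example; the addresses are RFC 5737
# documentation IPs, not real Emotet IOCs.
BAD_LIST_FILES = {
    "emotet_domains.txt": """
# Emotet payload / C2 hosts (constructed sample)
hxxp://rozhan-hse.com/wp-content/jg7/
http://example-dropper.net/invoice.doc
malicious[.]example
""",
    "emotet_ips.txt": """
203.0.113.45
198.51.100.7:8080
""",
}

# Constructed stand-in for the raw firewall log in traffic_directory/.
TRAFFIC_FILES = {
    "fw.log": """
Jan 12 10:04:11 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.45 PROTO=TCP DPT=443
Jan 12 10:04:15 fw1 dnsproxy: query 10.0.0.23 A cdn.rozhan-hse.com
Jan 12 10:05:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.40 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 12 10:06:30 fw1 proxy: GET http://www.example.org/ client=10.0.0.41
""",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname: one or more labels followed by an alphabetic TLD, so bare IPs do not match.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text):
    """Undo the common defanging conventions used in shared IOC lists."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_indicator(line):
    """Turn one blacklist line into ('ip', addr) or ('domain', name); None if not an indicator."""
    line = refang(line.strip())
    if not line or line.startswith("#"):
        return None
    # With no scheme, prefix '//' so urlparse still splits host from port and path.
    url = line if "://" in line else "//" + line
    host = urlparse(url).hostname or ""
    if not host:
        return None
    try:
        return ("ip", str(ipaddress.ip_address(host)))
    except ValueError:
        return ("domain", host.lower())


def load_blacklists(files):
    """Map each IP and domain indicator to the name of the blacklist file it came from."""
    ips, domains = {}, {}
    for name, text in files.items():
        for raw in text.splitlines():
            parsed = parse_indicator(raw)
            if parsed is None:
                continue
            kind, value = parsed
            (ips if kind == "ip" else domains).setdefault(value, name)
    return ips, domains


def domain_hit(host, domains):
    """Return the blacklisted domain that host equals or sits under, else None."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_traffic(bad_list_files, traffic_files):
    """Run every log line against the blacklists; return one record per hit."""
    ips, domains = load_blacklists(bad_list_files)
    hits = []
    for fname, text in traffic_files.items():
        for lineno, line in enumerate(text.strip().splitlines(), 1):
            if not line.strip():
                continue
            for ip in sorted(set(IPV4_RE.findall(line))):
                if ip in ips:
                    hits.append({"file": fname, "line": lineno, "observed": ip,
                                 "indicator": ip, "source": ips[ip]})
            for host in sorted({m.lower() for m in DOMAIN_RE.findall(line)}):
                bad = domain_hit(host, domains)
                if bad:
                    hits.append({"file": fname, "line": lineno, "observed": host,
                                 "indicator": bad, "source": domains[bad]})
    return hits


if __name__ == "__main__":
    for hit in match_traffic(BAD_LIST_FILES, TRAFFIC_FILES):
        print(f"{hit['file']}:{hit['line']} {hit['observed']} -> "
              f"{hit['indicator']} ({hit['source']})")
```

Two hits come out of the constructed data: the 203.0.113.45 destination and the cdn.rozhan-hse.com query, the latter matched through its parent domain. The suffix walk in domain_hit is deliberate: an IOC list usually names the registered domain while logs show whatever hostname the malware resolved, and it also means a lookalike such as rozhan-hse.com.evil.example is not matched, since only suffixes of the observed host are tested. The same design cuts the other way for IP indicators: a bare address on a list will fire on every host behind that address, which is exactly the false-positive case to keep in mind before escalating a match.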
