Proactive threat intelligence

Threat intelligence providers often supply CSIRT and SOC teams with intelligence in formats that can be fed directly into their SIEM of choice. This allows those teams to enhance their detective capability with timely intelligence, helping them keep pace with current threats and increasing the probability that they will detect one or more of those threats before damage can be done.

In the MISP platform, the IOCs attached to an event can be converted into several different types of detective rules. For example, suppose an organization is concerned about ransomware and wants to enhance its detective capability. Event number 225 in the MISP platform is associated with the Locky ransomware campaign. Clicking on the event number produces the following screen:

Navigate to the left-hand column and click on Download as.... This produces the following window:

From a proactive/detective perspective, responders can export the IOCs as rules for three open source network intrusion detection systems: Suricata, Snort, and Bro. Each of these examines network traffic and compares that traffic against a defined ruleset.

Each of these tools has its own syntax for detection rules. As an example, the Snort rules will be reviewed here. Download the Snort rules associated with this event by clicking on Download Snort rules. Once the download has completed, open the file in a text editor and the various rules associated with the event can be seen:

There are a number of rules contained in this download. Examining line 14, for example, shows a rule that configures Snort to alert if there is any attempted connection over UDP port 53 to the 101otechnologies.com host. This host is, in some fashion, associated with this ransomware campaign. If this rule is incorporated, the organization would be alerted to this type of connection and be able to respond much more quickly than if it first learned of ransomware activity when a user contacts the helpdesk to report that their files have been encrypted.
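To see what such a rule actually matches before loading it into a sensor, the following added example (not code from the book or from the MISP project) parses a constructed Snort rule written in the style of a MISP hostname export and recovers the hostname from the DNS content match. The rule text, the sid value and the msg wording are assumptions; the DNS label encoding (length byte before each label, NUL terminator) is how a hostname appears in a query on UDP port 53.

```python
import re

# Constructed sample in the style of a MISP hostname-to-Snort export
# (not the real contents of the event 225 download; sid is made up).
SAMPLE_RULES = """\
# MISP export for event 225 (constructed sample)
alert udp any any -> any 53 (msg:"MISP e225 Hostname: 101otechnologies.com"; content:"|10|101otechnologies|03|com|00|"; fast_pattern; nocase; classtype:trojan-activity; sid:2250001; rev:1; priority:3;)
"""

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
# One option: `key;` or `key:value;`, where value may be a quoted string.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def dns_content_match(hostname):
    """Encode a hostname as it appears in a DNS query (length-prefixed labels,
    NUL terminator) in Snort content syntax, e.g. |10|101otechnologies|03|com|00|."""
    labels = hostname.lower().strip(".").split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


def parse_snort_rules(text):
    """Parse rule lines into dicts; comments and unparsable lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m is None:
            continue
        rule = m.groupdict()
        rule["opts"] = {k: v.strip('"') for k, v in OPTION_RE.findall(m["opts"])}
        rules.append(rule)
    return rules


def dns_hostnames(rules):
    """Map sid -> hostname for UDP/53 rules whose content match encodes a name."""
    found = {}
    for rule in rules:
        content = rule["opts"].get("content", "")
        if rule["proto"] != "udp" or rule["dport"] != "53" or not content:
            continue
        labels = re.findall(r'\|[0-9a-f]{2}\|([^|]+)', content, re.I)
        if labels and content.endswith("|00|"):
            found[rule["opts"]["sid"]] = ".".join(labels)
    return found
```

Running dns_hostnames over a whole export gives an inventory of which domains the rule set will alert on, which is useful for checking against an organization's own legitimate domains before the rules go live.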

The advantage of Snort rules is that many commercial IDS/IPS vendors can ingest them into their own proprietary platforms. This allows SOC and CSIRT personnel to load rules from various sources, enhancing their capabilities without having to maintain several different platforms.
