Episode 1: Eating Your Own Dog Food
Pure Signal Use Cases, From Team Cymru’s Security Operations Team
Introduction
Have you ever heard the phrase "eat your own dog food" - roughly translating to "use your own products"? I'll be honest with you reader, it gives me the ick. I have a dog and I've seen what he'll eat... Anyway, working in SecOps at Team Cymru is more like eating your own delicious chocolate cake. Much better, no? And here in the Pure Signal Threat Intelligence bistro, it's quite the buffet.
Gaining fast threat insights
As an amuse-bouche, our Scout threat hunting tool is a great place for us to begin. Investigating an alert from your SIEM? Just enter a URL or public IP into the Scout search bar to get started. Here we have some useful information at a glance.
For instance, in the screenshot below we can see this IP is associated with the Quasar malware family.
Even better, check if your SIEM vendor has a Team Cymru Scout integration available yet! If not, you can always code your own to interact with Scout's API (read on for more).
Expanding on initial threat insights
Now for the main course.
Scout and Recon are both excellent tools for day-to-day SecOps tasks. For example, the SecOps team is often called upon to investigate suspicious emails. These emails may include URLs or attachments that need analysis, and we may find more useful information in the headers. Scout is an excellent place to start for this kind of work because it helps us focus and get fast insights, before sinking our teeth further into our investigation.
Taking what we can quickly gain from Scout, we can pivot into Recon for more detailed information if necessary. It's good to note that Scout can look back up to 90 days but is limited to a 30-day query window to support its emphasis on speed; with Recon I can take larger bites and query across the whole available time window.
For example, to investigate attachments we can deploy Recon's malware add-on to sandbox the file (if it doesn't already exist in our extensive database of malware samples).
On a more proactive front, the SecOps team also leverages Scout and Recon for threat reconnaissance, a term we’ve coined for hunting outside your network borders. Using OSINT information gleaned from cyber news (including Dragon News Bytes - more on that later) we hunt for unusual activity involving Team Cymru public IP space.
For example, after reading about the abuse of Discord for C2 communications, we can search for comms.tag = "discord" comms.peer = "*CIDR of interest*" in Scout to identify similar traffic. If the query returns any results, we can switch to Recon for more granular information.
To avoid drinking from the fire hose, recurring and multistage workflows can be automated with some scripting and the Scout API. For example, using the /scout/search API endpoint and a query similar to the one above, we can list OST (Offensive Security Tool) tagged IPs communicating with our public IP space. Our script can then query for more information about the IPs on that list using the /scout/ips endpoint. Alternatively, we could graph the results to identify trends, as we have done with scanners.
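As an added example (not Team Cymru's own code, and not the Scout API client), the script below automates the workflow described above: it builds a comms.tag / comms.peer query of the same shape as the Discord example, runs it against /scout/search, collects the IPs returned, looks them up via /scout/ips, and tallies the tags so the result can be graphed for trends. The endpoint paths and the query syntax come from the post; the base URL, the Authorization header, the "ost" tag value, the request parameter names and the JSON response shapes are assumptions made here, and the sample responses are constructed so the example runs offline.

```python
# Added example, not Team Cymru's code. Endpoint paths (/scout/search, /scout/ips)
# and the comms.tag / comms.peer query syntax come from the post; BASE_URL, the
# Bearer header, the "ost" tag value, the parameter names and the JSON shapes
# are ASSUMPTIONS, and the sample responses below are constructed.
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, List

BASE_URL = "https://scout.cymru.com/api"  # assumed; confirm against your Scout docs
OUR_SPACE = "203.0.113.0/24"              # constructed stand-in for "our public IP space"

Fetcher = Callable[[str, Dict[str, str]], dict]


def build_query(tag: str, peer_cidr: str) -> str:
    """Same shape as the post's query: comms.tag = "discord" comms.peer = "<CIDR>"."""
    return f'comms.tag = "{tag}" comms.peer = "{peer_cidr}"'


def make_http_fetcher(api_token: str) -> Fetcher:
    """Real HTTP fetcher for a live run. Bearer auth is an assumption."""
    def fetch(url: str, params: Dict[str, str]) -> dict:
        req = urllib.request.Request(
            url + "?" + urllib.parse.urlencode(params),
            headers={"Authorization": f"Bearer {api_token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def search_ips(fetch: Fetcher, query: str) -> List[str]:
    """Step 1: /scout/search -> de-duplicated, sorted list of matching IPs.
    Assumed response shape: {"ips": [{"ip": "..."}, ...]}."""
    data = fetch(f"{BASE_URL}/scout/search", {"query": query})
    return sorted({entry["ip"] for entry in data.get("ips", [])})


def ip_details(fetch: Fetcher, ips: List[str]) -> Dict[str, dict]:
    """Step 2: /scout/ips for the listed IPs, keyed by IP.
    Assumed response shape: {"ips": [{"ip": "...", "asn": ..., "tags": [...]}]}."""
    if not ips:
        return {}
    data = fetch(f"{BASE_URL}/scout/ips", {"ips": ",".join(ips)})
    return {entry["ip"]: entry for entry in data.get("ips", [])}


def tag_trend(details: Dict[str, dict]) -> Counter:
    """Step 3: count how many IPs carry each tag; feed this to your plotting tool."""
    return Counter(tag for entry in details.values() for tag in entry.get("tags", []))


def hunt(fetch: Fetcher, tag: str = "ost", peer_cidr: str = OUR_SPACE) -> dict:
    """Run the whole multistage workflow and return everything a report needs."""
    query = build_query(tag, peer_cidr)
    ips = search_ips(fetch, query)
    details = ip_details(fetch, ips)
    return {"query": query, "ips": ips, "details": details, "trend": tag_trend(details)}


# Constructed sample responses so the example runs offline without an API key.
SAMPLE_SEARCH = {"ips": [{"ip": "198.51.100.7"}, {"ip": "198.51.100.9"}, {"ip": "198.51.100.7"}]}
SAMPLE_DETAILS = {"ips": [
    {"ip": "198.51.100.7", "asn": 64496, "tags": ["ost", "scanner"]},
    {"ip": "198.51.100.9", "asn": 64497, "tags": ["ost"]},
]}


def fake_fetch(url: str, params: Dict[str, str]) -> dict:
    """Stand-in for the HTTP fetcher; dispatches on the endpoint path."""
    if url.endswith("/scout/search"):
        return SAMPLE_SEARCH
    if url.endswith("/scout/ips"):
        return SAMPLE_DETAILS
    raise ValueError(f"unexpected endpoint: {url}")


if __name__ == "__main__":
    result = hunt(fake_fetch)  # swap in make_http_fetcher("<your token>") for a live run
    print(result["query"])
    for ip in result["ips"]:
        print(ip, result["details"][ip]["tags"])
    print(dict(result["trend"]))
```

The fetcher is injected so the same pipeline runs against constructed data in a unit test and against the live API in a scheduled job; the `trend` counter is what you would hand to a plotting library to chart tag counts over successive runs.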
Icing on the cake
Let's finish with something sweet. Team Cymru offers a wealth of no-cost Community Services for network operators and ISPs, and others are open to everyone; I use them all the time.
Our curated cybersecurity news mailing list, Dragon News Bytes (DNB) is an excellent resource for tracking down articles with IoCs. I’m often alerted to threats I was unaware of, which makes me want to investigate and establish if Team Cymru, or one of our suppliers, is potentially going to be impacted.
I think a lot of people don’t know about our malware utility, Malware Hash Registry (MHR). It’s a neat way to enhance your malware analysis workflows without the complexity of adding multiple AV scanners. You can read more and sign up here.
Don’t forget to check out the full menu of our free-to-use Community Services here.
Conclusion
And there you have it. Remember, you don't have to work for Team Cymru to get access to all these brilliant tools (and more!).
This is the first post in the series, so I hope you enjoyed your first taste of things to come. Sign up for our newsletter so you don't miss the next blog!