Blog post

A Tactical Netsec Threat Intelligence Exercise

By Matthew Wollenweber | October 01, 2015 | 0 Comments

Threat intelligence is a hot topic in infosec, but what “threat intel” means is variable and its appropriateness for any given organization is unclear. Anton argues “threat intel doesn’t help people who don’t help themselves.” The best way to determine readiness is to work through a basic use case.

One of the most rudimentary netsec monitoring tools is netflow. In this exercise, I’ll use SiLK (a free and awesome netflow toolkit) and the Emerging Threats (ET) blocklist to find suspicious traffic. I made these choices because the tools and data are free and publicly available, but any netflow tool and blocklist should work in a similar manner. If you have a SIEM, there’s a good chance a lot of this work is automated in a nice web portal.


#Get the list
wget https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

#convert the list into a format that SiLK can use
rwsetbuild emerging-Block-IPs.txt emerging-Block-IPs.set

#find netflows between your network and the blocklist
rwfilter --class=all --proto=0-255 --start-date=2015/09/01 --anyset=et.set --pass=stdout | rwcut --fields=1-4,6,7

sIP| dIP|sPort|dPort| packets| bytes|
199.203.59.117| 10.43.101.44|26600| 80| 1| 62|199.203.59.117| 10.42.26.14|26600| 80| 1| 62|
199.203.59.117| 10.43.54.54|26600| 80| 1| 66|
199.203.59.118| 10.42.127.11|32951| 80| 1| 62|
199.203.59.121| 10.43.64.26| 3714| 22| 2| 58|66.240.236.33|10.42.248.179| 443|53714| 3| 24|
66.240.236.33|10.42.248.179| 443|53698| 3| 251|
66.240.236.33|10.42.248.179| 443|53706| 2| 132|
66.240.236.33|10.42.248.179| 443|53703| 5| 694|
103.230.146.212| 128.164.80.136|37006| 25| 2| 74|
199.203.59.121| 161.253.28.61| 3714| 22| 1| 4|
199.203.59.121| 161.253.64.26| 3714| 22| 2| 58|
193.105.134.220|161.253.123.170|48399| 8080| 3| 120|
193.105.134.220| 161.253.53.232|48399| 8080| 1| 60|


Any traffic involving a blocklist is suspicious, but if you have a large network getting scanned is inevitable. The more important check is if your network sent data back to the malicious host. To check that we follow up and alter the command to only check for matches with the blocklist as the destination:

#Filter only on ET destination hosts
rwfilter --class=all --proto=0-255 --start-date=2015/09/01 --dipset=et.set --pass=stdout | rwcut --fields=1-4,6,7

In this case, there are no callbacks or traffic sent back to the malicious hosts and we can probably relax a little. This is a nice exercise for several reasons. First, the tools and data are free and it’s an easy way to find suspicious traffic. Second, if you’re considering paying for a threat intelligence feed, you should know that you can use the data before you start paying. IP addresses are one of the most basic and common indicators shared via threat intel. This exercise can help you verify that your organization is ready and begin to define a threat intelligence strategy.

Leave a Comment