Threat Level: green Handler on Duty: Lorna Hutcheson

SANS ISC: Internet Storm Center

Are Your Hunting Rules Still Working?

Published: 2018-06-21
Last Updated: 2018-06-21 12:00:04 UTC
by Xavier Mertens (Version: 1)

You are working in an organization that has implemented good security practices: log events are collected, then indexed by a nice, powerful tool. The next step is usually to enrich this (huge) amount of data with external sources. You collect IOCs, you get feeds from OSINT. Good! You start to create many reports and rules to be notified when something weird is happening. Everybody agrees that receiving too many alerts is bad and that people won't pay attention to them if they are constantly flooded. So, you fine-tuned your rules to get a correct amount of alerts with a low (read: acceptable) rate of false positives. But are your rules still relevant and properly implemented? Is it normal to never get a notification?

In physical security, it is mandatory to perform a regular test of fire alarms in big buildings. Here, in Belgium, it is usually scheduled at noon every first Thursday of the month. And what about infosec? I met a C-level who was always asking:

"Hey Guys, anything suspicious detected on our infrastructure?"
"Nothing special, we are fine!"
"Hmmm, maybe I should be scared of this answer!"

As our infrastructures are changing quickly, it could be a good idea to implement the same kind of regular check-up to trigger your hunting rules. If you are looking for suspicious DNS traffic, schedule a monthly DNS resolution of a pre-defined FQDN. It must trigger your rule. If it does not, you're in trouble and you may be missing real suspicious traffic.
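One way to automate the check-up described above, as an added example (not code from the diary): it resolves one pre-defined FQDN per hunting rule, then reports every rule that produced no alert for its canary within a time window. The rule names, FQDNs and JSON alert fields (`time`, `rule`, `query`) are assumptions, and the alert records are constructed sample data.

```python
import json
import socket
from datetime import datetime, timedelta, timezone

# Hypothetical canary registry: hunting rule name -> pre-defined test FQDN.
CANARIES = {
    "dns-suspicious-domain": "canary-dns.example.com",
    "dns-dga-pattern": "xkqzvbnwtrplmh.example.net",
}

def fire_canary(fqdn, resolve=socket.gethostbyname):
    """Send the DNS query the rule should catch and return the trigger time.
    A failed lookup is fine: the query still reached the monitored resolver."""
    fired_at = datetime.now(timezone.utc)
    try:
        resolve(fqdn)
    except OSError:
        pass
    return fired_at

def silent_rules(fired, alert_lines, window=timedelta(minutes=15)):
    """Return the rules whose canary raised no alert within `window`.
    `fired` maps rule -> trigger time; `alert_lines` are JSON alert records
    (assumed export format of the log platform)."""
    seen = set()
    for line in alert_lines:
        try:
            alert = json.loads(line)
            rule, query = alert["rule"], alert["query"]
            when = datetime.fromisoformat(alert["time"])
            start = fired[rule]
            hit = query == CANARIES[rule] and start <= when <= start + window
        except (ValueError, KeyError, TypeError):
            continue  # malformed or unrelated record proves nothing
        if hit:
            seen.add(rule)
    return sorted(set(fired) - seen)

# Constructed sample data: one fresh alert, one stale alert, one broken line.
T0 = datetime(2018, 6, 7, 10, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    '{"time": "2018-06-07T10:02:11+00:00", "rule": "dns-suspicious-domain", "query": "canary-dns.example.com"}',
    '{"time": "2018-06-06T09:00:00+00:00", "rule": "dns-dga-pattern", "query": "xkqzvbnwtrplmh.example.net"}',
    "not json",
]

if __name__ == "__main__":
    fired = {rule: fire_canary(fqdn) for rule, fqdn in CANARIES.items()}
    print("silent rules:", silent_rules(fired, SAMPLE_ALERTS))
```

An alert only counts when it matches the canary FQDN and falls inside the window after the trigger, so an old alert from a previous test cannot hide a rule that has since stopped working.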

We hate to be flooded with false positives, but never getting one is even more suspicious! And it keeps your security analysts awake!

Did you implement such controls? Feel free to share!

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant