Anatomy of a Threat Hunt with Splunk Enterprise Security and Splunk SOAR

Posted: 9th January 2023
By: Meghan McGowan

Find out more about integrating Recorded Future with the SIEM and SOAR tools your security teams are already using. See our on-demand webinar titled Expect More From Your Threat Intelligence with Splunk Enterprise Security and Splunk SOAR.

How do your organization’s security analysts track down and address cyber and physical threats? Is it primarily a manual process involving web research and detection against a flat risk list? Or have you progressed to automated detection based on intelligence and robust context? This post picks up from our article titled “Expect More from Your Intelligence — Starting with Context.” Read on to follow the workflow of a threat hunt using Splunk Enterprise Security and Splunk SOAR, integrated with threat intelligence from Recorded Future. You’ll see the difference that intelligence makes in hunting for threats in each of the main areas of security: Monitoring, Integrating, and Analyzing.

Monitoring: Detecting relevant threats to your organization

Of the numerous kinds of possible attacks, which ones are relevant, given your business and environment? Since you can’t send your security teams down every rabbit hole, monitoring is the process of collecting observations and checking them for the specific threat indicators that are relevant to you. In checking these observations, this workflow uses Technical Links, which are high-confidence, evidence-based threats linked in a meaningful way. Recorded Future summarizes Technical Links from sources of fine-grained technical intelligence, as shown below.

Anatomy of a Threat Hunt 001.png

Recorded Future validates Technical Links by analyzing multiple categories of threat intelligence findings, including the following:

  • Network Traffic — Based on midpoint traffic data on the internet among threat actors, malicious infrastructure, and victims.
  • Malware — Based on file samples, including executable files and documents. Most input samples are sourced from automated data collection and partner data collection. Some samples are uploaded by analysts using Recorded Future’s community-only sandbox. Analysis methods include static file analysis, sandbox execution, and detailed research analysis of code, memory, and sample behavior.
  • Infrastructure Analysis — Based on specific internet infrastructures, such as IP addresses, domains, and URLs. Data collection methods include broad and targeted scanning, and receiving inbound traffic (honeypots, etc.). Analysis methods include pattern-based detections. Recorded Future Intelligence Cards consolidate these findings into Technical Links that provide insights on related threats. They connect the who and the how across hashes (files), malware, malware signatures, MITRE ATT&CK identifiers, internet domain names, IP addresses, network ports, network protocols, URLs, and cyber vulnerabilities (CVEs).

Integrating: Automating triage and initial decision-making

Next, integrate the intelligence and context with your organization’s security tools: in this case, security information and event management (SIEM) tools and security orchestration, automation and response (SOAR) tools. The goal is to replace manual efforts with automatic enrichment of indicators and faster incident response using tools that your security teams already know. To illustrate the anatomy of a threat hunt, we’ll describe the integration between Recorded Future’s Threat Intelligence module and Splunk Enterprise Security. In this example, a company’s security team uses the Recorded Future integration with Splunk Enterprise Security to correlate their own internal telemetry and logs against indicators of compromise (IOCs) that Recorded Future sees as high risk, thus creating a notable event in Splunk Enterprise Security. Through this correlation, the security team is able to identify potentially malicious activity in their own logs that they may have otherwise missed. The integration also automates the process of enriching IOCs with additional context from Recorded Future, including risk score, triggered risk rules and evidence ranked from Unusual to Very Malicious:

Anatomy of a Threat Hunt 002.png

Based on the risk score of 96 assigned by Recorded Future, the analyst at this company sends the notable event to Splunk SOAR to leverage Splunk’s Adaptive Response framework to kick off automated playbooks.

Analyzing: Operationalizing threat intelligence to hunt for malicious activity and exposure

In this example, the company’s security teams have created a Splunk SOAR playbook to hunt for threats to the organization based on the previous notable event that was triggered, leveraging context and Technical Links from Recorded Future to make automatic downstream decisions based on intelligence. The playbook incorporates the intelligence and risk score from Recorded Future and weighs them in a decision block

Since the risk score of 96 falls above the threshold the company has specified, the next step in the playbook is to build lookup table files of all the linked entities, identified through research, including technical sources and findings from Insikt Group, Recorded Future’s threat intelligence research arm.

Anatomy of a Threat Hunt 003.png

Splunk SOAR can then search the company’s Splunk environment for any entities occurring in that lookup table. This step automates the actual hunt by scanning lists, such as firewall logs, for indicators of a threat:

Anatomy of a Threat Hunt 004.png

If the security teams identify a relevant threat in the environment, Splunk SOAR prompts them with an automated response. Options include adding the IP address to a block list, updating the severity rating of the Splunk SOAR event, and adding a note to the event for future context and research:

Anatomy of a Threat Hunt 005.png

Finally, Splunk SOAR uses a template to generate a notification about the threat:

Anatomy of a Threat Hunt 006.png

The notification summarizes and incorporates the intelligence from Recorded Future, including IP address, risk score and linked entities. Splunk SOAR can convey the notification to your threat hunting teams and security operations center (SOC) via email and/or your ticketing platform.

Next step

This example of monitoring, integrating, and analyzing shows how defenders can unlock the full potential of their data and threat intelligence. Recorded Future enables users to:

  • Automate triage of security events with enough context to make informed decisions
  • Identify relevant threats in an environment
  • Improve threat intelligence strategy by hunting for threats instead of reacting to them