Heads Up! A Phishing Attack Early Warning System

February 21, 2018 | David Greenwood

You're probably familiar with Anomali's Threat Bulletins. If not, go and have a read of our most recent one covering "TODO." Threat Bulletins provide information about an event to derive information detailing the tactics, techniques, and procedures used by the attacker. This helps you to create profiles of the actors or groups and find new attacks with their associated indicators. All these efforts can be leveraged together to help make better decisions on how to protect your network should adversaries turn their attention to you.

Threat Bulletins can be viewed in a number of ways; via the ThreatStream user interface, downloadable PDFs, or through our Anomali ThreatStream Splunk App.

Earlier this month I spoke to a customer who are heavy users of our Splunk App and were noticing a lot of phishing attempts on their employees. Using the Anomali Splunk App, they were able to see that their email logs regularly matched known phishing threat indicators.

In addition to educating their staff, "DO NOT click on links in emails," and using the Anomali Splunk App they also wanted advanced warning about future phishing attempts in their threat workflow -- predominantly Splunk's Enterprise Security Incident Review dashboard.

As users of the Anomali Splunk App they were already consuming Threat Bulletins into Splunk, so it was just a case of integrating them into ES. Why add them into ES? Splunk's ES Incident Review dashboard was a first-line for their SecOps team, displayed on a big screen in their SOC. Therefore, adding Threat Bulletins to appear in this view meant they would see them immediately and take prompt action when needed. To do this we created Notable Events from Threat Bulletins related to phishing campaigns.

The setup was relatively easy. In fact, I covered the steps in a previous post examining how you could create Splunk ES Correlation Searches and Notable events. Without going over all the steps again, replace the necessary steps "Building a Correlation Search" and "Add Notable Event Action" with the configuration below. Once created you'll start to see Threat Bulletins appear as Notable Events in ES.

Building a Correlation Search

Search Name: Phishing Email Threat Bulletin
Application Context: Enterprise Security
Dispatch Context: Enterprise Security
Description: Phishing Email Threat Bulletins
Search: | inputlookup tm_tipreport where name=\[Email\]* | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | table _time, id, name, link
Time Range Earliest: -2h@h
Time Range Latest: -1h@h
Cron Schedule: 45 * * * *
Scheduling: Continuous
Window duration: 600s

Note the key part of the search; "| inputlookup tm_tipreport where name=\[Email\]*", where the search limits results to Threat Bulletins whose name contains the word "Email". You can modify this text search as needed.

Add Notable Event Action

I've added some default configuration settings, such as severity, for the Notable Event. All of this can be amended, if required:

Title: Phishing Email Bulletin: $name$
Description: Anomali Threat Bulletin
Security Domain: Threat
Threat Severity: high
Default Owner: (leave as system default)
Default Status: (leave as system default)
Drill-down name: search bulletin $name$
Drill-down search: | inputlookup tm_tipreport where id=$id$
Drill-down earliest offset: $info_min_time$
Drill-down latest offset: $info_max_time$

What next?

In this post and my last I've given some example searches of how to use Anomali's threat intelligence inside of Splunk's Enterprise Security app. If you're feeling brave; why not create your own? You can start with small changes to my examples, perhaps instead of monitoring phishing email Threat Bulletins, you could monitor for Threat Bulletins that have "Malware" in their name.

Alternatively, start creating or customising your own dashboards in the Anomali ThreatStream Splunk app using Splunk's flexible user interface options

Not an Anomali ThreatStream Splunk App user yet? Hear more about why so many of our customers are using it...

David Greenwood
About the Author

David Greenwood

David is a Product Manager at Anomali. He's responsible for developing and executing strategy for integrations to and from the ThreatStream platform, working closely with Anomali customers to help them realize the value that threat intelligence can deliver to their business.

Get the latest threat intelligence news in your email.