Detecting Infected Hosts Using Splunk & ZeroFox Botnet Threat Intelligence Feeds 


Finding botnet or infostealer malware on a host can be challenging, and security teams often lean on the latest threat intelligence feeds as their detection mechanism: for example, checking whether a host in your network is communicating with an IP address tied to a known Command and Control (C2) node, or querying for the file hashes of an infostealer such as RedLine. On their own, however, these methods of detection are not enough.

Using low-level IOCs may not be enough

In 2013, cybersecurity researcher David Bianco proposed the “Pyramid of Pain” as a conceptual model for using Cyber Threat Intelligence in threat detection. Indicators of Compromise (IOCs) such as hashes and IP addresses sit at the bottom of the Pyramid of Pain, as shown in Figure 1 below, because changing them to evade detection costs a threat actor almost nothing. With a minimal change, a malicious file gets a new hash. Likewise, a threat actor can swap the IP address of a C2 node by putting a proxy in front of it or spinning up a new server. The further up the pyramid an indicator sits (tools, and ultimately tactics, techniques and procedures), the more it costs the adversary to change.

Figure 1 – Pyramid of Pain with Hash Values and IP Addresses at the bottom

Many organizations and individuals have devices infected by malware daily. In 2022 alone, ZeroFox collected IP addresses for over 3 million infected hosts. Once a device is infected, your organization and its data are at risk. Threat actors can remotely control your device or capture sensitive data, like account credentials, through information stealers. With this access, threat actors can exploit your network further. Having automated detection serves as an early warning and can help you take remedial action before more damage is done.

Shortcomings of current botnet detection methods

There is a huge shortage of cybersecurity professionals, which makes detecting and responding to evolving threats increasingly difficult. Recently, NIST and NICE published an infographic showing a shortage of more than 2.7 million cybersecurity professionals. Less than 3% of survey respondents believe a new hire would be proficient in one year or less. These stats indicate this problem is widespread and will continue to be a concern for years to come. 

This is where automation really pays off for CISOs. Skilled workers should be removed from queue-watching as much as possible to focus on tasks requiring critical thinking or higher-level skills. This can be achieved with automated tools discussed below. Automation paired with more proactive measures will allow teams to be more effective in thwarting cyber threats. 

Most security teams only realize they have been breached when something turns up on the deep or dark web. That information is still valid, but having parsed infostealer logs (the credentials, cookies and host details exfiltrated from infected machines) lets an organization detect the compromise and react sooner. In other words, you can find out you’re compromised before it is broadly advertised on the deep and dark web.

Using automation to increase your odds of detection

Pushing all log and event data through an automated Security Information and Event Management (SIEM) solution helps create a single pane of glass for security teams. Not all events flowing into your SIEM require human touch. There are some security actions such as blocking network traffic, notifying a system admin, or disabling a user that can be automated via a Security Orchestration, Automation, and Response (SOAR) platform. Splunk is one of many vendors offering these solutions to organizations, helping them scale their security teams. Using these tools in conjunction with a Threat Intelligence feed can help add context to events and allow for more confidence in automated actions or remediation. 

With ZeroFox’s Botnet Threat Intelligence Feed, you can cross-reference the infected-host IP addresses it reports against your own network ranges and generate an alert in your SIEM. From there, events can be escalated and the Digital Forensics and Incident Response (DFIR) workflow kicked off automatically by a SOAR solution, even if that only means opening a ticket for the appropriate team. The IP addresses in ZeroFox’s Botnet feed are not attacker infrastructure: they are the victims’ own addresses, taken from the infostealer data ZeroFox collects. A threat actor therefore cannot evade this detection by rotating a hash or a C2 address, because the indicator being matched is one they do not control. The match is most reliable when your public IP space is static and not shared. Behind NAT, carrier-grade NAT, a VPN concentrator or any shared egress, one public address can represent many internal hosts, so a feed hit identifies your organization but not yet the machine; in that case pair the feed’s timestamp with NAT, DHCP or firewall session logs to attribute the hit to an internal host, and treat a public address you cannot attribute as a lead to investigate rather than a confirmed infection. Following the steps below, you can integrate ZeroFox’s Botnet feed into your Splunk SIEM instance to detect compromise earlier.

Here is what you’ll need:

  • Access to the ZeroFox Platform and Threat Intelligence Feeds
  • Access to Splunk Cloud or Splunk Enterprise
    • In the example below, I will demonstrate how to use Splunk Cloud

Step 1: Install the ZeroFox app

  • After logging in to your Splunk Cloud instance, click “+ Find More Apps” to browse all Splunk Apps.
  • Search for “ZeroFox” and select the “ZeroFox Data Connector”
Figure 2 – ZeroFox Data Connector App
  • Install the App. Once it is installed, click “Open the App”

Step 2: Add your ZeroFox account

  • Within the ZeroFox Data Connector App, click on “Configuration”
  • Click “Add” to add a ZeroFox account
    • Account name: a unique name for this account (e.g. zf_cti_user)
    • Username: your ZeroFox platform username
    • Password: the Personal Access Token from the Data Connectors page of the ZeroFox Platform (not your platform password)
Figure 3 – Adding an account to the ZeroFox Data Connectors App in Splunk Cloud

Step 3: Add ZeroFox Botnet Feed as an input

  • Finally, click the “Inputs” tab in the App, click the “Create New Input” button, then choose “ZeroFox Botnet Feed”
    • Name: a recognizable name for the data (e.g. zf_botnet_feed)
    • Interval: 3600 seconds (one hour), as recommended by ZeroFox
    • Index: the index the events should go to; most likely the default index
    • Global Account: the account you added in Step 2

Step 4: Search through botnet data and/or set an alert

  • ZeroFox Botnet data is now flowing into your Splunk instance. Search it for the public IP addresses (or CIDR ranges) of your network to see whether any of them appear as infected hosts.
    • You can also turn that search into a scheduled alert, or feed it into your usual runbook for events requiring escalation.
Figure 4 – Searching for IP address in ZeroFox Botnet Feed on Splunk Cloud
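The detection logic described above (cross-referencing the victim IPs in the feed against your own public ranges, then attributing a hit to an internal host via NAT session logs, as the caveat on shared and dynamic address space calls for) is small enough to show end to end. The block below is an added example written for this article, not ZeroFox’s connector code or Splunk output. The feed field names (`ip`, `malware_family`, `observed_at`), the NAT log line format, the organization’s address ranges and the 15-minute attribution window are all assumptions constructed for the example; substitute the fields your connector actually emits and your own egress ranges. In Splunk itself the same logic is a search over the feed index filtered with `cidrmatch` against a lookup of your ranges, followed by a join on your NAT or firewall logs.

```python
"""Cross-reference a botnet victim-IP feed against our public IP space and
attribute each hit to an internal host using NAT session logs.

Added example; all sample data below is constructed, not real feed output.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed: the organization's public/egress address space (RFC 5737 test ranges here).
ORG_PUBLIC_RANGES = ["203.0.113.0/24", "192.0.2.0/25"]

# Constructed feed records; field names are an assumption, not ZeroFox's schema.
SAMPLE_FEED: List[Dict[str, str]] = [
    {"ip": "203.0.113.45",  "malware_family": "redline", "observed_at": "2023-02-14T09:12:00Z"},
    {"ip": "203.0.113.200", "malware_family": "raccoon", "observed_at": "2023-02-14T11:00:00Z"},
    {"ip": "198.51.100.7",  "malware_family": "vidar",   "observed_at": "2023-02-14T12:30:00Z"},  # not our space
    {"ip": "203.0.113.45",  "malware_family": "redline", "observed_at": "2023-02-14T15:00:00Z"},  # no NAT session
    {"ip": "not-an-ip",     "malware_family": "redline", "observed_at": "2023-02-14T15:00:00Z"},  # malformed
]

# Constructed NAT/firewall session log: start, internal src, translated src, end.
SAMPLE_NAT_LOG = [
    "2023-02-14T09:05:00Z src=10.1.4.22 nat_src=203.0.113.45 end=2023-02-14T09:20:00Z",
    "2023-02-14T10:58:00Z src=10.1.7.9 nat_src=203.0.113.200 end=2023-02-14T11:30:00Z",
    "2023-02-14T10:59:00Z src=10.1.7.10 nat_src=203.0.113.200 end=2023-02-14T11:05:00Z",  # shares egress
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


@dataclass
class NatSession:
    internal_ip: str
    public_ip: str
    start: datetime
    end: datetime


@dataclass
class Alert:
    victim_ip: str
    malware_family: str
    observed_at: str
    internal_hosts: List[str] = field(default_factory=list)
    confidence: str = "unattributed"  # "high" | "ambiguous" | "unattributed"


def in_org_ranges(ip: str, ranges: List[str]) -> bool:
    """True only if `ip` parses and falls inside one of our public ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed feed entry: never match, never crash the job
        return False
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def parse_nat_log(lines: List[str]) -> List[NatSession]:
    sessions = []
    for line in lines:
        start_s, *kv = line.split()
        f = dict(pair.split("=", 1) for pair in kv)
        sessions.append(NatSession(f["src"], f["nat_src"], parse_ts(start_s), parse_ts(f["end"])))
    return sessions


def attribute(public_ip: str, observed_at: datetime, sessions: List[NatSession],
              slack: timedelta = timedelta(minutes=15)) -> List[str]:
    """Internal hosts that were using `public_ip` around `observed_at`.
    `slack` (assumed value) widens the window because a feed timestamp is
    when the stealer log was collected, not necessarily when the host was active."""
    hosts: List[str] = []
    for s in sessions:
        if s.public_ip == public_ip and s.start - slack <= observed_at <= s.end + slack:
            if s.internal_ip not in hosts:
                hosts.append(s.internal_ip)
    return hosts


def detect(feed: List[Dict[str, str]], ranges: List[str], nat_lines: List[str],
           slack: timedelta = timedelta(minutes=15)) -> List[Alert]:
    """Return one Alert per feed record whose victim IP is in our address space."""
    sessions = parse_nat_log(nat_lines)
    alerts: List[Alert] = []
    for rec in feed:
        ip = rec.get("ip", "")
        if not in_org_ranges(ip, ranges):
            continue  # someone else's victim, or garbage
        hosts = attribute(ip, parse_ts(rec["observed_at"]), sessions, slack)
        conf = "high" if len(hosts) == 1 else ("ambiguous" if hosts else "unattributed")
        alerts.append(Alert(ip, rec["malware_family"], rec["observed_at"], hosts, conf))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FEED, ORG_PUBLIC_RANGES, SAMPLE_NAT_LOG):
        print(f"{a.confidence:12} {a.victim_ip:15} {a.malware_family:8} hosts={a.internal_hosts}")
```

Three outcomes are worth routing differently in a SOAR playbook: a single attributed host can go straight to the endpoint isolation and credential-reset runbook; an ambiguous hit (several hosts behind the same egress during the window) needs an analyst to pick the host from EDR or proxy logs before any automated action; and an unattributed hit still proves that something in your address space was infected and should open a ticket rather than be dropped.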

Benefits of automating detection of infected hosts

By using automated tools like Splunk SIEM and ZeroFox Threat Intelligence Feeds, you can detect threats sooner to begin remediation. In the use case outlined above this means knowing a device is compromised potentially before it’s disclosed on the dark web or on a paste site. Automation brings critical events such as this to the forefront. 

Even if the host has been compromised and infected with malware, there is an opportunity to mitigate the risk by performing efficient incident response. On the other hand, if your network access and high-value credentials are sold to another party, your organization could be exploited and garner itself some very unwanted attention. 

Don’t let lack of resources deter you 

ZeroFox built this integration to reduce the operational burden, and the skills gap, involved in bringing Threat Intelligence Feeds into your Splunk security stack. Following the steps outlined in this blog, you can get started quickly and improve your chances of detecting infected hosts on your network and across your attack surface.

Learn more about this integration and how to take the next steps here.
