We had the pleasure of meeting with fellow Splunk enthusiasts to talk Risk-Based Alerting (RBA) as well as security in general. We wanted to share the detection and prevention quick wins we covered, and thought this would be a good place to keep them so they can be referenced at any time. These are meant to be ideas and are designed to be approachable, but they may need adjustments to fit your environment.
Detection
Outside IP Determination - Web Traffic
This is a technique attackers use to learn what external (public) IP address a compromised computer has. The search below takes a lookup of known websites that report the caller's public IP address and finds any systems connecting to them, leveraging the Web data model in Splunk ES. You can easily modify it to fit whatever web traffic data you have.
Search:
| tstats `summariesonly` count as connection_count, max(_time) as event_time
from datamodel=Web
where
[| inputlookup outside_ip_determination.csv
| fields url
| eval url=url."*"
| rename url as Web.url]
by Web.user, Web.url, Web.src, sourcetype
| `drop_dm_object_name("Web")`
Contents of outside_ip_determination.csv:
url
ip-api.com
ipinfo.io
freegeoip.net
IP-info.org
tracemyip.org
curlmyip.com
ifconfig.co
icanhazip.com
api.ipify.org
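The same detection logic, as an added example that is not part of the original post and does not use Splunk: it loads the lookup above, runs a few constructed proxy log lines through it, and aggregates connection_count and the latest event_time by user, url and src, the way the tstats search does. One difference, stated deliberately: instead of the search's prefix wildcard on Web.url, this matches the URL's hostname (and any subdomain of a lookup entry), so full URLs that start with a scheme still match. The log format (timestamp, user, src, url, space-separated) and the load_lookup/detect function names are assumptions for this example.

```python
import csv
import io
from datetime import datetime
from urllib.parse import urlparse

# Stand-in for outside_ip_determination.csv, with the same entries as the post's lookup.
LOOKUP_CSV = """url
ip-api.com
ipinfo.io
freegeoip.net
IP-info.org
tracemyip.org
curlmyip.com
ifconfig.co
icanhazip.com
api.ipify.org
"""

# Constructed proxy log lines (not real data). Assumed layout: timestamp user src url
PROXY_LOG = """2024-03-01T10:00:01Z alice 10.0.0.5 https://api.ipify.org/?format=json
2024-03-01T10:00:02Z alice 10.0.0.5 https://api.ipify.org/?format=json
2024-03-01T10:05:00Z bob 10.0.0.9 https://www.example.com/index.html
2024-03-01T10:07:30Z carol 10.0.0.12 http://ip-api.com/json/
2024-03-01T10:09:00Z bob 10.0.0.9 https://icanhazip.com/
2024-03-01T10:09:05Z bob 10.0.0.9 https://ipinfo.io/json
"""


def load_lookup(csv_text):
    """Read the 'url' column of the lookup into a lower-cased set of hostnames."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["url"].strip().lower() for row in reader if row["url"].strip()}


def host_matches(url, lookup):
    """True if the URL's hostname is a lookup entry or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == entry or host.endswith("." + entry) for entry in lookup)


def detect(log_text, lookup):
    """Mirror the tstats search: count matching connections and keep the latest
    timestamp, grouped by (user, url, src)."""
    agg = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, url = line.split(None, 3)
        if not host_matches(url, lookup):
            continue
        event_time = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        key = (user, url, src)
        count, latest = agg.get(key, (0, None))
        latest = event_time if latest is None else max(latest, event_time)
        agg[key] = (count + 1, latest)
    return [
        {"user": u, "url": url, "src": s,
         "connection_count": c, "event_time": t.isoformat()}
        for (u, url, s), (c, t) in sorted(agg.items())
    ]


if __name__ == "__main__":
    for row in detect(PROXY_LOG, load_lookup(LOOKUP_CSV)):
        print(row)
```

Running it prints four rows: alice's two hits to api.ipify.org collapse into one row with connection_count 2, bob's visit to example.com is ignored, and bob's two different services show up as separate rows, which is the same shape the SPL search returns. If your Web data model stores only the URL path rather than the full URL, keep the post's prefix wildcard instead of hostname matching.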
Prevention
SANS IP Blocklist - Network Traffic
The idea of using a blocklist on a firewall is not new, but it continues to be effective at reducing the burden your other security controls have to face. In some environments I have seen Intrusion Detection hits from external IP addresses be reduced 60-70% by simply configuring the DShield top 20 blocklist at the firewall. The ripple effect also means fewer alerts for your SOC.
DShield blocklist: https://feeds.dshield.org/block.txt
Below is a post specific to implementing the DShield list with Palo Alto, but if you have another platform I hope it helps you see how it works:
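Before handing the list to a firewall it is worth checking what you are about to block. The following is an added example (not from the original post or from DShield) that parses a constructed sample in the layout of block.txt, turns each row into a CIDR, refuses to block any range you mark as your own, and shows how many constructed IDS hits would have been dropped at the perimeter. The column layout (tab-separated Start, End, Netmask, Attacks, Name, Country, email, with '#' comment lines) is an assumption taken from the feed's header; verify it against the live file. The sample networks and IDS hits are made up.

```python
import ipaddress

# Constructed sample in the assumed layout of feeds.dshield.org/block.txt.
# Assumed columns: Start, End, Netmask, Attacks, Name, Country, email (tab-separated).
SAMPLE_FEED = """#   DShield.org Recommended Block List
#   (constructed sample for this example, not the live feed)
#    Start       End        Netmask   Attacks   Name    Country    email
192.0.2.0\t192.0.2.255\t24\t1250\tExample-Net-1\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t980\tExample-Net-2\tXX\tabuse@example.org
203.0.113.0\t203.0.113.255\t24\t640\tExample-Net-3\tXX\t
10.20.0.0\t10.20.0.255\t24\t500\tShould-Never-Appear\tXX\t
"""

# Constructed IDS hits: (source IP, signature). Not real data.
IDS_HITS = [
    ("192.0.2.15", "port scan"),
    ("198.51.100.200", "ssh brute force"),
    ("8.8.8.8", "dns anomaly"),
    ("203.0.113.77", "port scan"),
    ("93.184.216.34", "web probe"),
]


def parse_block_list(text, never_block=()):
    """Return ip_network objects for each data row of a block.txt-style feed.

    Comment lines, malformed rows, rows whose End column disagrees with the
    Start/Netmask pair, and anything overlapping never_block are skipped, so a
    bad feed line cannot silently block your own address space."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        start, end, masklen = fields[0], fields[1], fields[2]
        try:
            net = ipaddress.ip_network(f"{start}/{masklen}", strict=False)
            end_addr = ipaddress.ip_address(end)
        except ValueError:
            continue
        if end_addr != net.broadcast_address:
            continue  # Start/End/Netmask are inconsistent; do not trust the row
        if any(net.overlaps(p) for p in protected):
            continue  # never push your own ranges to a deny list
        networks.append(net)
    return networks


def to_cidr_lines(networks):
    """One CIDR per line, the form most firewall address objects or EDLs accept."""
    return [str(n) for n in networks]


def is_blocked(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def remaining_hits(events, networks):
    """IDS hits that would still reach the sensor once the blocklist is in place."""
    return [e for e in events if not is_blocked(e[0], networks)]


if __name__ == "__main__":
    nets = parse_block_list(SAMPLE_FEED, never_block=["10.0.0.0/8"])
    print("\n".join(to_cidr_lines(nets)))
    left = remaining_hits(IDS_HITS, nets)
    print(f"{len(IDS_HITS) - len(left)} of {len(IDS_HITS)} sample hits would be blocked")
```

The never_block check matters more than it looks: a feed is an external input, and if a row ever contained one of your own prefixes you would want the loader to drop it rather than your firewall to enforce it. The ratio printed at the end is only the constructed sample; measure the real reduction from your own IDS counts before and after the change.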