Version: 1.6

Threat Intelligence Engine

The Threat Intelligence engine generates alerts by correlating network flow attributes with external and internal IoCs. XNS regularly updates more than 30 security feeds of malicious IP addresses and suspicious countries. The Threat Intelligence mechanism consists of two parts:

• External Threat Intelligence, which uses automatically updated feeds downloaded from the Internet

• Internal Threat Intelligence, which uses manually created and updated feeds.

Both subsystems generate the following security alerts:

• Connection with Suspicious IP

• Connection with Suspicious Country

• Connection with Open Proxy

• Connection with Open DNS

• Connection with TOR.

Each of these alerts can be triggered by many reputational feeds.

Threat Intelligence Feeds

The Threat Intelligence of XNS consists of external and internal (custom) feeds.

| Feed id | Name | Score | Description | MITRE Tactic | MITRE Technique |
|---|---|---|---|---|---|
| IP_CRYPTO_MINING | Suspicious IP | 6 | The alert is triggered when traffic with a CRYPTO MINING IP address is detected. | Impact | Resource Hijacking |
| IP_MALWARE | Malicious IP | 10 | The alert is triggered when traffic with a MALWARE IP address is detected. | Command and Control | Application Layer Protocol |
| IP_OPEN_DNS | Suspicious IP | 3 | The alert is triggered when traffic with an OPEN DNS IP address is detected. | Command and Control | Application Layer Protocol |
| IP_PHISHING | Suspicious IP | 9 | The alert is triggered when traffic with a PHISHING IP address is detected. | Initial Access | Phishing |
| IP_PROXY | Anonymous Proxy | 4 | The alert is triggered when traffic with a PROXY IP address is detected. | Command and Control | Proxy |
| IP_SCANNER | Suspicious IP | 4 | The alert is triggered when traffic with a SCANNER IP address is detected. | Discovery | Network Service Scanning |
| IP_SPAM | Suspicious IP | 5 | The alert is triggered when traffic with a SPAM IP address is detected. | Initial Access | Phishing |
| IP_SYCOPE_COMMUNITY | Malicious IP | 8 | The alert is triggered when traffic with a malicious IP address reported by Sycope Community members is detected. | Command and Control | Application Layer Protocol |
| IP_TOR | TOR Activity | 7 | The alert is triggered when traffic with a TOR IP address is detected. | Command and Control | Proxy |

Tab. 3.1.1 Threat Intelligence - External Feeds.

| Feed id | Name | Score | Description | MITRE Tactic | MITRE Technique |
|---|---|---|---|---|---|
| ThreatIntelligence_custom | Suspicious IP | 8 | Internal Threat Intelligence - Custom Feed. | Command and Control | Application Layer Protocol |
| WhitelistIP | Exception | 1 | IP Whitelist | Command and Control | Application Layer Protocol |
| Country_custom | Suspicious Country | 6 | The Worst Botnet Countries based on custom list. | Command and Control | Application Layer Protocol |
| Sunburst2 | Suspicious IP - Sunburst (Sig2) | 10 | The feed includes malicious IPs regarding the Sunburst backdoor. Attacker leverages SolarWinds supply chain to compromise multiple global victims with this backdoor. | Lateral Movement | Remote Services |

Tab. 3.1.2 Sample of Threat Intelligence - Internal Feeds.

Initial Configuration

Feed management is only possible from the system administrator level. To change any feed, go to the Settings/Security/External Threat Intelligence or Settings/Security/Internal Threat Intelligence, and then select the feed for which you want to change parameters.

Note: In order for external feeds to be constantly updated, it is necessary to allow communication to the addresses of individual feeds. For more information please contact Support.

Fig. 3.2.1 XNS External Threat Intelligence.

The External Threat Intelligence rules contain the following attributes: Enabled, Alert Name, Feed Id, Data Type, Threat Category, MITRE Tactic, MITRE Technique, Score, Refresh Interval, Last Refresh Time and Alert Description.

| Attribute | Description | Possible Values | Modifiable |
|---|---|---|---|
| Enabled | The status of the rule. Disabled rules do not generate security alerts. | Enabled, Disabled | |
| Alert Name | The name of the rule. | Connection with a Suspicious IP, Connection with a Suspicious Country, Connection with Open Proxy, Connection with TOR | |
| Feed Id | The Feed Id of the Threat Intelligence rule. Each rule has a unique value of the Feed Id attribute. | | |
| Data Type | The type of data collected by the feed. | IP, Country | |
| Threat Category | The category of the feed, related to the type of security threat. | Bot, Botnet, C2, Feodo, Malicious Malware, Open Proxy, Ransomware, Rogue DNS, SNMP BL, SSH BL, Telnet BL, TOR, Zeus | |
| MITRE Tactic | The MITRE ATT&CK tactic related to the security rule. | Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact | |
| MITRE Technique | The MITRE ATT&CK technique related to the security rule. There are about 200 techniques; see MITRE ATT&CK for details. | | |
| Score | The importance of the feed on a scale of 1 to 10. | {1..10} | |
| Refresh Interval | How often (in minutes) the feed is updated. | {0..32767} | Yes |
| Last Refresh Time | The time of the last feed update, in the format YYYYMMDDhhmm. | | No |
| Alert Description | The description of the feed. | | No |

Tab. 3.2.1 External Threat Intelligence Feed Attributes.

Fig. 3.2.2 External Threat Intelligence Alert Configuration.

The Internal Threat Intelligence engine correlates custom feeds with some attributes of network flows. For this type of alert, all attributes except the alert name can be modified.

| Attribute | Description | Possible Values | Modifiable |
|---|---|---|---|
| Enabled | The status of the rule. Disabled rules do not generate security alerts. | Enabled, Disabled | Yes |
| Alert Name | The name of the rule. The attribute can be set only once, when creating a new custom feed. | | No |
| Feed Id | The Feed Id of the rule. Each rule has a unique value of the Feed Id attribute. | | Yes |
| Data Type | The type of data collected by the feed. | IP, Country | Yes |
| Threat Category | The category of the feed, related to the type of security threat. | Bot, Botnet, C2, Feodo, Malicious Malware, Open Proxy, Ransomware, Rogue DNS, SNMP BL, SSH BL, Telnet BL, TOR, Zeus | Yes |
| MITRE Tactic | The MITRE ATT&CK tactic related to the security rule. | Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact | Yes |
| MITRE Technique | The MITRE ATT&CK technique related to the security rule. There are about 200 techniques; see MITRE ATT&CK for details. | | Yes |
| Score | The importance of the feed on a scale of 1 to 10. | {1..10} | Yes |
| Alert Description | The description of the feed. | | Yes |
| Feed Data List | The values of the custom feed (IP addresses or countries), one value per line. | | Yes |

Tab. 3.2.2 Internal Threat Intelligence Feed Attributes.

Fig. 3.2.3 Internal Threat Intelligence Alert Configuration.

Creating a custom feed

Below are the steps to create a custom feed:

1) In Settings -> Security -> Internal Threat Intelligence, click the ADD NEW option.

Fig. 3.2.1.1 Creating a custom feed - step 1.

2) Fill in the attributes of the new feed and click Apply.

Fig. 3.2.1.2 Creating a custom feed - step 2.

Note: Please remember that only enabled rules generate alerts.

Adding IP addresses to the Whitelist

Below are the steps for adding IP addresses to the IP Whitelist used by the Threat Intelligence rules:

1) In Settings -> Security -> Internal Threat Intelligence, choose the WhitelistIP_whitelist feed.

Fig. 3.2.3.1 Adding IPs to the Whitelist - step 1.

2) Edit the feed and add the list of IPs that the Threat Intelligence engine should ignore to the Feed Data List area, one IP address per line.

Fig. 3.2.3.2 Adding IPs to the Whitelist - step 2.
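To make the correlation described at the top of this page and in the custom-feed and whitelist procedures above concrete, here is a small Python model of the mechanism: rules carrying the attributes of Tab. 3.2.2 (Enabled, Data Type, Score, MITRE mapping), a Feed Data List parsed one value per line, a whitelist feed whose IPs the engine ignores, and a correlation step that returns one alert per matching enabled feed, so the same alert name can come from several feeds. This is an added example written for this page, not Sycope/XNS code. The feed ids, scores and MITRE mappings are taken from the tables above; the flows, the IP addresses (RFC 5737 documentation ranges), the country code ZZ and the comment handling in the data list are constructed assumptions.

```python
"""Toy model of the Threat Intelligence correlation described on this page.
Added example, not Sycope/XNS code. Feed ids, scores and MITRE mappings come
from the tables above; flows, IP addresses (RFC 5737 documentation ranges)
and the country code "ZZ" are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Set


@dataclass
class Feed:
    """One rule with the attributes of Tab. 3.2.2 (Feed Data List in `values`)."""
    feed_id: str
    alert_name: str
    data_type: str            # "IP" or "Country"
    score: int                # 1..10
    mitre_tactic: str
    mitre_technique: str
    enabled: bool = True
    values: Set[str] = field(default_factory=set)


def parse_feed_data_list(text: str, data_type: str) -> Set[str]:
    """Parse a Feed Data List, one value per line. Blank lines and '#' comments
    are skipped (an assumption; the page only says one value per line), and IP
    entries are validated so a typo fails loudly instead of never matching."""
    values: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if data_type == "IP":
            line = str(ip_address(line))      # ValueError on a malformed address
        values.add(line)
    return values


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_country: str


@dataclass(frozen=True)
class Alert:
    alert_name: str
    feed_id: str
    score: int
    mitre_tactic: str
    mitre_technique: str
    matched_value: str
    flow: Flow


def correlate(flow: Flow, feeds: List[Feed], whitelist: Set[str]) -> List[Alert]:
    """One alert per enabled feed whose data matches the flow. A flow touching a
    whitelisted IP on either side is ignored and disabled rules never alert."""
    if flow.src_ip in whitelist or flow.dst_ip in whitelist:
        return []
    alerts: List[Alert] = []
    for feed in feeds:
        if not feed.enabled:
            continue
        if feed.data_type == "IP":
            hits = [ip for ip in (flow.src_ip, flow.dst_ip) if ip in feed.values]
        elif feed.data_type == "Country":
            hits = [flow.dst_country] if flow.dst_country in feed.values else []
        else:
            hits = []
        for value in hits:
            alerts.append(Alert(feed.alert_name, feed.feed_id, feed.score,
                                feed.mitre_tactic, feed.mitre_technique, value, flow))
    return alerts


# Constructed sample configuration.
WHITELIST = parse_feed_data_list("192.0.2.10  # trusted scanner\n", "IP")
FEEDS = [
    Feed("IP_TOR", "Connection with TOR", "IP", 7, "Command and Control", "Proxy",
         values=parse_feed_data_list("198.51.100.7\n192.0.2.10\n", "IP")),
    Feed("ThreatIntelligence_custom", "Connection with Suspicious IP", "IP", 8,
         "Command and Control", "Application Layer Protocol",
         values=parse_feed_data_list("198.51.100.7\n", "IP")),
    Feed("Country_custom", "Connection with Suspicious Country", "Country", 6,
         "Command and Control", "Application Layer Protocol",
         values=parse_feed_data_list("ZZ\n", "Country")),
    Feed("IP_OPEN_DNS", "Connection with Open DNS", "IP", 3, "Command and Control",
         "Application Layer Protocol", enabled=False,
         values=parse_feed_data_list("203.0.113.9\n", "IP")),
]


def demo() -> List[Alert]:
    """Run three constructed flows through the correlator."""
    flows = [
        Flow("10.0.0.5", "198.51.100.7", "AA"),  # hits IP_TOR and the custom IP feed
        Flow("10.0.0.6", "203.0.113.9", "ZZ"),   # only Country_custom; IP_OPEN_DNS is disabled
        Flow("10.0.0.7", "192.0.2.10", "ZZ"),    # whitelisted destination: no alert at all
    ]
    return [a for f in flows for a in correlate(f, FEEDS, WHITELIST)]
```

Running `demo()` yields three alerts: two for the first flow (IP_TOR with score 7 and ThreatIntelligence_custom with score 8, both naming the same destination), one Suspicious Country alert for the second flow, and none for the third because its destination is whitelisted, even though that address also sits in the TOR feed. The whitelist is checked before any feed, which mirrors the page's description of the Whitelist IP feed as an exception that makes the engine ignore those addresses.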