Recently, Stamus Networks introduced outgoing webhook capabilities to its Stamus NDR. As we explained in an earlier blog post, this feature is more than simply a new mechanism to send network security alert logs to a third party system.
Stamus NDR identifies, enriches and logs numerous individual threat indicators using its broad spectrum of detection mechanisms, including signatures and behavioral anomalies. These detailed logs form the foundation for proactive threat hunting and incident investigation within the system. And while we refer to them as ‘alerts”, they are not - on their own - intended to trigger an immediate response.
With the launch of Scirius Threat Radar (now referred to as Stamus NDR), we introduced the concept of “Stamus Threats” which represent a new level of automated detection. These high-confidence threat events are associated with specific assets in the network and are tracked along the stages of the cyber kill chain.Stamus Threats include various forms of botnets, policy violations, phishing, remote access trojans (RAT), data theft, CnC, ransomware, lateral movement, advanced persistent threats (APT), exploit kits, and custom defined events. By definition,Stamus Threats have an ultra-low rate of false positives and can therefore be used to trigger an immediate response.
The webhook interface is designed to send notifications when these high-confidence “Stamus Threats” are detected or when they change stages in the cyber kill chain.
This powerful feature has two primary use cases:
- Send notifications to a channel-based chat system such as Slack or Mattermost to alert security personnel when Stamus NDR has detected an attack milestone associated with a critical asset.
- Trigger an action with an incident response (IR) or security orchestration, automation and response (SOAR) system such IBM Resilience, ServiceNow or TheHive when Stamus NDR has detected an attack milestone associated with a critical asset.
In this article, we focus on the second use case through an integration with a popular open source incident response system -- TheHive. As a result of this integration, security teams are able to automate the initial stages of their incident response and ensure that relevant data associated with the incident is available to help with the investigation.
Background on TheHive
According to the organization's website, TheHive is “a scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.”
Development on TheHive Project began in 2014, and it has since become widely adopted throughout the world, particularly in Europe where a number of our customers are using it.
One of the key concepts embraced by the project is that of “observables.” Observables are artifacts associated with an incident that aid in an investigation. An IP address, a file hash, a URL, a domain are all examples of observables. TheHive collects these artifacts and enriches them using the Cortex analysis and response engine.
For example, Cortex may trigger Whois and Onyphe queries on an FQDN observable and use the results to create an entirely new set of observables. Thus providing the incident response team even more enrichment and context on a given case.
TheHive Observables and Stamus NDR
We know that observables are a key component of incident response within TheHive. Therefore when considering an integration with Stamus NDR, it is crucial that Stamus NDR delivers meaningful observables with any webhook notification for a Stamus Threat. Doing so is key to ensuring a timely incident response.
Before we explore that concept further, we must first decide what type of objects Stamus NDR should create in TheHive through the REST API. It turns out that the “Alert” object in TheHive is the ideal endpoint with which to connect the two systems. Alerts are presented to the user as notifications, the user can readily view the complete alert list, and any meaningful alert may be converted into an incident or added to an existing incident.
Conveniently, alerts may embed any number of related artifacts and it is therefore perfectly suited to receive all the context associated with a Stamus Threat.
The screenshot below shows the resulting observables for a single Stamus Threat alert created using the template provided in the Stamus NDR documentation:
We can see the alert message and a series of attached artifacts containing all the information from the original Stamus Threat event. Specifically for this case, we have:
- IP addresses (offenders and target)
- FQDN (based on HTTP hostname used in the request triggering the alert)
Webhook Message Template Definitions
The Stamus NDR webhook integration uses a powerful Jinja2-based template system which allows for logical construction using Python-like constructs to create complex variables. Stamus Networks has developed a number of ready-to-use templates for integrating with popular third-party systems including Slack, Mattermost, ServiceNow and TheHive.
Using the template, you may embed custom logic to extract the specific data elements (observables) you wish to include in the notification.
In the example below, you can see that we are configuring Stamus NDR to extract all the relevant fields and assign them a precise type when it encounters an SSL Samus Threat containing a TLS sub-object:
By doing this in the template for all supported protocols, we are able to extract all available artifacts and provide them to TheHive for a more complete insight and more efficient incident response.
The screenshot below shows how this configuration -- including the template set up -- may be performed in the SSP management interface:
Looking further at the above example, when Stamus NDR detects a Trickbot-related Stamus Threat containing a TLS protocol transaction, the following observables are included in the result.
Note: in the above screenshot, the eye icon in the left indicates that the observable has been observed in an existing case.
Stamus NDR allows you to choose whether to create a webhook to notify TheHive when a new Stamus Threat is first detected on an asset or when an already known Stamus Threat has advanced stages along the kill chain. And because events may arrive asynchronously, Stamus NDR also provides a webhook for any changes in the kill chain phase of a known Stamus Threat - so you won’t miss an event that would come late.
As we’ve seen in this example, integrating Stamus NDR with an IR or SOAR system via webhooks, can bring many benefits beyond a simple notification, including powerful automation and enrichment of the incident records. And the powerful template system provided by Stamus NDR enables substantial artifacts (observables) to be conveyed with each notification.