A couple of weeks ago, we covered how Stamus Security Platform (SSP) users can harness the power of shared threat intelligence by integrating their existing SSP deployment with the Malware Information Sharing Platform (MISP). This week, we want to share how non-SSP users can enjoy those same benefits paired with the impressive security monitoring capabilities provided by SELKS.
For those unfamiliar, MISP is an open-source platform that lets organizations store, share, and collaborate on threat intelligence data. Its source code is published under the AGPLv3 license, so anyone can download, use, modify, and distribute it for any purpose, including commercial use. For an introduction to shared threat intelligence with MISP, read our blog “Harness the Power of Shared Threat Intelligence with MISP”.
SELKS – built by Stamus Networks, the global leaders in Suricata-based network security – is a turnkey Suricata-based intrusion detection system (IDS), network security monitoring (NSM) and threat hunting platform. It is also open source and free to use, and it bundles the capabilities of Suricata, the Elastic Stack, Stamus Community Edition (CE), Arkime, EveBox, and CyberChef.
Together, these two platforms provide a powerful combination for threat intelligence and security monitoring. This blog will detail not only the benefits of integrating MISP and SELKS, but also how to optimize the performance of Suricata rules for SELKS to make the most utility out of information gathered through MISP.
The Benefits of Combining MISP and SELKS
Combining these two open-source platforms can provide greater network security efficacy than you would otherwise have using only one. MISP allows organizations to identify and share threat indicators while also enabling collaboration with other organizations and colleagues, providing access to a wider range of threat intelligence. This means that information on threats is more readily available, making your organization’s security strategy more proactive than reactive.
SELKS, on the other hand, provides real-time network monitoring and intrusion detection capabilities that are completely open source. It can be a suitable production solution for a small-to-medium sized organization that doesn’t have the resources to build or buy a full commercial product like network detection and response (NDR).
By integrating MISP and SELKS, organizations can leverage the strengths of both platforms to improve their overall security posture. SELKS uses the full power of Suricata, a highly capable IDS, and when paired with shared threat intelligence, the combination can give some fairly thorough insights into an organization’s network security.
The Problem with the Existing Integration
While this blog is about MISP and SELKS, it is important to note that SELKS is built around the Suricata detection engine, so most SELKS detections come from Suricata signatures. MISP already has a Suricata export that could be loaded into SELKS, but it does not scale: it generates one signature per IoC attribute. Even a small MISP instance can therefore produce hundreds of thousands of signatures, which slows down the whole engine and hurts performance.
The “Dataset” Concept
Suricata produces a large amount of protocol metadata in SELKS, which gives us an NSM data pool to look up against. At our disposal are key IoC elements such as domain names, TLS certificate fields, HTTP host, user agent and server headers, JA3 and JA3S fingerprints, and file checksums. Combined with Suricata's dataset feature, this makes a powerful combination. Datasets store large volumes (millions) of custom IoC values in memory and match on them efficiently: a dataset is a list that is matched against a sticky-buffer keyword, so an extracted piece of metadata (for example a DNS query name) is compared against the whole list in a single lookup rather than by one signature per value. That makes datasets well suited to IoC matching. The same mechanism can also work in the other direction, collecting values seen on the network into a dataset, for example to build a database of new domains seen on the network.
More on the subject can be found here: https://youtu.be/dUUPwgHkuvo
When building a dataset of type string, the values in the dataset file must be base64-encoded, one value per line; Suricata decodes each line when it loads the file (hash datasets such as md5 and sha256 use hex-encoded values instead). Suricata will only accept base64-encoded lines in a string dataset. Encoding the values this way means that any string, including ones containing whitespace, non-ASCII or non-printable characters, can be stored in the file and loaded without syntax errors or other parsing issues.
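The following is an added Python example, not code from Stamus Networks, MISP or Suricata. It turns a MISP attribute export into a Suricata string dataset file: it keeps only domain and hostname attributes flagged for IDS use, normalises and validates them, de-duplicates, and writes one base64 line per value. The MISP JSON shape ({"response": {"Attribute": [...]}}) is the one returned by the attributes REST search and is assumed here; the sample export and the file name dataset-domains are constructed for the example.

```python
"""Build a Suricata 'string' dataset file from MISP domain attributes.

Added example (not Stamus/MISP/Suricata code). The MISP export is constructed
inline so the script runs offline; its shape is assumed to follow
MISP's /attributes/restSearch response.
"""
import base64
import json
import re

# Constructed sample export: two usable domains, a duplicate, one attribute
# not marked for IDS use, one non-domain type and one malformed value.
MISP_EXPORT = json.dumps({
    "response": {"Attribute": [
        {"type": "domain", "value": "bad.example.net", "to_ids": True},
        {"type": "hostname", "value": "C2.Example.ORG", "to_ids": True},
        {"type": "domain", "value": "bad.example.net", "to_ids": True},
        {"type": "domain", "value": "not-for-ids.example", "to_ids": False},
        {"type": "ip-dst", "value": "192.0.2.10", "to_ids": True},
        {"type": "domain", "value": "bad domain.example", "to_ids": True},
    ]}
})

DOMAIN_TYPES = {"domain", "hostname"}
# Conservative hostname check: dot-separated labels of letters, digits, hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def normalise_domain(value):
    """Lower-case, strip a trailing dot, and reject anything that is not a hostname.

    dataset:isset compares exact bytes, so the dataset must hold the same form
    (lower-case, no trailing dot) that the dns.query buffer is expected to carry.
    """
    v = value.strip().lower().rstrip(".")
    return v if _DOMAIN_RE.match(v) else None


def misp_domains(export_json):
    """Return the sorted, de-duplicated list of actionable domain IoCs."""
    attrs = json.loads(export_json)["response"]["Attribute"]
    out = set()
    for a in attrs:
        if a.get("type") not in DOMAIN_TYPES or not a.get("to_ids", False):
            continue
        d = normalise_domain(a["value"])
        if d:
            out.add(d)
    return sorted(out)


def dataset_lines(domains):
    """One base64 line per value: the on-disk format of a Suricata string dataset."""
    return [base64.b64encode(d.encode()).decode() for d in domains]


def write_dataset(path, domains):
    with open(path, "w") as fh:
        fh.write("\n".join(dataset_lines(domains)) + "\n")


def read_dataset(path):
    """Decode the file back, as a check that every line round-trips."""
    with open(path) as fh:
        return [base64.b64decode(line).decode() for line in fh if line.strip()]


if __name__ == "__main__":
    domains = misp_domains(MISP_EXPORT)
    write_dataset("dataset-domains", domains)
    print(read_dataset("dataset-domains"))
```

Validation and normalisation happen before encoding on purpose: a dataset silently accepts any bytes, so a stray space or upper-case letter from MISP would produce a value that never matches a real query.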
Bringing it all together – MISP and SELKS
The integration between MISP and SELKS is handled through Stamus CE, the web interface in SELKS for managing Suricata rules and alerts. Through Stamus CE, Suricata can be configured to use threat intelligence data from MISP, loaded as a dataset, to detect potential threats in real time. When a match occurs, SELKS generates an alert and notifies security personnel so they can take appropriate action to mitigate the threat.
Next we need a signature that loads the dataset collected from MISP and fires on any match. The rules file can be added through the same Stamus CE page.
This Suricata signature will accomplish that:
alert dns $HOME_NET any -> any any (msg:"Detected DNS query to very bad domains"; flow:established,to_server; dns.query; dataset:isset,dataset-domains,type string,load dataset-domains,memcap 150mb,hashsize 1000000; classtype:unknown; flowbits:set, stamus.misp.domain; target:src_ip; sid:123456; rev:1; metadata:stamus_misp_domain dns.query.rrname, stamus_misp_domain src_ip, stamus_classification dataset-domains, provider Stamus, created_at 2023_02_24, updated_at 2023_02_24;)
Now SELKS can fully take advantage of MISP. When we have a hit on a domain in the list, we should see something like:
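To make the hit concrete without a running sensor, here is an added Python example (not Suricata or Stamus code) that re-implements the logic of the signature above over constructed eve.json DNS records and emits an alert in the shape Suricata writes to eve.json. The eve field names (src_ip, dest_ip, dns.type, dns.rrname) and the way app-layer metadata is attached to the alert are assumed from Suricata's eve output; the dataset contents and DNS records are constructed for the example.

```python
"""Emulate the 'dataset:isset' DNS rule above against eve.json DNS records.

Added example (not Suricata/Stamus code): Suricata does this matching in the
engine; this script only shows what the rule selects and what the alert holds.
"""
import base64
import json

# Constructed dataset file content: base64 lines, as in a Suricata string dataset.
DATASET_FILE = "\n".join(
    base64.b64encode(d.encode()).decode() for d in ["bad.example.net", "c2.example.org"]
)

# Constructed eve.json records, one JSON object per line as Suricata writes them.
# Field names follow the eve dns log and are assumed for this example.
EVE_DNS = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2023-02-24T10:00:01.000000+0000", "event_type": "dns", "flow_id": 1,
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1",
     "dns": {"type": "query", "rrname": "www.example.com", "rrtype": "A"}},
    {"timestamp": "2023-02-24T10:00:02.000000+0000", "event_type": "dns", "flow_id": 2,
     "src_ip": "10.0.0.7", "dest_ip": "10.0.0.1",
     "dns": {"type": "query", "rrname": "bad.example.net", "rrtype": "A"}},
    {"timestamp": "2023-02-24T10:00:03.000000+0000", "event_type": "dns", "flow_id": 3,
     "src_ip": "10.0.0.9", "dest_ip": "10.0.0.1",
     "dns": {"type": "query", "rrname": "C2.Example.ORG", "rrtype": "A"}},
    {"timestamp": "2023-02-24T10:00:04.000000+0000", "event_type": "dns", "flow_id": 2,
     "src_ip": "10.0.0.1", "dest_ip": "10.0.0.7",
     "dns": {"type": "answer", "rrname": "bad.example.net", "rrtype": "A"}},
])

# The parts of the signature above that Suricata copies into the alert object.
RULE = {
    "signature_id": 123456,
    "rev": 1,
    "signature": "Detected DNS query to very bad domains",
    "category": "Unknown Traffic",   # classtype:unknown in the default classification.config
    "severity": 3,
    "metadata": {
        "stamus_misp_domain": ["dns.query.rrname", "src_ip"],
        "stamus_classification": ["dataset-domains"],
        "provider": ["Stamus"],
        "created_at": ["2023_02_24"],
        "updated_at": ["2023_02_24"],
    },
}


def load_dataset(text):
    """Decode a string dataset file into the set Suricata would hold in memory."""
    return {base64.b64decode(line).decode() for line in text.splitlines() if line.strip()}


def match_dns_queries(eve_text, dataset):
    """Apply the rule: a client DNS query whose dns.query value is in the dataset."""
    alerts = []
    for line in eve_text.splitlines():
        ev = json.loads(line)
        # dns.query together with flow:to_server inspects queries only, never answers.
        if ev.get("event_type") != "dns" or ev["dns"].get("type") != "query":
            continue
        name = ev["dns"].get("rrname", "")
        # dataset:isset is an exact byte comparison: "C2.Example.ORG" does not hit
        # "c2.example.org", so normalise case when building the dataset.
        if name not in dataset:
            continue
        alerts.append({
            "timestamp": ev["timestamp"],
            "event_type": "alert",
            "flow_id": ev["flow_id"],
            "src_ip": ev["src_ip"],      # target:src_ip marks the querying host as the victim
            "dest_ip": ev["dest_ip"],
            "alert": dict(RULE, action="allowed", gid=1),
            "dns": {"query": [ev["dns"]]},   # app-layer metadata attached to the alert (shape assumed)
        })
    return alerts


if __name__ == "__main__":
    for alert in match_dns_queries(EVE_DNS, load_dataset(DATASET_FILE)):
        print(json.dumps(alert, indent=2))
```

Only the query from 10.0.0.7 produces an alert: the answer record is skipped because the rule inspects client queries, and the mixed-case query misses because dataset lookups are exact, which is why the dataset should be built from normalised values.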
Improved Threat Intelligence with MISP and SELKS
Since MISP and SELKS are both open-source and free to use, they are very accessible to organizations with limited resources. Additionally, both platforms have active communities and support, ensuring that they remain up-to-date and continue to improve over time.
In summary, MISP and SELKS are two powerful open-source solutions that, when used together, can provide organizations with robust threat intelligence and security monitoring capabilities. By integrating MISP with SELKS, organizations can enhance their ability to detect and respond to potential security threats in real-time, ultimately improving their overall security posture.