The Cyber-threat attacks faced by Organizations are increasing in diversity and continue to evolve due to the vast motivations behind them and the complex innovation in attack techniques. And to top it off, toolkits, exploits, ransomware and every other tool in existence, are readily available within the cyber-criminal community. To better prevent organizations from attacks, we need better visibility and all the expertise available to receive intelligence on the existing and emerging threats.

Elastic Stack

Elastic Stack (Previously ELK) is a combination of the much popular Elasticsearch, Logstash and Kibana.  It can generate actionable insights in near real-time from any data sources, be it structured or unstructured.

ELK Stack requires a smaller initial capital to set up, as it is open source technology. A typical SIEM will cost around $1.2 million on average, due to which numerous small and mid-size organizations are implementing the ELK stack as a cost optimized solution.

The ELK stack offers flexible search capabilities, enabling analysis of data from a wide range of security tools in a central location. The dashboards are custom made, selecting your preferred metrics from the data received from your sensors.

Threat Intel in Elastic Stack

The simplest method would be to feed the threat intelligence data to Elasticsearch and convert it into .CSV format and use the .CSV file in the Logstash translate filter. The Logstash translate filter will check the .CSV file for matches and then take a predefined action, if the CSV contains the value. This method is convenient if known phishing email addresses or blacklisted IPs, should be added to Elastic Stack.

Below are a few other possibilities which enables Elastic Stack to work with threat intelligence.

1.     SweetSecurity

Sweet Security is a network security monitoring tool which exposes malicious network traffic. It makes use of the translate filters available in Logstash and generate alerts based on the data in blacklists.
Github repo: github.com/TravisFSmith/SweetSecurity.

2.     Combine

Combine is an open source tool which read, normalize and parses the data from various publicly available threat intelligence feeds and blacklists to create a combined list of blacklisted IPs and domains. Currently the outputs are available only in CSV and JSON formats.
Github repo: github.com/mlsecproject/combine

3.     Blueliv

Blueliv is an enterprise solution to ingest threat intelligence feeds into Elastic Stack. It has a plugin for Logstash which provides actionable threat intelligence data near real-time. It also provides unique threat Intel about verified online crime servers, malicious bot IPs, hacktivism and malware hashes. The user will get information about the attack vectors, potential indicators of compromise and mitigation solutions.
website: www.blueliv.com