How to Prioritize Threat Alerts with API Integrations
This post lists three ways to sift through security alerts using a variety of domain and IP intelligence APIs.
12:23 30 April 2021
Alert fatigue affects 83% of security professionals, according to 427 IT heads surveyed for a 2020 state of security operations report. One way to alleviate this challenge is to find better ways to prioritize alerts. This post lists three ways to sift through security alerts using a variety of domain and IP intelligence APIs.
3 Ways to Prioritize Threat Alerts
Use a Domain Reputation API or an IP Reputation API
If your security platform alerted you to the 10 domains and IP addresses below, how would you know which one to analyze first and, consequently, block access to and from?
Checking the domains and IPs for their reputation with a tool such as https://threatintelligenceplatform.com/domain-reputation-api can help. Querying the list on one would tell you that all five domains are malware-infected.
But your afobal[.]cl query would also return four other warnings (i.e., Secure Sockets Layer [SSL], WHOIS, mail exchanger [MX], and nameserver [NS] misconfigurations), while the remaining four have only four (i.e., no MX alert). Therefore, prioritizing the analysis of afobal[.]cl and blocking access to and from it first might make the most sense.
Meanwhile, performing the same query for the IP addresses would tell you that only two (i.e., 152[.]32[.]253[.]189 and 117[.]111[.]1[.]229) are malware-laced. All five also raised red flags for SSL misconfigurations, so you can analyze the remaining three IP addresses next and block access to and from them should they prove malicious.
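The ranking the two paragraphs above walk through by hand can be automated once the reputation results are in a structured form. The script below is an added example written for this post, not code from Threat Intelligence Platform or its API: the response shape (a malware verdict plus a list of warning categories per indicator), the scoring weights, and every indicator other than afobal[.]cl, 152[.]32[.]253[.]189 and 117[.]111[.]1[.]229 are constructed assumptions. A malware verdict outranks any number of misconfiguration warnings, and warnings only break ties between indicators with the same verdict.

```python
"""Rank domain/IP reputation results so the noisiest indicator is analysed first.

Added example for this post. The result format and the weights below are
assumptions, not the real reputation API's output or scoring.
"""
from dataclasses import dataclass

# Assumed weights: one malware verdict outweighs any count of misconfigurations.
MALWARE_WEIGHT = 10
WARNING_WEIGHT = 1


@dataclass(frozen=True)
class Ranked:
    indicator: str
    score: int
    malware: bool
    warnings: tuple


def score(indicator, result):
    """Turn one reputation result into a comparable priority record."""
    warnings = tuple(sorted(result.get("warnings", [])))
    malware = bool(result.get("malware", False))
    total = MALWARE_WEIGHT * int(malware) + WARNING_WEIGHT * len(warnings)
    return Ranked(indicator, total, malware, warnings)


def prioritize(results):
    """Return indicators ordered highest priority first; ties broken by name."""
    ranked = [score(ind, res) for ind, res in results.items()]
    return sorted(ranked, key=lambda r: (-r.score, r.indicator))


# Constructed sample mirroring the post: every domain is malware-infected, and
# only afobal[.]cl additionally carries an MX warning. The "placeholder" names
# stand in for the four domains the post does not spell out.
DOMAIN_RESULTS = {
    "afobal[.]cl": {"malware": True, "warnings": ["SSL", "WHOIS", "MX", "NS"]},
    "placeholder-1[.]example": {"malware": True, "warnings": ["SSL", "WHOIS", "NS"]},
    "placeholder-2[.]example": {"malware": True, "warnings": ["SSL", "WHOIS", "NS"]},
    "placeholder-3[.]example": {"malware": True, "warnings": ["SSL", "WHOIS", "NS"]},
    "placeholder-4[.]example": {"malware": True, "warnings": ["SSL", "WHOIS", "NS"]},
}

# Constructed sample: two IPs are malware-laced, all five have SSL warnings.
# The 192.0.2.x addresses are documentation-range placeholders.
IP_RESULTS = {
    "152[.]32[.]253[.]189": {"malware": True, "warnings": ["SSL"]},
    "117[.]111[.]1[.]229": {"malware": True, "warnings": ["SSL"]},
    "192.0.2.10": {"malware": False, "warnings": ["SSL"]},
    "192.0.2.11": {"malware": False, "warnings": ["SSL"]},
    "192.0.2.12": {"malware": False, "warnings": ["SSL"]},
}

if __name__ == "__main__":
    for label, results in (("domains", DOMAIN_RESULTS), ("IPs", IP_RESULTS)):
        print(f"--- {label} ---")
        for r in prioritize(results):
            flag = "MALWARE" if r.malware else "clean  "
            print(f"{r.score:3d} {flag} {r.indicator:28s} {','.join(r.warnings)}")
```

Feeding real API responses into this only requires a small adapter that maps each response onto the `malware`/`warnings` keys; the ordering logic stays the same.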
Use an IP Geolocation API
If your security platform alerted you to the 20 IP addresses and you are currently having a spam-related problem, you can consult a list of the country sources known for spam activity such as this one published by Spamhaus and prioritize from there.
An IP geolocation tool, for instance, would tell you that one each points to Argentina, Colombia, Germany, Italy, the Netherlands, Russia, Uganda, and Vietnam; two each point to Hong Kong, Mexico, and South Korea; and three each point to China and the U.S.
Consulting the top 10 worst spam countries list, a possible approach would be to start blocking access to and from IP addresses from the top-ranked country, China (i.e., 118[.]24[.]104[.]38, 222[.]187[.]239[.]107, and 49[.]88[.]112[.]72). Next, you may want to move on to those from the second-ranked country, the U.S. (i.e., 68[.]183[.]19[.]221, 138[.]91[.]121[.]55, and 162[.]247[.]74[.]201). Then proceed down the line to cover the next eight countries (i.e., Russia, South Korea, Japan, India, Hong Kong, Turkey, Vietnam, and the Dominican Republic). Finally, investigate and block the remaining IP addresses, if necessary.
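The country-by-country walk described above becomes a simple sort once each alerted IP has been geolocated. The script below is an added example for this post, not code from any geolocation API vendor: the IP-to-country mapping is a constructed stand-in for what a geolocation lookup would return (only the six Chinese and U.S. addresses come from the post; the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are documentation-range placeholders), and the country ordering is the ten-country list as the post quotes it, which should be refreshed from the live Spamhaus list before use.

```python
"""Order IP alerts by the spam-source ranking of their geolocated country.

Added example for this post. The geolocation results are constructed and the
country ranking is the one the post quotes, not a live feed.
"""

# Ten-country order as given in the post; refresh from the live list before use.
SPAM_COUNTRY_RANK = [
    "China", "United States", "Russia", "South Korea", "Japan",
    "India", "Hong Kong", "Turkey", "Vietnam", "Dominican Republic",
]


def prioritize_by_country(geo, ranking=SPAM_COUNTRY_RANK):
    """Return [(ip, country, rank)] sorted so listed countries come first, in
    list order. Countries not on the list share the lowest rank and sort after
    it, alphabetically, so they are still reviewed rather than dropped."""
    position = {country: i for i, country in enumerate(ranking)}
    unranked = len(ranking)
    rows = [(ip, country, position.get(country, unranked)) for ip, country in geo.items()]
    return sorted(rows, key=lambda r: (r[2], r[1], r[0]))


def blocking_batches(rows):
    """Group already-sorted rows into per-country batches: [(country, [ips])]."""
    batches = []
    for ip, country, _ in rows:
        if batches and batches[-1][0] == country:
            batches[-1][1].append(ip)
        else:
            batches.append((country, [ip]))
    return batches


# Constructed geolocation results for the 20 alerted IPs described in the post.
GEO = {
    "118[.]24[.]104[.]38": "China", "222[.]187[.]239[.]107": "China", "49[.]88[.]112[.]72": "China",
    "68[.]183[.]19[.]221": "United States", "138[.]91[.]121[.]55": "United States",
    "162[.]247[.]74[.]201": "United States",
    "192.0.2.1": "Hong Kong", "192.0.2.2": "Hong Kong",
    "192.0.2.3": "Mexico", "192.0.2.4": "Mexico",
    "192.0.2.5": "South Korea", "192.0.2.6": "South Korea",
    "198.51.100.1": "Argentina", "198.51.100.2": "Colombia", "198.51.100.3": "Germany",
    "198.51.100.4": "Italy", "203.0.113.1": "Netherlands", "203.0.113.2": "Russia",
    "203.0.113.3": "Uganda", "203.0.113.4": "Vietnam",
}

if __name__ == "__main__":
    for country, ips in blocking_batches(prioritize_by_country(GEO)):
        print(f"{country:20s} {', '.join(ips)}")
```

Keeping the unlisted countries in the output (rather than filtering them out) matches the post's final step: they are investigated last, not ignored.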
Use a WHOIS History API
In some cases, threat actors reuse their infrastructure for different attacks. If you keep track of most wanted cybercriminals lists or take note of criminals’ names connected to attacks your company suffered from in the past, then WHOIS history API queries can help you prioritize alerts. With a list of domains such as that below from your security platform, you can focus on those owned by known cyber attackers first.
In this sample, a WHOIS history API would tell you that two of the domains (i.e., cungong[.]bid and zzzhaoran[.]top) belonged to an individual named Zhang Haoran and another three (i.e., mezzo[.]cc, const[.]pw, and radostdetyam[.]com) were once owned by Konstantin Volchkov. These two names are part of the Most Wanted Cyber List of the Federal Bureau of Investigation (FBI). Haoran is part of a Chinese hacking group known as “APT 41” and “BARIUM.” Volchkov, meanwhile, is wanted for his involvement in a hacking campaign using the GozNym malware.
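Matching historical registrants against a watchlist is mostly a name-normalization problem: WHOIS records capitalize, space and order names inconsistently, so an exact string comparison misses hits. The script below is an added example for this post, not code from any WHOIS history API vendor: the `registrantName` field name and the per-domain history records are constructed assumptions about what such an API returns, the two placeholder domains are invented, and the watchlist holds only the two names the post cites.

```python
"""Flag alerted domains whose WHOIS history names a registrant on a watchlist.

Added example for this post. The history record shape (a list of records with
a "registrantName" field per domain) is an assumption, not a real API format.
"""
import re

# Names taken from the post; a real deployment would load the full list.
WATCHLIST = {"Zhang Haoran", "Konstantin Volchkov"}


def _name_key(name):
    """Normalise a registrant name for comparison: casefold, strip punctuation
    and digits, and ignore token order so 'Haoran Zhang' == 'ZHANG HAORAN'."""
    return frozenset(re.findall(r"[^\W\d_]+", name.casefold()))


def match_registrants(history, watchlist=WATCHLIST):
    """Return {domain: watchlist_name} for every domain whose history contains
    at least one registrant on the watchlist; other domains are omitted."""
    keys = {_name_key(n): n for n in watchlist}
    hits = {}
    for domain, records in history.items():
        for record in records:
            key = _name_key(record.get("registrantName", ""))
            if key and key in keys:
                hits[domain] = keys[key]
                break
    return hits


def prioritize(history, watchlist=WATCHLIST):
    """Order alerted domains: watchlist hits first (grouped by actor), then the rest."""
    hits = match_registrants(history, watchlist)
    return sorted(history, key=lambda d: (d not in hits, hits.get(d, ""), d))


# Constructed history records: name spellings deliberately vary in case,
# spacing and order to exercise the normalisation. Placeholder domains are
# not from the post.
HISTORY = {
    "cungong[.]bid": [{"registrantName": "ZHANG HAORAN"}, {"registrantName": "REDACTED FOR PRIVACY"}],
    "zzzhaoran[.]top": [{"registrantName": "Haoran Zhang"}],
    "mezzo[.]cc": [{"registrantName": "Konstantin  Volchkov"}],
    "const[.]pw": [{"registrantName": "Privacy Service"}, {"registrantName": "konstantin volchkov"}],
    "radostdetyam[.]com": [{"registrantName": "Volchkov, Konstantin"}],
    "placeholder-1[.]example": [{"registrantName": "Jane Doe"}],
    "placeholder-2[.]example": [{"registrantName": ""}],
}

if __name__ == "__main__":
    hits = match_registrants(HISTORY)
    for domain in prioritize(HISTORY):
        print(f"{domain:26s} {hits.get(domain, '-')}")
```

Token-set matching trades a little precision for recall: two different people sharing the same two name tokens would collide, so treat a hit as a reason to look first, not as attribution on its own.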
When integrated into security platforms, tools like domain reputation API, IP geolocation API, and WHOIS history API can help teams prioritize threat alerts, thus alleviating potential alert fatigue.