Resilmesh Newsletter

October - November 2024

Learn about the Resilmesh project, the key players of the consortium and the aspirations of the project.

What is Enrichment?

Data enrichment is a threat intelligence mechanism that allows security teams to pinpoint the origin, function and risk level of a domain or IP address, by applying multiple categories and sub-categories that provide significantly more context than standard DNS lookups and queries are able to provide.

Enrichment is less about volume, and more about creating meaningful relationships between billions of disparate data points. Each enrichment category is designed to help defenders and threat hunters track attacker infrastructure across the IPv4 and IPv6 space.

Think of data enrichment as filling in a puzzle, where each unique piece of enriched data helps to build a holistic picture of an observable (i.e., a domain, URL or IP address).

Technical explanation

The Silent Push enrichment within the Resilmesh framework is a containerised REST API client; all the heavy logic runs in the Silent Push infrastructure. The client also buffers incoming events to avoid the NATS "slow consumer" state, a condition that occurs when NATS delivers messages faster than the application can consume them, hence "slow consumer".
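The buffering described above, as an added Python sketch that is not the Resilmesh or Silent Push client code: the NATS delivery callback does nothing but a non-blocking put into a bounded in-memory queue, and a pool of worker tasks drains that queue into the API call, so the subscription never stalls behind a slow HTTP round trip. `enrich_observable` is a hypothetical stand-in for the REST call (the page does not describe the endpoint or payload), the burst of events is constructed, and counting-and-dropping on overflow is an assumed policy chosen so that the callback itself can never block.

```python
import asyncio
from dataclasses import dataclass


async def enrich_observable(event: dict, latency: float) -> dict:
    # Hypothetical stand-in for the REST call to the Silent Push API: the page
    # does not describe the endpoint or payload, so this only sleeps to model
    # network latency and tags the event as enriched.
    await asyncio.sleep(latency)
    return {**event, "enriched": True}


@dataclass
class Stats:
    received: int = 0  # events handed to us by the NATS subscription
    enriched: int = 0  # events that completed the API call
    dropped: int = 0   # events refused because the buffer was full


class BufferedEnricher:
    """Decouple the NATS delivery callback from the slow enrichment call.

    on_message() only does a non-blocking put into a bounded queue and returns
    at once, so the NATS client is never stalled behind the API and the server
    has no reason to mark the subscription a slow consumer. Worker tasks drain
    the queue. When the buffer is full the event is counted and dropped (an
    assumed overflow policy, chosen so the callback itself can never block).
    """

    def __init__(self, buffer_size: int, workers: int, latency: float):
        self.buffer_size = buffer_size
        self.workers = workers
        self.latency = latency
        self.stats = Stats()
        self.results = []
        self.queue = None

    def on_message(self, event: dict) -> None:
        # Invoked by the subscription for every delivered message; must be fast.
        self.stats.received += 1
        try:
            self.queue.put_nowait(event)
        except asyncio.QueueFull:
            self.stats.dropped += 1

    async def _worker(self) -> None:
        while True:
            event = await self.queue.get()
            if event is None:          # shutdown sentinel
                self.queue.task_done()
                return
            self.results.append(await enrich_observable(event, self.latency))
            self.stats.enriched += 1
            self.queue.task_done()

    async def run(self, events: list, publish_interval: float) -> Stats:
        # The queue is created inside the running loop so it binds to it.
        self.queue = asyncio.Queue(maxsize=self.buffer_size)
        workers = [asyncio.create_task(self._worker()) for _ in range(self.workers)]
        for event in events:           # plays the role of NATS delivering a burst
            self.on_message(event)
            await asyncio.sleep(publish_interval)
        await self.queue.join()        # wait until every buffered event is done
        for _ in workers:
            await self.queue.put(None)
        await asyncio.gather(*workers)
        return self.stats


def simulate(n_events: int, buffer_size: int, workers: int,
             latency: float, publish_interval: float = 0.0) -> Stats:
    """Replay a constructed burst of n_events through the buffered client."""
    events = [{"id": i, "observable": f"host{i}.example"} for i in range(n_events)]
    client = BufferedEnricher(buffer_size, workers, latency)
    return asyncio.run(client.run(events, publish_interval))


if __name__ == "__main__":
    print("sized buffer:", simulate(20, buffer_size=50, workers=4, latency=0.01))
    print("undersized buffer:", simulate(20, buffer_size=1, workers=1, latency=0.5))
```

With a buffer large enough for the burst every event is enriched; with a one-slot buffer and one worker that takes half a second per call, the burst arrives while the worker is still busy and most of it is dropped. In a real deployment the buffer size and worker count are what you tune against the API's latency and the message rate, and the dropped counter is the metric that tells you the buffer is undersized.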

Synergy

Among the enriched data returned by these endpoints, some fields deserve to be highlighted. Some of them use a scoring system from 0 to 100, while others are simple alert indicators. Fields are classified by observable type (domain and IP). URLs can be enriched as well, but only the base of the URL, which is either a domain or an IP address, is enriched.

Domain fields are:
• sp_risk_score: the Silent Push Risk Score, an at-a-glance indication of how malicious an observable is. It is calculated by taking the highest of all the Silent Push scores returned in enrichment.
• asn_diversity: indicates how often an IP changes between AS numbers; the higher the value, the more ASNs the IP has moved through.
• ip_diversity_all: the number of IPs the domain has pointed to over the last 30 days; a higher value is a potential alert.
• listing_score: a score based on the frequency and recency with which the observable appears in Silent Push feeds. If the observable is in a Silent Push IOFA (Indicator of Future Attack) feed, it should be considered a threat. IOFA feeds are built by the Silent Push Threat Intelligence Lab.
• ns_reputation_score: the ratio of blacklisted domains to the total number of domains using the nameserver.
• ns_entropy_score: a score that combines the recency, frequency and number of nameserver changes. The more a domain has moved between nameservers, the higher the risk.

IP fields are:
• asn_reputation: the ratio of blacklisted IPs to the total number of IPs observed as active within the ASN in the last 30 days. If the enriched IP sits in an ASN with a high reputation score, that IP should be investigated further. Several accompanying fields explain why an ASN has a high reputation score.
• asn_takedown_reputation: a reputation score based on the time it takes the ASN owner to react to takedown requests for malicious URLs; a higher score indicates the owner is slow to react. As with the ASN reputation score, accompanying fields explain why an IP has a given ASN takedown reputation score.
• subnet_reputation_score: the ratio of blacklisted IPs to the total number of IPs observed as active within a particular subnet in the last 30 days.
• density: the number of domains pointing to an IP address; a lower number is a potential alert.
• sp_risk_score: the Silent Push Risk Score, an at-a-glance indication of how malicious an observable is. It is calculated by taking the highest of all the Silent Push scores returned in enrichment.
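How these fields fit together, as an added Python example that is not part of the newsletter and not the Silent Push API client: it reduces a URL, domain or IP to the base that actually gets enriched, picks the type-specific 0-100 fields listed above, recomputes sp_risk_score as their maximum and names the fields driving it, so an analyst sees why an observable scored high rather than just that it did. The enrichment records are constructed, not real Silent Push output, and the consistency check assumes the score fields listed on this page are the only ones feeding sp_risk_score.

```python
import ipaddress
from urllib.parse import urlsplit

# The 0-100 score fields listed on this page, grouped by observable type.
# sp_risk_score is defined as the highest of the other scores in the record.
DOMAIN_SCORE_FIELDS = ("listing_score", "ns_reputation_score", "ns_entropy_score")
IP_SCORE_FIELDS = ("asn_reputation", "asn_takedown_reputation", "subnet_reputation_score")


def observable_base(observable: str) -> tuple:
    """Reduce an observable to what gets enriched: ('ip', addr) or ('domain', name).

    A URL is cut down to its host (scheme, userinfo, port, path and query are
    discarded); bare domains and IPs pass through. Bracketed IPv6 literals,
    "host:port" strings and trailing dots are handled.
    """
    value = observable.strip()
    try:                                   # bare IPv4/IPv6 literal, possibly uncompressed
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    url = value if "://" in value else "//" + value
    host = urlsplit(url).hostname          # lowercased, brackets and port removed
    if not host:
        raise ValueError(f"no host in {observable!r}")
    try:
        return "ip", str(ipaddress.ip_address(host))
    except ValueError:
        return "domain", host.rstrip(".")


def explain_risk(observable: str, enrichment: dict) -> dict:
    """Recompute sp_risk_score from the type-specific score fields and name the
    fields that drive it."""
    kind, base = observable_base(observable)
    fields = IP_SCORE_FIELDS if kind == "ip" else DOMAIN_SCORE_FIELDS
    scores = {f: int(enrichment[f]) for f in fields if f in enrichment}
    sp_risk = max(scores.values(), default=0)
    drivers = sorted(f for f, s in scores.items() if s == sp_risk and sp_risk > 0)
    reported = enrichment.get("sp_risk_score")
    return {
        "observable": observable, "type": kind, "base": base,
        "sp_risk_score": sp_risk, "drivers": drivers,
        # A reported score that differs from the recomputed one means some score
        # not listed on this page fed it; flag that instead of trusting either blindly.
        "consistent": reported is None or int(reported) == sp_risk,
    }


# Constructed enrichment records for illustration; values are not real Silent Push output.
SAMPLE_ENRICHMENT = {
    "https://user:pw@Login-Update.example:8443/verify?x=1": {
        "listing_score": 92, "ns_reputation_score": 40, "ns_entropy_score": 92,
        "ip_diversity_all": 18, "sp_risk_score": 92},
    "[2001:db8::10]:443": {
        "asn_reputation": 35, "asn_takedown_reputation": 81,
        "subnet_reputation_score": 60, "density": 1, "sp_risk_score": 81},
    "203.0.113.7": {"asn_reputation": 5, "subnet_reputation_score": 3, "sp_risk_score": 60},
}


def triage(records: dict = SAMPLE_ENRICHMENT) -> list:
    """Explain every record and order by sp_risk_score, highest first."""
    return sorted((explain_risk(o, r) for o, r in records.items()),
                  key=lambda r: r["sp_risk_score"], reverse=True)


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The phishing-looking URL is reduced to login-update.example and scored by listing_score and ns_entropy_score; the bracketed IPv6 literal is recognised as an IP and scored by its ASN takedown reputation; the last record's reported score does not match any listed field, so it is marked inconsistent for a closer look.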

Domain and IP observables in enrichment also carry a set of web scanner fields, which can be a huge help when investigating potential threats. These fields are divided into five sections:
• Certificate
• Favicon
• Headers
• HTML
• JARM

Contact Information

Coordinator:

Brian Lee, Technological University of the Shannon (TUS)

Brian.lee@tus.ie
