Enriching the data in the Resilmesh framework

What is data enrichment?

Data enrichment is a threat intelligence mechanism that lets security teams pinpoint the origin,
function and risk level of a domain or IP address by applying multiple categories and sub-categories
of context, far more than a standard DNS lookup or query can provide.
Enrichment is less about volume and more about creating meaningful relationships between billions
of disparate data points. Each enrichment category is designed to help defenders and threat hunters
track attacker infrastructure across the IPv4 and IPv6 space.
Think of data enrichment as filling in a puzzle, where each unique piece of enriched data helps to
build a holistic picture of an observable (i.e., a domain, URL or IP address).

Why is data enrichment important to security operations?

Stale, unenriched DNS data cannot be relied upon as an actionable intelligence source. Security
teams that do not perform data enrichment as part of their threat analysis procedures are working with
incomplete datasets, which can lead to flawed decision making and a higher risk of intrusion.

Data enrichment with Silent Push

To map out attacker infrastructure, Silent Push collects information across 100+ domain and IP
enrichment categories that contextualize an observable’s presence on the Internet, including risk
level, web content (headers, hash values, on-page data), certificates, geographic location, passive
DNS data, and the reputation of associated infrastructure.
Defenders and threat hunters can use enriched data to join the dots across the global IPv4 and
IPv6 space and track the underlying infrastructure behind an attack, rather than relying solely on
publicly available post-breach IOCs that reflect a single point in time.

Silent Push data enrichment in the Resilmesh Framework

The introduction of Silent Push Data Enrichment into the Resilmesh Framework aims to enhance
the contextual understanding of an individual piece of domain, IP or URL data.
Inserting this enrichment function into the SOAPA framework required a holistic understanding of
the framework's function.
In the Resilmesh SOAPA framework, the Aggregation Plane is the second tier after the Infrastructure
Plane. This is where various models are introduced to collect, process, stream and store data for
meaningful use, and where our data enrichment function lies.
1.   An IP address, domain or URL is logged

2.   Data is enriched by Silent Push using its first-party database, which constantly
contextualizes an observable's presence on the Internet, including risk level, web content (headers,
hash values, on-page data), certificates, geographic location, passive DNS data, and the reputation of
associated infrastructure.

3.   Enriched data is then output via Wazuh, from where it is ingested into the Collaboration
Mesh tier of the framework.
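The three steps above as an added example, not Resilmesh, Silent Push or Wazuh code: a Python enrichment step that takes observables from constructed log events, classifies each as an IP address, domain or URL, attaches context from a constructed in-memory table that stands in for the enrichment database, pivots across that context to find related infrastructure (the "join the dots" mapping), and emits JSON lines that Wazuh can read from a file configured as a localfile with log_format json. All field names, risk thresholds and sample data are assumptions of the example, and observables with no enrichment data are emitted explicitly as unenriched rather than silently passed through.

```python
"""Enrichment step of the Aggregation Plane pipeline (added example, not
Resilmesh or Silent Push code). The enrichment source is a constructed
in-memory table standing in for a real first-party database; field names
(risk_score, passive_dns, asn, ...) are illustrative assumptions."""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample enrichment data (documentation-range addresses and
# reserved names, not real infrastructure). Keys are normalised observables.
ENRICHMENT_TABLE = {
    "203.0.113.45": {
        "risk_score": 92, "asn": 64500, "country": "ZZ",
        "passive_dns": ["login-portal.example", "secure-update.example"],
        "nameservers": [],
    },
    "login-portal.example": {
        "risk_score": 85, "asn": 64500, "country": "ZZ",
        "passive_dns": ["203.0.113.45"],
        "nameservers": ["ns1.cheap-hosting.example"],
    },
    "example.org": {
        "risk_score": 3, "asn": 64496, "country": "ZZ",
        "passive_dns": ["198.51.100.7"],
        "nameservers": ["ns1.example.net"],
    },
}

# Labels of 1-63 chars, alphabetic TLD: enough to separate hostnames from free
# text in a log field; it is not a full RFC 1035 validator.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

def classify(observable):
    """Return (kind, lookup_key). kind is 'ip', 'domain', 'url' or 'unknown';
    a URL is reduced to its hostname so it matches domain/IP table entries."""
    value = observable.strip()
    try:
        return "ip", str(ipaddress.ip_address(value))  # IPv4 and IPv6
    except ValueError:
        pass
    if "://" in value:
        # urlsplit().hostname drops scheme, userinfo, port and path, strips
        # IPv6 brackets and lowercases the host.
        host = urlsplit(value).hostname
        if host is not None and classify(host)[0] in ("ip", "domain"):
            return "url", classify(host)[1]
        return "unknown", value
    lowered = value.lower().rstrip(".")
    if _DOMAIN_RE.match(lowered):
        return "domain", lowered
    return "unknown", value

def risk_level(score):
    """Bucket a 0-100 risk score; the thresholds are an assumption here."""
    if score >= 80:
        return "high"
    if score >= 40:
        return "medium"
    return "low"

def related_observables(key, table=ENRICHMENT_TABLE):
    """Pivot across the enrichment data: observables that `key` resolves
    to/from in passive DNS, or that sit in the same ASN."""
    own = table.get(key)
    if own is None:
        return []
    related = set(own.get("passive_dns", []))
    for other, data in table.items():
        if other != key and (key in data.get("passive_dns", [])
                             or data.get("asn") == own.get("asn")):
            related.add(other)
    related.discard(key)
    return sorted(related)

def enrich(event, table=ENRICHMENT_TABLE):
    """Attach enrichment to one log event. A miss is emitted as enriched=False
    and risk_level 'unknown' so it is never mistaken for a low-risk hit."""
    kind, key = classify(event["observable"])
    data = table.get(key) if kind != "unknown" else None
    return {
        "source_event": event,
        "observable": {"raw": event["observable"], "kind": kind, "lookup_key": key},
        "enriched": data is not None,
        "enrichment": data,
        "risk_level": risk_level(data["risk_score"]) if data else "unknown",
        "related_observables": related_observables(key, table) if data else [],
    }

# Constructed log events, e.g. proxy or DNS observations from endpoints.
SAMPLE_EVENTS = [
    {"timestamp": "2024-01-01T10:00:00Z", "src_host": "ws-17", "observable": "203.0.113.45"},
    {"timestamp": "2024-01-01T10:00:02Z", "src_host": "ws-17",
     "observable": "https://user@Login-Portal.example:8443/auth?next=/"},
    {"timestamp": "2024-01-01T10:00:05Z", "src_host": "ws-22", "observable": "example.org"},
    {"timestamp": "2024-01-01T10:00:09Z", "src_host": "ws-22", "observable": "10.0.0.1"},
]

def run(events=SAMPLE_EVENTS, table=ENRICHMENT_TABLE):
    return [enrich(e, table) for e in events]

def to_json_lines(records):
    """One JSON object per line, the shape a Wazuh localfile with
    log_format json reads."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)

if __name__ == "__main__":
    print(to_json_lines(run()), end="")
```

Running the block prints four JSON lines: the first two come out as high risk and cross-reference each other through passive DNS and a shared ASN, example.org is low risk, and the RFC 1918 address 10.0.0.1 has no entry and is emitted with enriched set to false. Writing that output to a file and pointing a Wazuh localfile with log_format json at it is the hand-off to step 3; in a real deployment the table lookup would be replaced by a query to the enrichment database and the record fields would follow its schema.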

From here, security teams can use this enriched data to map out additional infrastructure by
identifying threat patterns across 100+ unique data fields grouped under the overarching categories of:
• Domain information
• WHOIS information
• DNS records
• IP Diversity
• Nameserver Information
• Nameserver Changes

Users can also see the overall risk level of an observable at a glance, using Silent Push's risk and
reputation scoring system, which is embedded in the enrichment process.

The resulting enriched data can then be ingested into the user's existing security stack, whether to
monitor live threats, collate observables into a feed, or block them with a blocking service.

The Consortium

Coordinator: Technological University of the Shannon: Midlands Midwest (IE)

Partners: GMV Innovating Solutions (ES), Masaryk University (CZ), Silent Push Limited (IE), F6S Network Ireland Limited (IE), Joanneum Research (AT), University of Murcia (ES), Jamk University of Applied Sciences (FI), Alias Robotics (ES), ALWA (IT), Regional Government Of Murcia (ES), Center for Security Studies (EL), Montimage Eurl (FR), Royal Holloway, University of London (UK)