Indicators
An indicator is a pattern type that characterizes network traffic flows or elements in a specific context. For example, a host's IP address is used to identify traffic to or from that host, and file hashes are used to identify files transferred on the network.
The pattern (referred to as an observable or match condition) is defined by type and value. For example, an IP type indicator is defined with IPv4 dotted notation (e.g. 10.0.3.8), whereas an IP_RANGE type can be given either in CIDR notation (e.g. 10.0.3.0/24) or as an address range (10.0.3.0-10.0.3.255).
In addition to the match condition, the indicator defines context as a set of metadata attributes. These attributes describe the indicator's source, its creation date and last update time, and the flows and entities it describes. The indicator may also carry actionable instructions for enforcement devices that match the indicator against network traffic, or for network visualization tools such as the Network Detection and Response (NDR) Threat Topology analytics view.
Indicator Value
Indicators are keyed by Input Feed, Type, and Value. Therefore, if the same match condition is received from multiple sources, NDR Intel retains multiple copies, each with its associated metadata.
For example, the Behavioral Port AI engine identifies an anomalous burst of emails from a source with an unknown reputation, and signs that source's IP with an IP indicator. The Input Feed for that indicator is specified as "Behavioral". The analyst can edit that indicator as needed, for example, to disable it if it was found to be a false positive. The analyst then tags the host with its domain name from the Threat Topology view. This action creates a second indicator with the same Type (IP) and Value. The engine keeps both copies, as they associate different metadata attributes with the identified host. The next time the Behavioral engine detects an anomaly on this IP, it refreshes the modification time-stamp of the indicator whose Input Feed is "Behavioral".
Indicator types are interpreted by enforcement points and are therefore mapped to the Check Point Software Blades. Each blade provides support for a set of indicator types. For example, hash types (MD5, HASH_SHA1, HASH_SHA256) only apply to the "Anti-Virus" blade, whereas IP can be matched by both "Anti-Virus" and "Anti-Bot", for pre-infection and post-infection behavior, respectively.
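The following added example (not part of the original page or of NDR Intel itself) shows how a match condition can be validated and normalised by type: IP accepts only a single dotted address, IP_RANGE accepts either the CIDR or the dash-range form described above, and the three hash types listed here are checked for hex-digest length. The `Observable` class, function names and the `covers` helper are assumptions made for the example; only the type names come from the page.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hex-digest lengths for the hash indicator types named on the page.
HASH_HEX_LENGTH = {"MD5": 32, "HASH_SHA1": 40, "HASH_SHA256": 64}


@dataclass(frozen=True)
class Observable:
    """A match condition in canonical form: indicator Type plus its Value (assumed class)."""
    type: str
    value: str


def parse_observable(ind_type: str, raw: str) -> Observable:
    """Validate a (type, value) pair and normalise the value; raise ValueError otherwise."""
    value = raw.strip()
    if ind_type == "IP":
        # A single IPv4 host in dotted notation; a prefix or a range is rejected here.
        return Observable("IP", str(ipaddress.IPv4Address(value)))
    if ind_type == "IP_RANGE":
        if "-" in value:
            # Address-range form, e.g. 10.0.3.0-10.0.3.255 (whitespace around '-' tolerated).
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in value.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start is after range end: {value}")
            return Observable("IP_RANGE", f"{lo}-{hi}")
        # CIDR form, e.g. 10.0.3.0/24; strict=True rejects host bits set (10.0.3.8/24).
        return Observable("IP_RANGE", str(ipaddress.IPv4Network(value, strict=True)))
    if ind_type in HASH_HEX_LENGTH:
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_HEX_LENGTH[ind_type], value):
            raise ValueError(f"{ind_type} value must be {HASH_HEX_LENGTH[ind_type]} hex digits")
        return Observable(ind_type, value.lower())
    raise ValueError(f"unsupported indicator type: {ind_type}")


def is_valid(ind_type: str, raw: str) -> bool:
    """Convenience wrapper: True when parse_observable accepts the pair."""
    try:
        parse_observable(ind_type, raw)
        return True
    except ValueError:
        return False


def covers(obs: Observable, address: str) -> bool:
    """True when a single IPv4 address falls inside an IP or IP_RANGE observable."""
    addr = ipaddress.IPv4Address(address)
    if obs.type == "IP":
        return addr == ipaddress.IPv4Address(obs.value)
    if obs.type == "IP_RANGE":
        if "-" in obs.value:
            lo, hi = (ipaddress.IPv4Address(p) for p in obs.value.split("-"))
            return lo <= addr <= hi
        return addr in ipaddress.IPv4Network(obs.value)
    return False  # hash observables never match an address
```

Normalising at ingest (lower-casing digests, canonical range spelling) matters because indicators are keyed by Type and Value: two spellings of the same hash would otherwise be stored as distinct indicators.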
Currently, these indicator types are supported (restrictions apply for some Check Point Security Gateway versions):
- Indicator types supported by the Anti-Virus and Anti-Bot blades, defined in sk132193.
- Snort - Supported by the IPS blade on some Check Point Security Gateway versions.
- Experimental (YARA, PCAP, REGEX, TEXT) - Available only by request.
- None - Used in cases where NDR Intel is used as a repository, for example, to configure threat visualization tag values.
Indicator Metadata
Each indicator is associated with a Name attribute, which links the indicator to its semantics. Multiple indicators can be tagged with the same Name, so that a search through the filtering facility returns all indicators with that Name.
Logs generated for Anti-Virus and Anti-Bot blade indicator matches incorporate the Name in the "protection_name" and "observable_name" log fields.
The Description attribute (optional) provides additional free-text context to the indicator. In addition, the description is incorporated in Anti-Virus and Anti-Bot blade logs.
Additional metadata attributes you can enter for an indicator may include:
- Status (ENABLED/DISABLED) - Controls whether the indicator is included in data set output feeds (if it is not expired).
- Action (DETECT/PREVENT) - A "hint" to the enforcement engine. Determines the URL on which a data set serves the indicator.
- Expiration - Date/time after which the indicator is disabled.
  Note - Expired indicators are automatically deleted from NDR Intel after 14 days.
- Confidence/Severity - Included in the indicator match log records of some blades.
- CVE/Mitre Tactic/Mitre Technique - Connects the indicator to public references.
- Data Sets - Zero, one, or more output feeds on which the indicator is published (if it is not disabled or expired).
In addition, the system maintains these attributes, which cannot be edited by the user:
- Created/Created_by/Modified/Modified_by - user name and time-stamp of creation and of the last modification.
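The added example below (my own code, not NDR Intel's) models the retention rules described in the Indicator Value section and the metadata attributes above: indicators are keyed by (Input Feed, Type, Value), so a second copy from another feed is kept alongside the first, a repeat from the same feed only refreshes Modified, a data set serves only ENABLED and unexpired members, and expired indicators are purged after 14 days. The `IndicatorStore` class, the "Analyst" and "Manual" feed names, the data set names and the time-line are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, str]  # (Input Feed, Type, Value): the indicator key


@dataclass
class Indicator:
    input_feed: str
    type: str
    value: str
    name: str
    status: str = "ENABLED"               # ENABLED / DISABLED
    action: str = "DETECT"                # DETECT / PREVENT (hint to the enforcement engine)
    expiration: Optional[datetime] = None
    data_sets: Tuple[str, ...] = ()       # output feeds the indicator is published on
    created: Optional[datetime] = None    # maintained by the store, not by the user
    modified: Optional[datetime] = None

    @property
    def key(self) -> Key:
        return (self.input_feed, self.type, self.value)

    def is_expired(self, now: datetime) -> bool:
        return self.expiration is not None and now >= self.expiration


class IndicatorStore:
    """Assumed in-memory stand-in for the NDR Intel repository."""
    PURGE_AFTER = timedelta(days=14)  # expired indicators are deleted after 14 days

    def __init__(self) -> None:
        self._items: Dict[Key, Indicator] = {}

    def upsert(self, ind: Indicator, now: datetime) -> Indicator:
        """Store a new indicator, or refresh Modified on the copy with the same key.
        The stored copy keeps its own metadata (status, action, data sets)."""
        existing = self._items.get(ind.key)
        if existing is None:
            ind.created = ind.modified = now
            self._items[ind.key] = ind
            return ind
        existing.modified = now
        return existing

    def copies_of(self, ind_type: str, value: str) -> List[Indicator]:
        """All copies of one match condition, one per Input Feed."""
        return [i for i in self._items.values() if (i.type, i.value) == (ind_type, value)]

    def publish(self, data_set: str, now: datetime) -> List[Indicator]:
        """Indicators served on a data set: member of the set, ENABLED and not expired."""
        return sorted(
            (i for i in self._items.values()
             if data_set in i.data_sets and i.status == "ENABLED" and not i.is_expired(now)),
            key=lambda i: i.key)

    def purge_expired(self, now: datetime) -> int:
        """Delete indicators whose expiration lies more than PURGE_AFTER in the past."""
        doomed = [k for k, i in self._items.items()
                  if i.expiration is not None and now - i.expiration > self.PURGE_AFTER]
        for k in doomed:
            del self._items[k]
        return len(doomed)

    def __len__(self) -> int:
        return len(self._items)


def walkthrough() -> dict:
    """Replays the page's Behavioral-engine scenario on a constructed time-line."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed start time
    store = IndicatorStore()
    # 1. The Behavioral Port AI engine signs the source IP of an anomalous e-mail burst.
    store.upsert(Indicator("Behavioral", "IP", "10.0.3.8", "Anomalous email burst",
                           data_sets=("av_detect",)), now=t0)
    # 2. The analyst tags the same host from Threat Topology: a second copy of the same
    #    (Type, Value) under another Input Feed ("Analyst" and the domain are constructed).
    store.upsert(Indicator("Analyst", "IP", "10.0.3.8", "mail.example.test"),
                 now=t0 + timedelta(hours=1))
    # 3. The engine sees the anomaly again: same key, so only Modified is refreshed.
    refreshed = store.upsert(Indicator("Behavioral", "IP", "10.0.3.8", "Anomalous email burst"),
                             now=t0 + timedelta(days=2))
    # 4. A hash indicator (placeholder digest) that expires on day 5: kept, but no longer
    #    published, and deleted once it has been expired for more than 14 days.
    store.upsert(Indicator("Manual", "HASH_SHA256", "0" * 64, "old sample",
                           data_sets=("av_detect",), expiration=t0 + timedelta(days=5)), now=t0)
    return {
        "copies": len(store.copies_of("IP", "10.0.3.8")),
        "refresh_days": (refreshed.modified - refreshed.created).days,
        "published_day6": [i.input_feed for i in store.publish("av_detect", t0 + timedelta(days=6))],
        "purged_day20": store.purge_expired(t0 + timedelta(days=20)),
        "remaining": len(store),
    }
```

The point for a consumer of the output feeds is that `publish` is evaluated at serving time: an indicator drops out of a data set the moment it expires or is disabled, while the record itself survives for the 14-day grace period so an analyst can still see why a host was flagged.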
Indicator Management
NDR Intel implements a simple indicator management concept for analysts to manage large quantities of indicators. These operations can be invoked from the portal, or through API commands:
- New - Create a new indicator, specifying match condition and metadata.
- Add from File - Bulk-import indicators into NDR Intel from a file.
- Delete - Delete the selected indicator(s) from the NDR Intel repository.
- Edit - Change the attributes of a single indicator.
- Bulk Edit - Change attributes for multiple selected indicators.
- PREVENT - Easy to use "red button" to change the selected indicators' Action to PREVENT.
Indicators are displayed in pages. You can select the page size; the default is to display 20 indicators at a time. The Select All check box selects only the indicators on the displayed page. The bottom of the screen shows which page is currently displayed and lets you move to a different page.
The Filtering option narrows the set of indicators displayed. To sort, click an individual column heading. You can then select the currently displayed indicator subset and perform bulk edit or bulk delete operations.
This example illustrates the paradigm. A customer wants a staging process in which only vetted indicators are "Enabled" and published to the enforcement points. If the input feed policy specifies that newly created indicators default to DISABLED status, you can filter on the specific Input Feed and Status DISABLED, sort in descending order by modification date, select the indicators to enable, and then click "Bulk Edit":
Notes:
Similarly, indicator confidence, severity, and action (DETECT/PREVENT) are defined per Input Feed through Policy. New indicators can be created with the DETECT action and upgraded to PREVENT after a suitable triage period in which the false positive ratio is deemed acceptable. These triage processes can be performed manually or automated.
Filtering
Filters determine the indicators that are shown on the Indicators tab.
The indicators that match the defined filters are shown in descending order (default) on the Modified time-stamp. Click a column heading to sort that column. Click again to reverse the sort order.
Click the filter button to open the FILTERS tab. By default, no filters are defined, and all indicators are shown. CLEAR FILTERS reverts to that state.
- Name – Exact match on the indicator Name attribute
- Enabled – Display only Enabled or only Disabled indicators
- Action – Display only Prevent or only Detect indicators
- Blade – Select one Blade to show indicators
- Type – Select multiple check boxes for indicator Type
- Confidence, Severity – Display a single Confidence and/or Severity attribute
- Value – Exact match on the indicator Value attribute
- Description – Prefix match on the indicator Description attribute
- Created By, Modified By – Exact match on user name (up to the @ character)
- Data Sets – Select multiple check boxes for Data Sets
- Input Feed – Display indicators from an input feed selected from the drop-down menu