Saturday, June 2, 2012

ELSA with the Collective Intelligence Framework

The Collective Intelligence Framework (CIF) is an incredible project that I've blogged about previously.  Until recently, ELSA's integration with it was read-only: search results and batch jobs could be run through CIF to enhance and/or filter the results using CIF's collection of public and private intel.  As of today, ELSA can also add results directly to your local CIF instance through the web interface, either as a batch of many results via the "Results" menu button or as a single result via the "Info" link next to the record.
"Send to CIF" is now a menu item in the "Plugins" menu.  Its optional parameters are a comma-separated list of two values: the description to attach to the submission, and a field override that names exactly which field in the record you are adding.  By default, ELSA chooses the field for you based on the known fields (srcip, dstip, hostname, and site) and submits the external IP address (which only works if you've added your local subnets to the config file, since that is how ELSA decides which side of a connection is external).  The config file also has a place to specify per-class field defaults for submissions.  In the shipped config, the Bro DNS class submits the "hostname" field by default instead of the external IP address, because it's generally the host being queried that is malicious, not the external DNS server that answered.
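To make the field-selection rule above concrete, here is an added illustration of it in Python.  It is not ELSA's own code (ELSA is written in Perl) and it talks to no CIF server; the config values, the class name "BRO_DNS", the field names beyond the four the post lists, and the sample records are all constructed for the example.  It also assumes that a record whose source and destination are both in local subnets is skipped rather than submitted, which the post does not spell out.

```python
import ipaddress

# Constructed config, mirroring the two knobs the post describes: the local
# subnets used to decide which IP in a record is external, and per-class
# field defaults (Bro DNS submits the queried hostname, not the server IP).
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
CLASS_FIELD_DEFAULTS = {"BRO_DNS": "hostname"}   # class name is an assumption
KNOWN_FIELDS = ("srcip", "dstip", "hostname", "site")


def is_local(ip):
    """True if ip parses as an address inside one of LOCAL_SUBNETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_SUBNETS)


def choose_cif_field(record, field_override=None):
    """Pick (field, value) to submit for one ELSA-style record, or None.

    Precedence: explicit override, then the per-class default, then the
    external IP among srcip/dstip, then hostname or site.
    """
    if field_override:
        value = record.get(field_override)
        return (field_override, value) if value else None

    default = CLASS_FIELD_DEFAULTS.get(record.get("class"))
    if default and record.get(default):
        return (default, record[default])

    # Submit whichever side of the connection is not in a local subnet.
    # A purely internal flow yields nothing (assumption, see lead-in).
    for field in ("srcip", "dstip"):
        value = record.get(field)
        if value and not is_local(value):
            return (field, value)

    for field in ("hostname", "site"):
        if record.get(field):
            return (field, record[field])
    return None


def build_submissions(records, description, field_override=None):
    """Turn a batch of records into de-duplicated CIF submission dicts.

    The dict layout is illustrative only; it is not CIF's API schema.
    """
    seen = set()
    submissions = []
    for record in records:
        choice = choose_cif_field(record, field_override)
        if choice is None:
            continue
        field, value = choice
        if value in seen:
            continue
        seen.add(value)
        submissions.append({"address": value, "field": field,
                            "description": description})
    return submissions


# Constructed sample records in the shape ELSA searches return.
SAMPLE_RECORDS = [
    {"class": "SNORT", "srcip": "192.168.1.50", "dstip": "203.0.113.7"},
    {"class": "SNORT", "srcip": "203.0.113.7", "dstip": "192.168.1.51"},
    {"class": "BRO_DNS", "srcip": "192.168.1.50", "dstip": "203.0.113.53",
     "hostname": "bad.example"},
    {"class": "SNORT", "srcip": "10.1.1.1", "dstip": "10.2.2.2"},
]

if __name__ == "__main__":
    for s in build_submissions(SAMPLE_RECORDS, "blackhole"):
        print(s)
```

Running the block submits 203.0.113.7 once (both alerts resolve to the same external address), the queried hostname for the Bro DNS record, and nothing for the internal-only flow.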

Once added to CIF, future searches can take advantage of the intel.  For instance, the screenshot below shows a query looking for any IDS alerts involving IPs known to CIF.
The screenshot also illustrates the use of the anonymize transform to obfuscate local IP addresses.

In addition to live queries, automated reports (alerts) can be sent to the CIF connector, which means you can automatically submit all external IPs matching given criteria to CIF.  The Blackhole Suricata alert shown above is a good candidate.  By clicking the "Results" button and selecting "Alert," you can choose CIF instead of Email as the connector, and from then on any future results for that search will be classified in CIF.

It is my hope that by allowing the same interface used for retrieving and processing security data to classify security intel, a significant step can be made towards sharing this intel between organizations.