Analytic Story: Brand Monitoring
Description
Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.
Why it matters
While you can educate your users and customers about the risks and threats posed by typosquatting, phishing, and corporate espionage, human error is a persistent fact of life. Your adversaries are all too aware of this and will happily exploit it whenever possible: phishing with lookalike addresses, embedding faux command-and-control domains in malware, and hosting malicious content on domains that closely mimic your corporate servers. This is where brand monitoring comes in.
You can use our adaptation of DNSTwist, together with the support searches in this Analytic Story, to generate permutations of specified brands and external domains. Splunk can then monitor email, DNS requests, and web traffic for these permutations and provide you with early warnings and situational awareness, both powerful elements of an effective defense.
Notable events will include IP addresses, URLs, and user data. Drilling down can provide you with even more actionable intelligence, including likely geographic information, contextual searches to help you scope the problem, and investigative searches.
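How the permutation-and-match idea works in practice, as an added example that is not DNSTwist's code, Splunk's lookup script, or the searches in this story: the block below generates a DNSTwist-style set of lookalikes for one brand domain (omission, repetition, keyboard-adjacent replacement and insertion, transposition, hyphenation, ASCII homoglyphs, addition and TLD swap) and then sweeps constructed DNS, email and web-proxy log lines for them, one sweep per detection in this story. The brand `splunk.com`, the allowlisted `splunk.net`, the log line formats and every hostname in the sample lines are assumptions made for the illustration.

```python
"""Lookalike-domain generation and log sweeps: an added illustration of the
technique this story describes, not DNSTwist's code or Splunk's lookup."""
import re
import string
from urllib.parse import urlparse

# QWERTY neighbours, used for the "replacement" and "insertion" permutations.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "wedxza", "t": "rfgy", "u": "yhji",
    "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Confusable ASCII glyphs. Everything is lower-cased first, so a capital I in
# "spIunk.com" becomes "spiunk.com" and is covered by l -> i.
HOMOGLYPHS = {"o": "0", "l": "1i", "i": "1l", "e": "3", "a": "4",
              "s": "5", "g": "9", "b": "d", "d": "b"}
MULTI_GLYPHS = [("rn", "m"), ("m", "rn"), ("vv", "w"), ("w", "vv"), ("cl", "d")]
ALT_TLDS = ["com", "net", "org", "co", "info", "biz", "us"]


def permutations(domain, allowlist=()):
    """Lookalikes of 'name.tld'. Domains the brand really owns (allowlist,
    a hypothetical input) are removed so they never raise an alert."""
    name, _, tld = domain.lower().rpartition(".")
    names = set()
    for i, ch in enumerate(name):
        names.add(name[:i] + name[i + 1:])                  # omission: spunk
        names.add(name[:i] + ch + name[i:])                 # repetition: spplunk
        for c in ADJACENT.get(ch, ""):
            names.add(name[:i] + c + name[i + 1:])          # replacement: spkunk
            names.add(name[:i] + c + name[i:])              # insertion: spklunk
        for c in HOMOGLYPHS.get(ch, ""):
            names.add(name[:i] + c + name[i + 1:])          # homoglyph: sp1unk
        if i < len(name) - 1:
            names.add(name[:i] + name[i + 1] + ch + name[i + 2:])  # transposition: spulnk
        if i > 0:
            names.add(name[:i] + "-" + name[i:])            # hyphenation: sp-lunk
    names.update(name + c for c in string.ascii_lowercase)  # addition: splunka
    names.update(name.replace(s, d) for s, d in MULTI_GLYPHS if s in name)
    names -= {name, ""}
    out = {f"{n}.{tld}" for n in names}
    out.update(f"{name}.{t}" for t in ALT_TLDS if t != tld)  # TLD swap: splunk.co
    return out - {d.lower() for d in allowlist}


def lookalike_for(fqdn, lookalikes):
    """The lookalike that fqdn equals or sits under (www.sp1unk.com -> sp1unk.com)."""
    fqdn = fqdn.lower().rstrip(".")
    return next((d for d in lookalikes if fqdn == d or fqdn.endswith("." + d)), None)


def sweep(lines, host_of, lookalikes):
    """Generic log sweep: host_of(line) yields candidate hostnames; returns
    (observed_host, matched_lookalike) pairs, i.e. the notable-event material."""
    hits = []
    for line in lines:
        for host in host_of(line):
            d = lookalike_for(host, lookalikes)
            if d:
                hits.append((host, d))
    return hits


def dns_hosts(line):
    return re.findall(r"query=(\S+)", line)


def email_hosts(line):
    # every address on the line: sender, recipients, whatever is present
    return re.findall(r"[\w.+-]+@([\w.-]+)", line)


def web_hosts(line):
    return [urlparse(u).hostname or "" for u in re.findall(r"url=(\S+)", line)]


# Constructed sample log lines (not real telemetry); the key=value layout is assumed.
DNS_LOG = [
    "2024-05-01T10:00:01Z src=10.1.2.3 query=www.splunk.com type=A",
    "2024-05-01T10:00:02Z src=10.1.2.4 query=www.sp1unk.com type=A",
    "2024-05-01T10:00:03Z src=10.1.2.5 query=updates.example.net type=A",
    "2024-05-01T10:00:04Z src=10.1.2.6 query=spunk.com type=A",
]
EMAIL_LOG = [
    'from=alice@splunk.com to=bob@corp.example subject="Q2 report"',
    'from=billing@spIunk.com to=bob@corp.example subject="Invoice overdue"',
    'from=noreply@github.com to=bob@corp.example subject="Security alert"',
]
WEB_LOG = [
    "src=10.1.2.3 url=https://www.splunk.com/en_us/download.html status=200",
    "src=10.1.2.7 url=http://splunk.co/login?next=/home status=200",
    "src=10.1.2.8 url=https://docs.python.org/3/ status=200",
]


def report(brand="splunk.com", allowlist=("splunk.net",)):
    """Run all three sweeps; mirrors the story's three detections."""
    p = permutations(brand, allowlist)
    return {
        "dns": sweep(DNS_LOG, dns_hosts, p),
        "email": sweep(EMAIL_LOG, email_hosts, p),
        "web": sweep(WEB_LOG, web_hosts, p),
    }


if __name__ == "__main__":
    for source, hits in report().items():
        for host, match in hits:
            print(f"{source}: {host} looks like brand permutation {match}")
```

In a Splunk deployment the generated set is the lookup the three searches join against, and the allowlist matters: a TLD swap such as `splunk.co` may be a domain the company registered defensively, so confirm ownership before alerting on it. The match above is exact-or-subdomain only, so a brand name buried inside an unrelated domain (for example `splunk.login-portal.example`) needs a separate substring rule, and an adversary can choose a permutation outside this list (bit-squatting, non-ASCII homoglyphs), so treat the set as a first net rather than a complete one.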
Detections
Name | Technique | Type |
---|---|---|
Monitor Email For Brand Abuse | None | TTP |
Monitor DNS For Brand Abuse | None | TTP |
Monitor Web Traffic For Brand Abuse | None | TTP |
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
References
- https://www.zerofox.com/blog/what-is-digital-risk-monitoring/
- https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/
- https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/
Source: GitHub | Version: 1