IP Address Alert Investigations: Correlating and Mapping with MITRE ATT&CK

An Internet Protocol (IP) address is the digital equivalent of your home address. Your home has a unique identification number that gives information about your physical geographic location, like road, city, state, and country. An IP address provides similar information about the people and devices connected to a network.

 

As you build out your incident detection and response capabilities, you should consider how IP address alert investigations map to the MITRE ATT&CK Framework and how to correlate these alerts with other information generated by your environment.

Why are IP addresses important to security alerts?

An IP address links a device connected to a network with a physical location. Incorporating IP addresses into security alerts provides insight into:

  • Device’s or user’s geographic location, like state, city, country
  • Other alerts related to the address
  • Devices in the organization communicating with the IP address
  • Information about the IP address, like the number of devices communicating with it, when it was first seen or last seen

 

Mapping IP Address Information to ATT&CK

Mapping threat detection and incident response (TDIR) activities to the ATT&CK Framework enables you to correlate the information that your logs provide with attackers’ tactics, techniques, and procedures (TTPs). By understanding the threat actors’ objectives, you can more rapidly investigate a security incident since you can make a hypothesis about what they plan to do.

 

Typically, IP address activity maps to the Initial Access tactic, but it can also correlate across others. Some alerts related to IP addresses that indicate a malicious actor potentially trying to gain unauthorized initial access to systems and networks include:

  • Activity from an anonymous IP address: Attackers often use anonymous IP addresses to hide a device and malicious activity.
  • Activity from an abnormal country: Profiling your environment and typical user access enables you to identify activity from a country that users rarely visit, which can indicate potential malicious actor access.
  • Activity from a suspicious IP address: Threat intelligence feeds and other resources can provide insight into IP addresses considered “risky” as they have been linked to malicious activities, like password spray attacks or command and control (C2) servers.
  • Impossible travel: Individual user activity generated in two different geographic locations within a time frame shorter than the time it would take to travel between them.
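
The impossible travel check described above, as an added Python example that is not code from the original article or from Graylog. It assumes geo-IP lookups have already attached coordinates to each login, and the 900 km/h speed limit and 100 km minimum distance are assumed tuning values.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, min_km=100.0):
    """Return (previous, current, km, km/h) for consecutive logins of one user
    that would require travelling faster than max_speed_kmh."""
    findings, last = [], {}
    for cur in sorted(logins, key=lambda l: l.ts):
        prev = last.get(cur.user)
        last[cur.user] = cur
        if prev is None or prev.ip == cur.ip:
            continue
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if km < min_km:  # geo-IP is coarse; ignore nearby locations
            continue
        hours = (cur.ts - prev.ts).total_seconds() / 3600
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            findings.append((prev, cur, round(km), round(speed)))
    return findings

# Constructed sample events (documentation IP ranges, geo-IP already resolved).
SAMPLE = [
    Login("alice", datetime(2024, 5, 1, 9, 0), "203.0.113.10", 40.71, -74.01),   # New York
    Login("alice", datetime(2024, 5, 1, 10, 30), "198.51.100.7", 51.51, -0.13),  # London
    Login("bob", datetime(2024, 5, 1, 8, 0), "203.0.113.20", 48.86, 2.35),       # Paris
    Login("bob", datetime(2024, 5, 2, 8, 0), "198.51.100.9", 52.52, 13.40),      # Berlin
]
```

Known VPN or proxy egress addresses will trigger this check for legitimate users, so a finding is a lead to correlate with the other alerts rather than a verdict on its own.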

 

Additional Events to Correlate with Suspicious IP Address Alerts

IP address alerts are only the first activity indicating a potential security incident. By correlating alerts and activity across the various ATT&CK tactics, you can create a more complete picture of what malicious actors might do and how to reduce an incident’s impact.

 

Execution

Execution means that the threat actors are trying to run malicious code on a local or remote system, often using it to achieve broader objectives.

 

When correlated with IP address alerts, some additional alerts and indicators that can help you detect these activities include:

  • Multiple storage deletion: A single user deleting an abnormal number of cloud storage or database resources, like Azure blobs or AWS S3 buckets.
  • Multiple Virtual Machine (VM) creations: A user creates an abnormal number of VMs compared to the established baseline activity, potentially indicating a security incident like crypto mining.
  • Suspicious creation activity in an abnormal geographic region: A user creates new resources in a geographic region, like an AWS region, that deviates from their established baseline activity, potentially indicating a security incident like crypto mining.

 

Persistence

Persistence means that the threat actor is trying to maintain access to systems even when the organization attempts to restart devices, change credentials, or engage in other containment or eradication activities.

 

When correlated with IP address alerts, some additional alerts and indicators that can help you detect these activities include:

  • Terminated user performing activity: Activity detected from users whose employment was terminated might indicate a malicious insider or threat actors using stolen/leaked credentials.
  • Unauthorized changes to logging services: Attempts to disable logging may indicate a potential threat actor trying to hide activities.
  • Suspicious email deletion: A user permanently deleting emails, often from an abnormal IP address or geographic region, can indicate a potential attempt to hide emails related to phishing or spam activities.
  • Suspicious inbox manipulation: Rules that manipulate emails, like deleting or moving messages from an inbox, might indicate attempts to prevent users from noticing that threat actors are using the email address for malicious purposes, like spam or phishing activities.

 

Privilege escalation

Privilege escalation means that the threat actors are trying to gain higher level access permissions within a target system or network so that they can access sensitive data or gain control over resources or devices.

 

When correlated with IP address alerts, additional alerts or indicators that can help you detect these activities include:

  • Unusual administrator activity: A potential account compromise or malicious privilege escalation typically involves abnormal actions taken by the administrative user’s account, like changing a security setting or creating new, unauthorized privileged accounts.
  • Unusual access by standard account: A standard user account accesses privileged resources or makes system changes outside of its normal activity, like a standard user accessing a database containing sensitive customer information or using root access.

 

Credential access

Credential access means the threat actors are trying to steal user IDs and passwords so they can hide their unauthorized access as legitimate users.

 

When correlated with IP address alerts, additional alerts or indicators that can help you detect these activities include:

  • Multiple failed login attempts: Failed login attempts can be either an end user's error with their password or malicious actors trying stolen/leaked credentials, so the organization should have a baseline of normal user activity.
  • Abnormal user behavior: User accounts accessing resources outside of working hours or accessing typically unused resources may indicate malicious actors using stolen/leaked credentials.

 

Collection

Collection means that threat actors are attempting to gather data to achieve their objective, often as part of exfiltration.

 

When correlated with IP address alerts, additional alerts or indicators that can help you detect these activities include:

  • Multiple resources shared: Abnormal user behavior that includes sharing multiple or unrelated resources during a single session can indicate a potential security incident.
  • Suspicious resource sharing: A user sharing files that contain sensitive information, like personally identifiable information (PII) or financial information, may indicate a potential security incident.
  • Abnormal network traffic spikes: High volumes of “east-west” network traffic beyond known baseline activity may indicate a potential security incident, like a virus or worm on the network.

 

Exfiltration

Exfiltration means that the threat actors are attempting to steal data, typically manipulating file size or using encryption to evade detection.

 

When correlated with IP address alerts, additional alerts or indicators that can help you detect these activities include:

  • Suspicious email forwarding: Manipulation rules, like forwarding all or forwarding specific messages, may indicate that malicious actors have gained control of a user’s inbox or account.
  • Unusual file download: Users downloading files containing sensitive data from cloud resources may indicate that malicious actors are stealing data.
  • Unusual file share activity: Users sharing files from a cloud resource may indicate that malicious actors have unauthorized access and are attempting to share data with another account that they control.
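
One way to correlate an IP address alert with the follow-on events listed in the sections above, as an added Python example that is not code from the original article or from Graylog. The event-type names, the 24-hour window, and the sample events are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Event type -> ATT&CK tactic, following this article's groupings.
# The event-type names are hypothetical labels, not a product schema.
TACTIC = {
    "anonymous_ip": "Initial Access",
    "impossible_travel": "Initial Access",
    "multiple_vm_creation": "Execution",
    "logging_disabled": "Persistence",
    "new_privileged_account": "Privilege Escalation",
    "multiple_failed_logins": "Credential Access",
    "multiple_resources_shared": "Collection",
    "email_forwarding_rule": "Exfiltration",
}
IP_ALERTS = {"anonymous_ip", "impossible_travel"}

def correlate(events, window=timedelta(hours=24)):
    """For each IP address alert, gather the same user's later events inside
    the window and list the distinct tactics in the order they were seen."""
    events = sorted(events, key=lambda e: e["ts"])
    cases = []
    for alert in (e for e in events if e["type"] in IP_ALERTS):
        related = [e for e in events
                   if e["user"] == alert["user"] and e["type"] not in IP_ALERTS
                   and alert["ts"] <= e["ts"] <= alert["ts"] + window]
        tactics = []
        for e in [alert] + related:
            tactic = TACTIC.get(e["type"], "Unmapped")
            if tactic not in tactics:
                tactics.append(tactic)
        cases.append({"user": alert["user"], "ip": alert["ip"],
                      "tactics": tactics, "followups": len(related)})
    # Alerts followed by activity across more tactics are triaged first.
    return sorted(cases, key=lambda c: len(c["tactics"]), reverse=True)

def ev(user, kind, minutes, ip=None):
    """Build one constructed sample event, offset in minutes from 09:00."""
    return {"user": user, "type": kind, "ip": ip,
            "ts": datetime(2024, 5, 1, 9, 0) + timedelta(minutes=minutes)}

SAMPLE = [  # constructed events; IPs are from documentation ranges
    ev("alice", "anonymous_ip", 0, "203.0.113.10"),
    ev("alice", "logging_disabled", 20),
    ev("alice", "multiple_vm_creation", 45),
    ev("alice", "email_forwarding_rule", 120),
    ev("bob", "anonymous_ip", 60, "198.51.100.7"),
    ev("bob", "multiple_vm_creation", 60 * 72),  # outside the 24 h window
    ev("carol", "logging_disabled", 30),         # no IP alert: no case opened
]
```

Calling `correlate(SAMPLE)` ranks the alert followed by activity in several tactics ahead of the isolated one, which is the triage ordering the correlation is meant to produce.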

 

Graylog: Faster Threat Detection and Incident Response (TDIR) for IP Address Alert Investigations

With Graylog Security, you can use prebuilt content to map security events to MITRE ATT&CK. By combining Sigma rules and MITRE ATT&CK, you can create high-fidelity alerting rules that enable robust threat detection, lightning-fast investigations, and streamlined threat hunting. For example, with Graylog’s security analytics, you can monitor user activity for anomalous behavior indicating a potential security incident. By mapping this activity to the MITRE ATT&CK Framework, you can detect and investigate adversary attempts at using Valid Accounts to gain Initial Access, mitigating risk by isolating compromised accounts earlier in the attack path and reducing impact.

 

Graylog’s risk scoring capabilities enable you to streamline your TDIR by aggregating and correlating the severity of the log message and event definitions with the associated asset, reducing alert fatigue and allowing security teams to focus on high-value, high-risk issues.
