brand_monitoring.yml
```yaml
name: Brand Monitoring
id: 91c676cf-0b23-438d-abee-f6335e1fce78
version: 1
date: '2017-12-19'
author: David Dorsey, Splunk
description: Detect and investigate activity that may indicate that an adversary is
  using faux domains to mislead users into interacting with malicious infrastructure.
  Monitor DNS, email, and web traffic for permutations of your brand name.
narrative: 'While you can educate your users and customers about the risks and threats
  posed by typosquatting, phishing, and corporate espionage, human error is a persistent
  fact of life. Of course, your adversaries are all too aware of this reality and
  will happily leverage it for nefarious purposes whenever possible--phishing with
  lookalike addresses, embedding faux command-and-control domains in malware, and
  hosting malicious content on domains that closely mimic your corporate servers.
  This is where brand monitoring comes in.\
  You can use our adaptation of `DNSTwist`, together with the support searches in
  this Analytic Story, to generate permutations of specified brands and external domains.
  Splunk can monitor email, DNS requests, and web traffic for these permutations and
  provide you with early warnings and situational awareness--powerful elements of
  an effective defense.\
  Notable events will include IP addresses, URLs, and user data. Drilling down can
  provide you with even more actionable intelligence, including likely geographic
  information, contextual searches to help you scope the problem, and investigative
  searches.'
references:
- https://www.zerofox.com/blog/what-is-digital-risk-monitoring/
- https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/
- https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/
tags:
  analytic_story: Brand Monitoring
  category:
  - Abuse
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
```
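The narrative describes generating DNSTwist-style permutations of a brand domain and matching DNS queries against them. The following is an added example, not code from this Analytic Story or from DNSTwist: it implements a small subset of the DNSTwist fuzzers (omission, transposition, hyphenation, homoglyph, insertion) for an assumed brand domain `exampleshop.com` and runs the list over a constructed DNS log in an assumed `query=<name>` format.

```python
"""Brand monitoring: brand-domain permutations matched against DNS query logs."""
import re

# Constructed sample DNS log (not real data); the query= field format is assumed.
SAMPLE_DNS_LOG = """\
2017-12-19T10:01:02Z client=10.0.0.5 query=www.exampleshop.com type=A
2017-12-19T10:01:09Z client=10.0.0.7 query=examplesh0p.com type=A
2017-12-19T10:02:15Z client=10.0.0.9 query=mail.google.com type=MX
2017-12-19T10:03:44Z client=10.0.0.5 query=exmapleshop.com type=A
2017-12-19T10:04:01Z client=10.0.0.8 query=example-shop.com type=A
"""

# A few visually similar digit substitutions (subset of the DNSTwist homoglyph set).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
QUERY_RE = re.compile(r"query=(?P<qname>[\w.-]+)")


def permutations(domain: str) -> set:
    """Lookalikes of `domain` ('exampleshop.com'): omission, transposition,
    hyphenation, homoglyph and single-character insertion. Excludes the original."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                                  # omission
        if i < len(name) - 1:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])      # transposition
        if i > 0:
            out.add(name[:i] + "-" + name[i:])                            # hyphenation
        if name[i] in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])        # homoglyph
    for i in range(len(name) + 1):
        for ch in "abcdefghijklmnopqrstuvwxyz0123456789":
            out.add(name[:i] + ch + name[i:])                             # insertion
    out.discard(name)
    return {f"{p}.{tld}" for p in out}


def match_dns_log(log_text: str, brand_domain: str) -> list:
    """Return (queried_name, matched_lookalike) for each log line whose queried
    name is a lookalike, or a subdomain of one. Real brand hosts are not flagged."""
    lookalikes = permutations(brand_domain)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        labels = m.group("qname").lower().rstrip(".").split(".")
        for k in range(len(labels) - 1):          # walk parents: a.b.c -> b.c
            candidate = ".".join(labels[k:])
            if candidate in lookalikes:
                hits.append((".".join(labels), candidate))
                break
    return hits
```

In Splunk the permutation set would be written to a lookup and the match done in the search itself; this in-memory version only illustrates what the support searches compare.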