Listen to this Post
Introduction:
Salesforce’s security team has set a new benchmark in threat intelligence sharing by releasing a detailed report on a Gainsight app compromise, suspected to be the work of groups like Scattered Spider or Lapsus$. Unlike typical, sterile lists of Indicators of Compromise (IOCs), this report provides enriched, contextualized data including timestamps of when each IOC was active and specific tagging of the associated infrastructure. This granularity transforms raw data into actionable intelligence, empowering Security Operations Center (SOC) and threat hunting teams to conduct precise, retrospective searches and quickly determine the maliciousness of observed activity.
Learning Objectives:
- Understand how to parse and operationalize enriched IOC reports like Salesforce’s.
- Learn to hunt for specific threats across network and endpoint logs using provided IOCs.
- Develop proactive detection rules based on advanced threat intelligence.
You Should Know:
- Decoding the Salesforce IOC Report: From Data to Action
The power of Salesforce’s report lies in its context. Instead of just an IP address, they provided `172.113.237.48` with the note it was a residential proxy, and `104.3.11.1` as another potential proxy, along with the timestamps these were active during the intrusion. This immediately tells defenders that the attack originated from proxy infrastructure, a common technique to blend in with normal user traffic. The first step is to acquire and understand this data.
Step-by-Step Guide:
Step 1: Acquire the IOCs. The IOCs are hosted on the Salesforce Help portal at the provided URL: `https://help.salesforce.com/s/articleView?id=005229029&type=1`. Security teams should bookmark this and similar pages from other vendors.
Step 2: Parse the Data. Manually review the report, but for operationalization, you need to extract the IOCs into a machine-readable format (e.g., a CSV or a STIX/TAXII feed). You can use simple command-line tools to start building your blocklists or hunting queries.
On a Linux system, you could quickly create a list of IPs for analysis:
Create a simple text file of IOCs for scripting echo "172.113.237.48" > salesforce_iocs_ips.txt echo "104.3.11.1" >> salesforce_iocs_ips.txt
Step 3: Contextualize the IOCs. Research the provided tags. As noted by analysts, `172.113.237.48` is linked to residential proxy services like NSocks. This means simple IP-based blocking might be less effective, as the attacker can rotate through the proxy pool. The focus must shift to detecting the behavior that originates from these IPs.
- Threat Hunting with Enriched IOCs in Your Network
With the contextualized IOCs, you can now search your own network logs for evidence of compromise or reconnaissance. The provided timestamps are critical; you only need to look for activity that occurred within that specific window, drastically reducing false positives.
Step-by-Step Guide:
Step 1: Query Your Firewall and Proxy Logs. Search for outbound or inbound connections to the listed IPs during the active time frames.
Example Splunk Query for Proxy Logs:
index=proxy (src_ip=172.113.237.48 OR src_ip=104.3.11.1) earliest="06/01/2024:00:00:00" latest="06/15/2024:23:59:59" | table _time, src_ip, dest_host, url, user_agent
Linux Command Line (using `grep` on access logs):
grep -E "172.113.237.48|104.3.11.1" /var/log/nginx/access.log | awk -v d1="[01/Jun/2024" -v d2="[15/Jun/2024" '$4 >= d1 && $4 <= d2'
Windows Command (using PowerShell):
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5156; StartTime='06/01/2024'; EndTime='06/15/2024'} | Where-Object {$<em>.Message -like "172.113.237.48" -or $</em>.Message -like "104.3.11.1"}
Step 2: Correlate Findings. Any hits must be investigated. Check what user or system initiated the connection, what was accessed, and if it aligns with known legitimate traffic patterns.
3. Endpoint Investigation for Associated Artifacts
While the initial report may focus on network IOCs, attacks leave traces on endpoints. Hunt for processes that communicated with these IPs or for related file hashes and registry keys that might be included in the full report.
Step-by-Step Guide:
Step 1: Check Network Connections on Endpoints. Use built-in OS tools to look for established connections or recent connections to the suspect IPs.
On Linux:
Check for established connections netstat -tulnp | grep 172.113.237.48 Check for any recent connections in logs journalctl --since="2024-06-01" --until="2024-06-15" | grep -i "172.113.237.48"
On Windows (PowerShell):
Get active TCP connections
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -eq "172.113.237.48"}
Step 2: Process Creation Logging. Use Windows Security Auditing (Event ID 4688) or Linux auditd to investigate processes that were spawned around the time of the network connections. Look for suspicious parent-child process relationships, like `cmd.exe` spawning whoami.exe.
4. Building Proactive Detections for Residential Proxy Use
Since the attacker used residential proxies, creating a detection for this specific technique is a powerful long-term defense.
Step-by-Step Guide:
Step 1: Leverage Threat Intelligence Feeds. Subscribe to feeds that tag IP addresses as belonging to residential proxy networks (e.g., CrowdStrike, VirusTotal, or specialized services).
Step 2: Create a Correlation Rule. In your SIEM, build a rule that alerts when a corporate internal IP (not from a VPN range) makes an outbound connection to a known residential proxy IP. This could indicate a compromised machine being used as an exit node or a user violating policy.
Example Sigma Rule (YAML):
title: Outbound Connection to Residential Proxy status: experimental description: Detects outbound connections to known residential proxy IP ranges. logsource: category: firewall detection: selection: dest_ip: - '172.113.237.0/24' Example from report Add other ranges from intel feeds condition: selection falsepositives: - Legitimate traffic from users who have installed P2P software. level: medium
Step 3: Tune and Refine. This rule will have false positives. Work with your network team to identify and whitelist any legitimate uses of such services.
5. Integrating IOC Context into Your Security Playbooks
The final step is to ensure this new standard of intelligence is baked into your incident response (IR) process.
Step-by-Step Guide:
Step 1: Update IOC Management Procedures. Mandate that any IOCs ingested into your Threat Intelligence Platform (TIP) or SIEM must be enriched with context like campaign, first-seen/last-seen timestamps, and confidence level, mirroring the Salesforce report.
Step 2: Automate Enrichment. Use APIs from services like VirusTotal, Shodan, or AbuseIPDB to automatically append context to any new IOCs your team handles.
Step 3: Train the SOC. Ensure your Tier 1 and Tier 2 analysts understand the difference between a raw IP and a “residential proxy IP active during the Gainsight campaign.” This context allows them to prioritize alerts correctly and respond with greater confidence.
What Undercode Say:
- Context is the King of Threat Intelligence. Raw IOCs are commodities; their associated context—timestamps, infrastructure type, and TTPs—is what provides true defensive value and enables efficient hunting.
- Transparency Elevates the Entire Ecosystem. When industry leaders like Salesforce share detailed, actionable intelligence, they create a rising tide that lifts all security boats, forcing adversaries to work harder and increasing collective resilience.
The analysis from the cybersecurity community underscores a critical shift. For years, defenders have been inundated with data but starved for intelligence. Salesforce’s move demonstrates a mature understanding of what defenders actually need to be effective. It’s not about providing more data, but about providing smarter data. This approach directly counters the tactics of groups like Scattered Spider, who rely on obfuscation and living-off-the-land techniques. By tagging infrastructure as “residential proxy,” the report immediately directs defenders to hunt for a specific, sophisticated technique rather than just a generic malicious IP. This sets a precedent that will put pressure on other vendors to follow suit, ultimately leading to a more intelligence-driven security posture across the industry.
Prediction:
This act of detailed, contextualized intelligence sharing by Salesforce will catalyze a industry-wide shift. Within the next 12-18 months, we predict that the majority of major technology and cloud service providers will adopt a similar standard for their public-facing incident reports. This will force advanced persistent threat (APT) groups and e-crime gangs to adapt their infrastructure acquisition and operational security (OpSec) strategies significantly. The cost and complexity of mounting attacks will increase as defenders become faster and more accurate at identifying and ejecting them, thanks to high-fidelity, context-rich intelligence. This marks a pivotal step towards a more collaborative and proactive cybersecurity paradigm.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Eliwood Salesforces – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
