Staying Current with Security Threats
Staying Current with Security Threats
The script below implements the threat intelligence integration:
#!/bin/bash
# /usr/local/bin/threat-intelligence-updater.sh
# Threat Intelligence Integration Script
# Updates security rules based on current threat landscape
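# Working directory for downloaded feeds, the consolidated blocklist and the
# HTML reports. May be overridden from the environment; the default is the
# original location.
THREAT_DIR="${THREAT_DIR:-/var/security/threat-intel}"
readonly THREAT_DIR
# A failed mkdir is reported rather than fatal: every later step checks its
# own writes, and the original script did not abort here either.
mkdir -p -- "$THREAT_DIR" || echo "warning: cannot create $THREAT_DIR" >&2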
# Update threat feeds
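#######################################
# Download one feed into THREAT_DIR atomically.
# The transfer goes to "<name>.part" first and is renamed into place only
# when wget succeeded and the file is non-empty, so a failed or truncated
# download never overwrites a previously good copy (the original "-O dest"
# left an empty file behind on failure). wget verifies the TLS certificate
# by default; keep it that way for these feeds.
# Globals:   THREAT_DIR (read)
# Arguments: $1 - destination file name inside THREAT_DIR
#            $2 - HTTPS URL of the feed
# Outputs:   warning on stderr when the download fails
# Returns:   0 when the feed was refreshed, 1 otherwise
#######################################
fetch_feed() {
  local name=$1 url=$2
  local dest="$THREAT_DIR/$name"
  local part="$dest.part"
  if wget -q --timeout=30 --tries=2 -O "$part" "$url" && [ -s "$part" ]; then
    mv -f -- "$part" "$dest"
    return 0
  fi
  echo "warning: download of $url failed; keeping previous $dest" >&2
  rm -f -- "$part"
  return 1
}

#######################################
# Refresh all threat feeds and the ModSecurity CRS checkout.
# Globals:   THREAT_DIR (read)
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0 always; a single unreachable source is reported but does not
#            stop the remaining feeds from being refreshed
#######################################
update_threat_feeds() {
  echo "[$(date)] Updating threat intelligence feeds..."
  echo "Downloading IP reputation lists..."
  # Emerging Threats compromised IPs
  fetch_feed compromised-ips.txt \
    "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
  # Talos Intelligence
  fetch_feed talos-blacklist.txt \
    "https://www.talosintelligence.com/documents/ip-blacklist"
  # SSL Blacklist (SHA1 fingerprints)
  fetch_feed ssl-blacklist.txt \
    "https://sslbl.abuse.ch/blacklist/sslblacklist.csv"
  # Update ModSecurity CRS. "git -C" keeps the script's working directory
  # unchanged (the original cd'd into /etc/modsecurity and never left), and
  # the directory is checked to actually be a git work tree before pulling.
  # --ff-only: an automatic merge commit inside /etc is never wanted.
  if git -C /etc/modsecurity rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    git -C /etc/modsecurity pull --ff-only origin master \
      || echo "warning: git pull in /etc/modsecurity failed" >&2
  fi
  return 0
}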
# Process threat intelligence
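#######################################
# Build the consolidated IPv4 blocklist from the downloaded feeds and load it
# into the "threat_ips" ipset referenced by the INPUT DROP rule.
# Globals:   THREAT_DIR (read)
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0 on success, 1 when the list could not be written or loaded
#######################################
process_threat_intel() {
  echo "Processing threat intelligence..."
  local blacklist="$THREAT_DIR/consolidated-blacklist.txt"
  local feed
  # Only an address at the very start of a line is taken, and only the
  # address itself (-o): a trailing comment or CIDR suffix would otherwise
  # be handed to ipset and rejected by a hash:ip set.
  local ipv4_re='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
  # Create IP blacklist for firewall. The previous consolidated file is
  # skipped on purpose: the original "*.txt" glob fed it back in, so the list
  # could only ever grow and addresses dropped by a feed were never unblocked.
  # CR characters are stripped in case a feed uses CRLF line endings.
  for feed in "$THREAT_DIR"/*.txt; do
    [ -f "$feed" ] || continue
    [ "$feed" = "$blacklist" ] && continue
    tr -d '\r' < "$feed" | grep -oE "$ipv4_re"
  done | LC_ALL=C sort -u > "$blacklist.tmp" || return 1
  mv -f -- "$blacklist.tmp" "$blacklist" || return 1
  # Update firewall rules
  if [ -s "$blacklist" ]; then
    # Fill a scratch set and swap it in, so the live set mirrors the current
    # feeds exactly and there is no window in which it is empty. Both sets
    # must share the type for "ipset swap". hash:ip defaults to maxelem
    # 65536; if the combined feeds ever exceed that, pass a larger maxelem.
    # Feeds can contain your own or your management addresses; consider
    # filtering those out before loading.
    ipset create threat_ips hash:ip -exist || return 1
    ipset create threat_ips_new hash:ip -exist || return 1
    ipset flush threat_ips_new
    # "ipset restore" loads the whole list in one process instead of one
    # ipset call per address; -exist tolerates duplicates.
    if ! sed 's/^/add threat_ips_new /' "$blacklist" | ipset -exist restore; then
      echo "warning: failed to load addresses into ipset threat_ips_new" >&2
      ipset destroy threat_ips_new
      return 1
    fi
    ipset swap threat_ips_new threat_ips && ipset destroy threat_ips_new
    # Apply the DROP rule once. The original inserted a fresh copy on every
    # run (every six hours via cron), filling INPUT with identical rules.
    if ! iptables -C INPUT -m set --match-set threat_ips src -j DROP 2>/dev/null; then
      iptables -I INPUT -m set --match-set threat_ips src -j DROP
    fi
  fi
  return 0
}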
# Update security configurations
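#######################################
# Install "<target>.new" over <target> only if the service still validates
# its configuration afterwards; otherwise put the previous file back.
# Writing straight into /etc without a test meant that a bad generated file
# would only surface at the next Apache/Nginx reload, and break it.
# Arguments: $1   - path of the configuration file to replace
#            $2.. - validation command and its arguments (e.g. nginx -t)
# Outputs:   warning on stderr when validation fails
# Returns:   0 when the new file is in place, 1 otherwise
#######################################
install_config_if_valid() {
  local target=$1
  shift
  local backup="$target.bak"
  [ -f "$target.new" ] || return 1
  if [ -f "$target" ]; then
    cp -p -- "$target" "$backup" || return 1
  else
    rm -f -- "$backup"
  fi
  mv -f -- "$target.new" "$target" || return 1
  if "$@" >/dev/null 2>&1; then
    rm -f -- "$backup"
    return 0
  fi
  echo "warning: '$*' rejected the new $target; previous version restored" >&2
  if [ -f "$backup" ]; then
    mv -f -- "$backup" "$target"
  else
    rm -f -- "$target"
  fi
  return 1
}

#######################################
# Regenerate the threat-driven ModSecurity and Nginx rule files.
# Neither service is reloaded here (same as the original); the new files take
# effect at the next reload.
# Globals:   none
# Outputs:   progress on stdout, warnings on stderr
# Returns:   0 always; individual failures are reported on stderr
#######################################
update_security_configs() {
  echo "Updating security configurations based on threats..."
  local stamp
  stamp=$(date)
  # Update Apache ModSecurity rules
  if [ -f /etc/apache2/mods-enabled/security2.conf ]; then
    local modsec_conf=/etc/modsecurity/custom-threats.conf
    # @pmFromFile resolves a relative path against the directory of the rule
    # file, so the miner list is expected beside the generated config.
    local miner_data=/etc/modsecurity/crypto-miners.data
    # The header is printed with printf because the rule body is a quoted
    # heredoc (no expansion, so the "%" sequences survive untouched); in the
    # original the "$(date)" in the header was inside the quoted heredoc and
    # was written literally.
    {
      printf '# Custom threat rules based on current intelligence\n'
      printf '# Updated: %s\n' "$stamp"
      cat <<'EOF'
# Block recent exploit attempts
SecRule REQUEST_URI "@contains /cgi-bin/%%32%65%%32%65/" \
"id:9999001,\
phase:1,\
deny,\
msg:'CVE-2021-41773 Apache Path Traversal Attempt',\
severity:CRITICAL"
EOF
      # A @pmFromFile rule whose data file is missing makes ModSecurity refuse
      # the whole configuration, so the rule is only emitted when the file
      # exists.
      if [ -f "$miner_data" ]; then
        cat <<'EOF'
# Block cryptocurrency miners
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile crypto-miners.data" \
"id:9999002,\
phase:1,\
deny,\
msg:'Cryptocurrency Miner Detected',\
severity:HIGH"
EOF
      else
        echo "warning: $miner_data not found; miner rule 9999002 not emitted" >&2
      fi
    } > "$modsec_conf.new" || echo "warning: cannot write $modsec_conf.new" >&2
    # apache2ctl -t only exercises this file if the ModSecurity configuration
    # includes custom-threats.conf -- TODO confirm for this host.
    install_config_if_valid "$modsec_conf" apache2ctl -t
  fi
  # Update Nginx configurations
  if [ -d /etc/nginx ]; then
    local nginx_conf=/etc/nginx/conf.d/threat-blocks.conf
    # conf.d files are included in the http context, where "if" is not a
    # valid directive (nginx -t rejects it), so only the map is generated
    # here; the check belongs in each server{} block and is left as a
    # comment in the file. Note that "~*crawler" also matches user agents of
    # legitimate crawlers.
    cat > "$nginx_conf.new" <<EOF
# Threat-based blocking rules
# Updated: $stamp
# Block known bad user agents
map \$http_user_agent \$blocked_agent {
default 0;
~*malicious 1;
~*scanner 1;
~*crawler 1;
}
# "if" is not allowed at http level; add this to each server { } block
# that should enforce the map:
#   if (\$blocked_agent) { return 403; }
EOF
    install_config_if_valid "$nginx_conf" nginx -t
  fi
  return 0
}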
# Generate threat report
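#######################################
# Write the daily HTML threat report and mail it as an attachment.
# Globals:   THREAT_DIR (read)
#            REPORT_FILE (written: path of the generated report)
#            REPORT_RECIPIENT (read, optional: overrides the mail recipient)
# Outputs:   the report file; warnings on stderr
# Returns:   0 when the report was written, 1 otherwise
#######################################
generate_threat_report() {
  local blacklist="$THREAT_DIR/consolidated-blacklist.txt"
  local ip_count=0 drop_rules=0
  local recipient="${REPORT_RECIPIENT:-[email protected]}"
  REPORT_FILE="$THREAT_DIR/threat-report-$(date +%Y%m%d).html"
  # Gather the figures up front so a missing list or a failed iptables call
  # yields a plain 0 instead of an error message spliced into the HTML.
  [ -f "$blacklist" ] && ip_count=$(wc -l < "$blacklist")
  # This counts every DROP target in every chain, not only the threat_ips
  # rule, so it is a rough indicator at best.
  drop_rules=$(iptables -L -n 2>/dev/null | grep -c DROP)
  # NOTE: the "Recent Threats" entries and "ModSecurity Rules Updated: Yes"
  # below are static text carried over from the original; they are not
  # derived from the feeds, the rule files or any log data.
  cat > "$REPORT_FILE" <<EOF || { echo "warning: cannot write $REPORT_FILE" >&2; return 1; }
<!DOCTYPE html>
<html>
<head>
<title>Threat Intelligence Report - $(date +%Y-%m-%d)</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.threat { background: #ffebee; padding: 10px; margin: 10px 0; }
.mitigated { background: #e8f5e9; padding: 10px; margin: 10px 0; }
</style>
</head>
<body>
<h1>Threat Intelligence Report</h1>
<p>Generated: $(date)</p>
<h2>Threat Summary</h2>
<div class="threat">
<strong>Total Threat IPs Blocked:</strong> $ip_count
</div>
<h2>Recent Threats</h2>
<div class="threat">
<strong>Apache Path Traversal (CVE-2021-41773):</strong> Active exploitation detected
</div>
<div class="threat">
<strong>Log4j (CVE-2021-44228):</strong> Continued scanning activity
</div>
<h2>Mitigation Status</h2>
<div class="mitigated">
<strong>Firewall Rules Updated:</strong> $drop_rules
</div>
<div class="mitigated">
<strong>ModSecurity Rules Updated:</strong> Yes
</div>
<h2>Recommendations</h2>
<ul>
<li>Review and update all Apache/Nginx installations</li>
<li>Ensure all security patches are applied</li>
<li>Monitor logs for exploitation attempts</li>
<li>Conduct security awareness training on current threats</li>
</ul>
</body>
</html>
EOF
  # Email report. "-a FILE" means "attach" for bsd-mailx / heirloom mailx,
  # but GNU mailutils' mail(1) reads "-a" as "append header" -- check which
  # implementation is installed on the host.
  if command -v mail >/dev/null 2>&1; then
    mail -s "Threat Intelligence Report - $(date +%Y%m%d)" \
      -a "$REPORT_FILE" \
      "$recipient" < /dev/null \
      || echo "warning: mailing the report failed; left at $REPORT_FILE" >&2
  else
    echo "warning: mail(1) not installed; report left at $REPORT_FILE" >&2
  fi
  return 0
}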
# Main execution
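echo "=== Threat Intelligence Update ==="
echo "Started: $(date)"
# ipset, iptables and the writes under /etc all need root; the original
# carried on without it and failed half-way through, leaving the blocklist
# and the rule files out of step. Fail early instead.
if [ "$(id -u)" -ne 0 ]; then
  echo "error: this script must run as root" >&2
  exit 1
fi
update_threat_feeds
process_threat_intel
update_security_configs
generate_threat_report
echo "Completed: $(date)"
# Schedule regular updates in root's crontab (every six hours) unless an
# entry for this script is already present. -F/-- keep the name from being
# read as a pattern or an option.
CRON_ENTRY="0 */6 * * * /usr/local/bin/threat-intelligence-updater.sh"
if ! crontab -l 2>/dev/null | grep -qF -- "threat-intelligence-updater"; then
  { crontab -l 2>/dev/null; printf '%s\n' "$CRON_ENTRY"; } | crontab -
fi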