A Simple, Free, and Fast Open Source Workflow For Processing Indicators

Open sources provide a wealth of valuable intelligence and, oftentimes, network- and host-based indicators that enable detection and further investigation.

I’m interested in indicators from an investigative perspective. What overlaps or “centers of gravity” can we uncover? Do any of these provide other collection opportunities (e.g., tracking a particular domain registrant) or detection opportunities (e.g., a small netblock hosting dedicated C2 infrastructure)?

My investigative process around information culled from open sources used to be manual: copying and pasting indicators one by one from blog posts into TXT and/or CSV documents, then querying them against various external or internal datasets. That process is neither efficient nor fun.

Fortunately, the availability and quality of open source threat intelligence tools have grown in kind with the quality and quantity of the open source information. Exclusively using free tools, analysts can all but bypass manual processing and dive straight into their investigation within only a minute or two.

Here’s one way to do that.

Use RSS or Twitter to Identify an Interesting Source(s)

This is a no-brainer. Individual analysts or teams can use shared RSS and Twitter accounts to centralize basic collection of vendor and independent blogs/sources. For RSS, I use Feedly, but any RSS reader will do. If you follow the accounts of those same sources on Twitter, you can just as easily use Twitter to give you an excellent view into the available open source information.

While I usually prioritize review of closed-source information first, be sure to spend time over your morning cup of coffee to scroll through your Twitter or RSS feed.

In this example, I’ve found an interesting post about the 9002 RAT from Palo Alto Networks. (More importantly, in this example, this information meets already-established requirements and key questions formed around various malware tools that pose a threat to CYINT_dude Labs, a new cybersecurity venture expected to reach a $1 billion valuation.)

Use AlienVault OTX To Process IOC For You

AlienVault provides one of the best free threat intelligence tools. AlienVault Open Threat Exchange is a simple community-based tool. Users submit and share sources and OTX automatically harvests the IOC, drops them in a table, and makes them available for download as CSV (or STIX or OpenIOC).

So if you have an open source with IOC you’d like to investigate, I recommend submitting it to OTX. You get the IOC you need and the rest of the community benefits too.

Similar to using a shared RSS and Twitter account, threat intelligence teams could also create a shared OTX account and use it as a “processing tool” to mine IOC from open sources. More often than not, another user will have already submitted the source you’re interested in. That means all you need to do is click “download” and select your format of choice. I downloaded the 9002 RAT IOC as a CSV file.

From there we can open the file, grab the content and throw it into a spreadsheet to separate the values.
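
The same separation step can be scripted. The following is an added example, not part of the original post: it assumes the export has a column named `Indicator` (an assumption about the CSV layout, adjust it to match your file), and every sample value is constructed. It refangs values, classifies each one by its shape, and de-duplicates, so each group can be pasted into Maltego as a single entity type.

```python
import csv
import ipaddress
import re
from collections import defaultdict

HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def refang(value):
    """Lowercase a value and undo common dot defanging such as [.] or (.)."""
    value = value.strip().lower()
    return re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", value)

def classify(value):
    """Classify an indicator by its shape, independent of the export's label."""
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_LENGTHS:
        return HASH_LENGTHS[len(value)]
    try:
        ipaddress.IPv4Address(value)
        return "IPv4"
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "Domain"
    return "Unknown"

def group_indicators(csv_text, column="Indicator"):
    """Return {type: sorted unique values}; `column` is an assumed header name."""
    groups = defaultdict(set)
    for row in csv.DictReader(csv_text.splitlines()):
        value = refang(row.get(column) or "")
        if value:
            groups[classify(value)].add(value)
    return {kind: sorted(values) for kind, values in groups.items()}

# Constructed sample export (the hashes are the well-known empty-input digests).
SAMPLE_CSV = """Indicator type,Indicator,Description
domain,c2.example[.]com,constructed sample
IPv4,203.0.113.10,constructed sample
FileHash-MD5,D41D8CD98F00B204E9800998ECF8427E,constructed sample
FileHash-SHA256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,constructed sample
domain,c2.example.com,duplicate after refanging
"""

if __name__ == "__main__":
    print(group_indicators(SAMPLE_CSV))
```

Values that land in the `Unknown` group are the ones to inspect by hand before pasting anything into a graph.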

Use Free Maltego Transforms to Investigate The IOC

Now the fun part.

Maltego is a great platform for investigating indicators. What is more, using free transform sets (available in Maltego’s Transform Hub) like ThreatCrowd and ThreatMiner allows you to tap multiple open sources to enrich your IOC with data from pDNS, WHOIS, malware databases, and other sources.

From the spreadsheet, you can copy your indicators into Maltego. Generally Maltego does a good job of recognizing the entity types, but in a lot of cases you’ll need to manually change the entities into the appropriate types. When pasting hash values into Maltego, they usually default to the “Phrase” entity. To change them, click “Select by Type” (located above your graph), and then click “Phrase.” You can also manually select the Phrase entities, but be careful not to accidentally corral values that you don’t want changed.

Then, right-click on your graph, click “Change Type,” and then choose the appropriate entity. Now we can use our transforms that require Hash input values.

Once you’ve reached this step, the investigative path you take is up to you. But it’s best to avoid going transform-crazy in Maltego, which can quickly lead you into a confusing briar patch of linked nodes and relationships. Instead, write down a few specific questions you want to answer that can help you move up the Pyramid of Pain. To do this, you can frame your questions by keeping the Diamond Model of Intrusion Analysis in mind.

  • Who registered the C2 domains (Infrastructure to Adversary)?
  • What IP addresses have the C2 domains historically resolved to? Are there any patterns or centers of gravity with respect to the hosting environments (Infrastructure to Infrastructure)?
  • What do the file names of the malicious files suggest, if anything, about who was targeted (Capability to Victim)?

I recommend isolating one or two questions per Maltego graph to avoid getting overwhelmed with results, and reviewing the results after each transform run.

A Final Note: Going Beyond IOC

The above process is fast, easy, and (mostly) free. (Purchasing a Maltego client is worth the initial $750 investment if you plan on using it at your day job.)

We investigate IOC to move up the Pyramid of Pain and identify patterns in threat activity. But there’s more to threat analysis than just indicators. The 9002 RAT blog post contained valuable nuggets of intelligence on TTP. For example:

  • Persistence: The malware creates two mutexes, F16ME and widfasdf, and creates two registry keys. It sets Software\Microsoft\Windows\CurrentVersion\Run\RealNetwork to run the legitimate realnetwork.exe software. And it sets HKCU\Software\Microsoft\F6\uid where it will store the %USERPROFILE% directory path. The malware will look to this path for configuration information.
  • Command-and-Control: The malware uses a custom HTTP protocol with initial beacons containing the string 9002. Follow-on beacons will contain the strings jackhex and 2016. The malware also uses the User Agent lynx.
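
The command-and-control traits above can be turned into a first-pass detection. This is an added example, not code from the original post or from the Palo Alto Networks report: the record layout, the idea that the marker strings are visible in the captured request payload, and the treatment of a bare `lynx` User-Agent as the indicator are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Strings taken from the post; where they sit in the request is an assumption.
INITIAL_MARKER = b"9002"
FOLLOW_ON_MARKERS = (b"jackhex", b"2016")
SUSPECT_USER_AGENT = "lynx"

def score_request(user_agent, payload):
    """Return the set of 9002 RAT traits seen in one HTTP request."""
    traits = set()
    if user_agent.strip().lower() == SUSPECT_USER_AGENT:
        traits.add("ua")
    if INITIAL_MARKER in payload:
        traits.add("initial")
    if all(marker in payload for marker in FOLLOW_ON_MARKERS):
        traits.add("follow_on")
    return traits

def detect(records):
    """Collect traits per (client, server) pair and grade each pair.

    "2016" and "9002" are too common to alert on alone, so a marker only
    counts when the same request also carries the bare `lynx` User-Agent.
    """
    seen = defaultdict(set)
    for client, server, user_agent, payload in records:
        traits = score_request(user_agent, payload)
        if "ua" in traits and len(traits) > 1:
            seen[(client, server)] |= traits
    verdicts = {}
    for pair, traits in seen.items():
        both_stages = {"initial", "follow_on"} <= traits
        verdicts[pair] = "high" if both_stages else "medium"
    return verdicts

# Constructed sample records: (client IP, server, User-Agent, request payload)
SAMPLE = [
    ("10.0.0.5", "c2.example.com", "lynx", b"\x00\x019002\x00\x00"),
    ("10.0.0.5", "c2.example.com", "lynx", b"jackhex\x002016\x00"),
    ("10.0.0.7", "c2.example.com", "lynx", b"\x009002"),
    ("10.0.0.8", "news.example.org", "Mozilla/5.0", b"year=2016&id=9002"),
    ("10.0.0.9", "docs.example.org", "Lynx/2.8.9rel.1 libwww-FM/2.14", b"q=2016"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Only the first two clients are flagged: one shows both beacon stages and grades `high`, the other shows a single stage and grades `medium`, while ordinary traffic that merely contains `2016` or `9002` is ignored.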

The blog post is full of other unique methods and detection opportunities.

Having a simple workflow to process IOC from open sources should give you more time to not only investigate those IOC, but also to process, capture, and build detection for unique TTP.

Questions or comments? Feel free to get in touch with me on Twitter @CYINT_dude!

UPDATE: I should also point out that while OTX is indeed a great tool, there are other IOC processing tools that exist: