A Simple, Free, and Fast Open Source Workflow For Processing Indicators

Open sources provide a wealth of valuable intelligence and, often times, network- and host-based indicators to enable detection and further investigation.

I’m interested in indicators from an investigative perspective. What overlaps or “centers of gravity” can we uncover? Do any of these provide other collection opportunities (e.g., tracking a particular domain registrant) or detection opportunities (e.g., a small netblock hosting dedicated C2 infrastructure)?

My investigative process around information culled from open sources used to be manual. Copying and pasting, one-by-one, indicators from blog posts into TXT and / or CSV documents. Querying indicators against various external or internal datasets. That process is neither efficient nor fun.

Fortunately, the availability and quality of open source threat intelligence tools have grown in-kind with the quality and quantity of the open source information. Exclusively using free tools, analysts can all but bypass manual processing and dive strait into their investigation within only or a minute or two.

Here’s one way to do that.

Continue reading →

Examining Recent Ransomware Infection Techniques (And Some Thoughts on Consuming Intelligence)

Even though ransomware is one of the threats du-jour, it’s not something I’ve closely studied. So I decided that this weekend was as good a time as any to conduct some research and develop a better understanding of this threat.

I wish I could say I identified novel features of what I discovered were large, multi-wave ransomware campaigns between May and August. But that didn’t happen. The reality is pretty mundane: I pulled together existing research and documented—in my own words—what others have already reported.

As an analyst, I’m okay with that. I’ve found this type of research to be typical. And it brings up thoughts (and tips!) I have on intelligence consumption. But more on those soon… First, let’s look at the recent ransomware activity.

Continue reading →

Write It, Or It Didn’t Happen

BLUF: As intelligence analysts, our customers demand that we know a lot about a lot. However, research from Chris Sanders shows that humans’ working memories are very limited; we can only juggles small volumes of information at once. Even long-term memory can be stressed by the volume of knowledge that analysts must maintain. These cognitive limitations highlight the fundamental importance of capturing knowledge in written reports. If no one writes it down, does the knowledge really exist? Playing on the expression “PCAP, or it didn’t happen,” I offer the expression “write it, or it didn’t happen.

Continue reading →

Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure

BLUF: I’m starting to find the sweet spot for threat_note in my at-home research workflow. By taking advantage of threat_note’s VirusTotal integration, I was able to discover some new infrastructure associated with the the activity I documented in my August 8 post on Poison Ivy.

Continue reading →

What Analysts Can Learn From Shadowserver’s “Italian Connection” Report

BLUF: The  “Italian Connection” report from The Shadowserver Foundation is exemplary for its adherence to solid analytic tradecraft. The tradecraft is evident in the authors’ writing style, transparent methodologies, and use of structured analytic techniques. As analysts, we can learn from this report by similarly following the analytic standards that it demonstrates.

Continue reading →

Threat Analysis: Poison Ivy and Links to an Extended PlugX Campaign

Key Points & Assessment:

  • Japan CERT identified a new Poison Ivy RAT variant (SHA1 44073031790e5ba419374dc55f6ac1cba688b06c) with updated C2 functionality.
  • The malware was created in September 2014 and uploaded to Virus Total in January 2015. It uses the dynamic DNS-provided C2 getstrings[.]jumpingcrab[.]com. This domain has resolved to at least 3 IP addresses:,, and
  • I identified several decoy documents (see Maltego graph) that deliver the PlugX malware and call-out to one of two IP addresses mentioned above. These documents were reportedly used in a campaign identified by SOPHOS that spanned from September 2014 to February 2015. India was one target of the campaign.
  • Given the infrastructure and timing overlaps, the Poison Ivy sample discussed in this post was likely just one payload involved in a broader campaign targeting India, the Tibetan community, and others, that spanned from approximately September 2014 to February 2015.
  • The Poison Ivy sample in this case thus appears to be tied to attacks by one or more adversaries acting on behalf of Chinese interests.

Continue reading →

A Simple Model For Cyber Threat Targeting

BLUF: There are too many threats, and not enough time. Analysts must therefore prioritize their time on threats that are relevant to their organizations — they must be deliberate about targeting, the process of identifying and focusing on the threats that matter. While many analysts intuitively know what are and are not relevant threats, it’s still helpful to have a simple model to guide such targeting and serve as a repeatable and transparent methodology. Models presented in both a Carnegie Mellon report  (page 8) and a talk from Rick Holland (slide 23) can be adapted as simple frameworks to aid in Cyber Threat Targeting.

Continue reading →