A Simple, Free, and Fast Open Source Workflow For Processing Indicators

Open sources provide a wealth of valuable intelligence and, often, network- and host-based indicators that enable detection and further investigation.

I’m interested in indicators from an investigative perspective. What overlaps or “centers of gravity” can we uncover? Do any of these provide other collection opportunities (e.g., tracking a particular domain registrant) or detection opportunities (e.g., a small netblock hosting dedicated C2 infrastructure)?

My investigative process for information culled from open sources used to be manual: copying and pasting indicators from blog posts, one by one, into TXT and/or CSV files, then querying them against various external or internal datasets. That process is neither efficient nor fun.

Fortunately, the availability and quality of open source threat intelligence tools have grown in kind with the quality and quantity of the open source information. Using exclusively free tools, analysts can all but bypass manual processing and dive straight into their investigation within only a minute or two.

Here’s one way to do that.

All The Rosetta Stones!

The ancient Rosetta Stone provided an approximate translation between Egyptian hieroglyphics, Egyptian Demotic script, and Ancient Greek. In threat intelligence, we use Rosetta Stones to translate the different names that our sources assign to threat activity groups into our own “native language.” What one source calls “APT1,” another source calls “Unit 61398.” But, in your security operations shop’s “native language,” those names translate to “Comment Crew.” All told, it makes for a confusing situation (that isn’t going away) as analysts juggle and triangulate reports describing threats and malware and their associated reams of indicators.

Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure

BLUF: I’m starting to find the sweet spot for threat_note in my at-home research workflow. By taking advantage of threat_note’s VirusTotal integration, I was able to discover some new infrastructure associated with the activity I documented in my August 8 post on Poison Ivy.

PCAP Analysis Practice

BLUF: I downloaded a PCAP from this exercise provided by @malware_traffic. I’m a Wireshark and PCAP n00b, but wanted to see how far I could get with an analysis I’m not used to doing. I think I did pretty well (I was pleased I was able to get one of the Level 3 questions), but got hung up on identifying the exact infection chain and series of redirects.

Playing with ioc-parser (and practicing python and command line Kung-fu)

BLUF: The ioc-parser python utility is a must-have in your analytic workflow. It automates the parsing of IOCs from public reports and neatly outputs the results to a CSV file. You can take these results to conduct further analysis and to use as potential detection indicators (assuming you’ve done your validation due diligence). It’s a great time-saving tool.
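
The indicator-processing workflow in the first post and the ioc-parser post above both come down to the same step: pull indicators out of report text and write them to a CSV. The block below is an added example written for this page; it is not ioc-parser’s code and not the author’s workflow. It shows the parts of that step that bite in practice: refanging the common defanging conventions (hxxp, [.]), rejecting version strings that look like IP addresses, and not double-counting a URL’s host as a separate bare domain. The sample report text and the abbreviated TLD allowlist are constructed assumptions; a real tool would use the public suffix list.

```python
import csv
import io
import re
from urllib.parse import urlparse

# Constructed sample "report" text for the demo; it is not from any real post or vendor report.
SAMPLE_REPORT = """\
The dropper beacons to hxxps://update-check[.]example[.]net/gate.php over 443
and to 203.0.113.45. A second sample (SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) contacted
198.51.100[.]7 and mail.example-corp[.]com. MD5: d41d8cd98f00b204e9800998ecf8427e.
Contact: abuse@example[.]org. Version 10.2.3.4000 is unaffected.
"""

# Abbreviated TLD allowlist (an assumption for the demo); filters out "gate.php"-style false positives.
TLDS = {"com", "net", "org", "info", "biz", "io", "ru", "cn", "su", "me", "tk"}

PATTERNS = {
    # Each octet is 0-255, so "10.2.3.4000" (a version string) is rejected by the trailing \b.
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>()]+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "sha1": re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+([a-z]{2,})\b", re.IGNORECASE),
}


def refang(text: str) -> str:
    """Undo common defanging so the patterns above see real indicators."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)  # hxxps:// -> https://
    for bracketed, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[@]", "@"), ("[:]", ":")):
        text = text.replace(bracketed, plain)
    return text


def extract_iocs(report: str) -> list[dict]:
    """Return deduplicated {"type", "value"} rows in order of first appearance."""
    text = refang(report)
    found, seen = [], set()

    def add(kind: str, value: str) -> None:
        key = (kind, value.lower())
        if key not in seen:
            seen.add(key)
            found.append({"type": kind, "value": value})

    # URLs and emails first; their text is blanked out so the bare-domain pass does not re-extract hosts.
    masked = text
    for m in PATTERNS["url"].finditer(text):
        url = m.group(0).rstrip(".,;:")
        add("url", url)
        host = urlparse(url).hostname or ""
        # A URL host is still an indicator in its own right: record it once, as an IP or a domain.
        add("ipv4" if PATTERNS["ipv4"].fullmatch(host) else "domain", host)
        masked = masked.replace(url, " " * len(url))
    for m in PATTERNS["email"].finditer(text):
        add("email", m.group(0))
        masked = masked.replace(m.group(0), " " * len(m.group(0)))

    # Hashes: \b on both sides keeps the 32/40-hex patterns from matching inside a 64-hex SHA256.
    for kind in ("sha256", "sha1", "md5"):
        for m in PATTERNS[kind].finditer(text):
            add(kind, m.group(0).lower())

    for m in PATTERNS["ipv4"].finditer(text):
        add("ipv4", m.group(0))

    # Bare domains last, on the masked text, and only with an allowlisted TLD.
    for m in PATTERNS["domain"].finditer(masked):
        if m.group(1).lower() in TLDS:
            add("domain", m.group(0).lower())
    return found


def to_csv(rows: list[dict]) -> str:
    """Serialise rows as type,value CSV (what you would feed to a validation or enrichment step)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(extract_iocs(SAMPLE_REPORT)))
```

Run it as-is and the CSV lists two IPv4 addresses, one URL plus its host as a domain, one bare domain, one email and two hashes, while the version string and the "gate.php" path segment are not reported. The output is raw extraction only; every row still needs the validation due diligence mentioned above before it becomes a detection indicator.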