A Simple, Free, and Fast Open Source Workflow For Processing Indicators

Open sources provide a wealth of valuable intelligence and, often times, network- and host-based indicators to enable detection and further investigation.

I’m interested in indicators from an investigative perspective. What overlaps or “centers of gravity” can we uncover? Do any of these provide other collection opportunities (e.g., tracking a particular domain registrant) or detection opportunities (e.g., a small netblock hosting dedicated C2 infrastructure)?

My investigative process around information culled from open sources used to be manual. Copying and pasting, one-by-one, indicators from blog posts into TXT and / or CSV documents. Querying indicators against various external or internal datasets. That process is neither efficient nor fun.

Fortunately, the availability and quality of open source threat intelligence tools have grown in-kind with the quality and quantity of the open source information. Exclusively using free tools, analysts can all but bypass manual processing and dive strait into their investigation within only or a minute or two.

Here’s one way to do that.

Continue reading →

All The Rosetta Stones!

The ancient Rosetta Stone provided an approximate translation between Egyptian hieroglyphics, Egyptian Demotic script, and Ancient Greek. In threat intelligence, we use Rosetta Stones to translate the different names that our sources assign to threat activity groups into our own “native language.” What one source calls “APT1,” another source calls “Unit 61398.” But, in your security operations shop’s “native language,” those names translate to “Comment Crew.” All told, it makes for a confusing situation (that isn’t going away) as analysts juggle and triangulate reports describing threats and malware and their associated reams of indicators.

Continue reading →

Intelligence Technology and Tradecraft in 2015

With 2015 wrapped up, I wanted to reflect on some of the changes I noticed in the cyber threat intelligence (CTI) field over the course of the year. I originally had (overly) ambitious plans for this post, hoping to offer a sweeping and comprehensive review on threat intelligence. But alas. Time has expired–it’s already 2016! Instead, I decided to focus on two aspects of CTI that I’m passionate about: technology and tradecraft.  Continue reading →

Using threat_note To Track Campaigns: Returning to PIVY and PlugX Infrastructure

BLUF: I’m starting to find the sweet spot for threat_note in my at-home research workflow. By taking advantage of threat_note’s VirusTotal integration, I was able to discover some new infrastructure associated with the the activity I documented in my August 8 post on Poison Ivy.

Continue reading →

Playing with ioc-parser (and practicing python and command line Kung-fu)

BLUF: The ioc-parser python utility is a must-have in your analytic workflow. It automates the parsing of IOC from public reports and neatly outputs the results to a CSV file. You can take these results to conduct further analysis and to provide as potential detection indicators (assuming you’ve done your validation due diligence). It’s a great time-saving tool.

Continue reading →