Open Source Threat Intelligence
Hello, welcome back with me, Bayu Aji, this time I will write an article about "Threat Intelligence". Yes, I will discuss about OSINT again, but here it is specifically for threats, I usually do this technique for research. For example I want to research a malware I can use this technique to collect more in-depth information and details okok now I will discuss a technique and platform that will be used, so check this out
Cyber threat intelligence (CTI) refers to the collection and analysis of data, the results of which are used to determine what actions are needed to help prevent, detect and respond to cyber threats.
Okok, speaking of OSINT, it's actually very broad. Yes, OSINT can do anything like the article I wrote in the past. There are many uses for OSINT, we can use OSINT for threat intelligence cases, which aims to analyze, detect and prevent cyber threats.
OSINT can also be utilized against Advanced persistent threat (APT). By associating the collected OSINTs with IP addresses, email addresses, hashes, owners and other indicators on their Internet-connected systems, you can identify suspicious activity for deeper investigation and situational awareness. OSINT analysis can also provide clues to security operations for APT (Advanced persistent threat) attack methods and help them gather potentially malicious activity.
While APT attacks can start with infiltration, criminals will expand their presence over time and start extracting data. Through OSINT collection and analysis, it will help us to identify something
Okok, then what is the technique? Hmmm actually the method or technique is almost the same as OSINT (previous article) but there are slight differences, for example platforms, tools and analysis, yes, for the case of threat intelligence, there are several platforms that you can use, such as otx alien vault, exploit db, spider foot, mandiant ioce and others. , here I will describe the technique
# Dorking
Okok, as I said "Dorking is an amazing thing, you can do anything with this technique" Yes dorking is very useful for those of you who want to find out more detailed, in-depth and objective information. As for the docking technique, including:
intitle: Search for specific titles
inurl: Search for specific urls or paths
intext: Search for specific words or contects
filetype: Search for files
site: Search from a specified target
Wildcard or symbol * (star) Find all web pages, for example: seccodeid*
Define:term Search for all things with specified terms, example define:seccodeid
cache page Take a snapshot of an indexed page. Google uses this to find the right page for the query you're looking for. Website or target specifically
example
intext:"hacking" site:seccodeid.com
What are you looking for?
1. Malicious IP address
2. Domain / Website
3. File hash (malware analysis)
4. Industry/victim country
5. IOCs
6. Yara
7. Analyzing
Yes this is a simple example of dorking, you can develop your own dorking to be powerful and objective
# Threat Intelligence Tool
Ok, now I will describe some of the Threat Intelligence tools that are used, this tool can help you make it easier to search, if you feel that using dorking is complicated and long, you can use special Threat Intelligence tools including the following
1. Spiderfoot
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
What can spiderfoot do? Found a suspicious IP address or other indicator in your logs that you need to investigate
Features
- Web based UI or CLI
- Over 200 modules (see below)
- Python 3
- CSV/JSON/GEXF export
- API key export/import
- SQLite back-end for custom querying
- Highly configurable
- Fully documented
- Visualisations
- TOR integration for dark web searching
- Dockerfile for Docker-based deployments
- Can call other tools like DNSTwist, Whatweb, Nmap and CMSeeK
- Actively developed since 2012!
SpiderFoot scan:
- IP address
- Domain/sub-domain name
- Hostname
- Network subnet (CIDR)
- ASN
- E-mail address
- Phone number
- Username
- Person's name
- Bitcoin address
- SpiderFoot's 200+ modules feed each other in a publisher/subscriber model to ensure maximum data extraction to do things like:
- Host/sub-domain/TLD enumeration/extraction
- Email address, phone number and human name extraction
- Bitcoin and Ethereum address extraction
- Check for susceptibility to sub-domain hijacking
- DNS zone transfers
- Threat intelligence and Blacklist queries
- API integration with SHODAN, HaveIBeenPwned, GreyNoise, AlienVault, SecurityTrails, etc.
- Social media account enumeration
- S3/Azure/Digitalocean bucket enumeration/scraping
- IP geo-location
- Web scraping, web content analysis
- Image, document and binary file meta data analysis
- Dark web searches
- Port scanning and banner grabbing
- Data breach searches
- So much more...
2. Maltego
Yes, malego can help you to search for information in depth, maltego can be used to search for anything, you can explore this tool to learn it in depth, I personally am still exploring this tool, so I can't talk at length about this tool. In essence, this tool you can use to search for anything
3. Shodan
With Shodan, a powerful search engine, users can search the web for internet-connected devices. Your website can see the image above, I searched for CVE exploits yes shodan can find some exploits that you can use. Shodan can do anything, search for IoT devices, Malware, Exploits, Databases and others
4. Virus total
VirusTotal uses hundreds of antivirus scanners and other resources for analysis and extraction of user-presented data from directories and user URLs. This service can be used to easily check for incidents such as suspected phishing e-mails, and each entry can be stored in its database.
Example :
c16842c992e9570c002523f0531465b3f7808e5711a2e7ceba49c4567c6303cf
5. Mandiant IOC editor
Mandiant Ioc editor that works for you threat hunting, this tool can help to brag Ioc rules or read Ioc. Its function is the same as the code editor but this is specifically for Ioc. I've only been using this tool for 2 months and I'm still trying to find or create my own IOC to help security system experts, if you think you haven't been able to find the threat yourself, you can search for it, in OTX Alien Vault you can see a sample IOC that has been created. for the user manual you can click the link below
Link : https://www.fireeye.com/content/dam/fireeye-www/services/freeware/ug-ioc-editor.pdf
6. Talosintelligence
Talos that informs people of knowledgeable threats, emerging risks, and current vulnerabilities. Talos also offers resources for testing and study
More : https://forum.seccodeid.com/d/fbi-tools-tools-for-gathering-information-and-actions-forensic
# Platform
1. Otx (Open Threat Exchange) Alienvault
AlienVault Open Threat Exchange (OTX) provides open access to a global community of threat researchers and security professionals. It provides community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source.
A threat indicator is an entity that indicates a possible attack or compromise of some type. The most common types are file hashes (signatures), and reputation data on domains and IP addresses that have been associated with attacks.
A hash file is a unique identifier of worms, Trojans, keyloggers, and other types of malicious programs. MD-5 or SHA-1 generates a unique fingerprint of the program during the compilation process; Malicious files can be identified using their unique text string. Similarly, certain websites, IPs, and even URLs spread malware; affected users put the entire network at risk. Track malicious websites, blacklist IPs, identify malicious files using hash strings and block access to your technology infrastructure. Risks associated with malicious websites/IPs:
- Spam and phishing pages
- Malware and spyware
- Anonymous proxy tool and P2P network
- Darknet IP Address (using TOR)
- C&C server managing botnet
Use public and private feeds to collect information, analyze it, and block access.
You can also download sample data or pulses from otx
2. Threatcrowd
The search engine for threats allows users to search for and investigate threats related to IPs, websites or organizations. It also provides an API and with the ThreatCrowd API you can search for:
- Domain
- IP Address
- Email address
- Hash files
- Antivirus detection
It retrieves information from Virustotal and malwr.com; it also provides MALTEGO transform to analyze and link data
3. Opencti
OpenCTI is an open source platform that enables organizations to manage their cyber threat intelligence knowledge and observations. It has been created to compile, store, organize and visualize technical and non-technical information about cyber threats.
The data arrangement is done by knowledge schema based on STIX2 standard. It has been designed as a modern web application including GraphQL API and UX oriented frontend. Also, OpenCTI can be integrated with other tools and applications like MISP , TheHive , MITER ATT&CK , etc.