Threat Feeds to feed the needs - ThreatPinch and Splunk / Sumo Logic / Web frontends for logging

quick-tip
threat_feeds
log-analysis

#1

Is it malicious?

Good question… let’s see what we can do. Friends and family members ask that sometimes. They forward a suspicious mail, which could be a phishing attempt, or even something worse. Luckily nowadays we can look up collective threat intelligence and incorporate it into our analysis: take the domains (FQDNs) and IPs from the mail and check what the reports say about them.

For corporate log intelligence, via IDS / IPS devices for example, the logs often end up in a central log manager: something like Splunk, Graylog2, ELK, or a cloud service like Sumo Logic. These logs can be searched via the browser, and you can look up the threat data on the indicators with a browser extension. That can support security decisions.

First of all... disable prediction services

You really don’t want to open a document or a web page with a set of potentially malicious links in Chrome (assuming that’s your browser) and end up pre-fetching the malware in the background. Do you?

So take a look at these settings and start thinking.

I use uBlock Origin for various reasons, and it disables pre-fetching by default. The settings shown are not ideal privacy settings, but that is up to you. For the sake of this article my advice is that you consider disabling pre-fetching. Also think about your corporate web proxy: does it pre-fetch?

Threat Intelligence as a Chrome Extension

Note: this is a private screenshot. The IP is not suspicious at all.

The Chrome plugin I use to look up threat feed information is ThreatPinch. It supports a lot of APIs, hosted and self-hosted:

ThreatMiner for IPv4, FQDN, MD5 and SHA2 lookups.
AlienVault OTX for IPv4, MD5 and SHA2 lookups.
IBM X-Force Exchange for IPv4 and FQDN lookups.
VirusTotal for MD5, SHA2 and FQDN lookups.
Cymon.io for IPv4 lookups.
CIRCL (Computer Incident Response Center Luxembourg) for CVE lookups.
PassiveTotal for FQDN Whois lookups.
MISP for MD5 and SHA2 lookups (if you want more, submit an issue on its GitHub).

Now load up the infos

In order to use a threat feed service you need to register, and eventually contribute to the data sets like other people do. Much of the free and openly accessible threat information is community based. That means you need to take this information with a grain of salt. Policies differ between companies and cultures. What you deem acceptable, or malicious, may not be what someone else concludes.
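As an added example (not from the original post and not ThreatPinch code), a small Python enrichment routine that pulls the four indicator types the extension looks up (IPv4, FQDN, MD5, SHA-2) out of log lines, scores each indicator by how many feeds agree on it (the "grain of salt" rule above), and defangs indicators for display so a browser or wiki will not resolve or pre-fetch them. The log lines and the feed answers are constructed stand-ins for what real API lookups would return.

```python
import re
from collections import defaultdict

# Patterns for the indicator types ThreatPinch looks up: IPv4, FQDN, MD5, SHA-2.
# Hashes come first so a 64-char SHA-256 is never reported as an MD5 as well.
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "fqdn": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),  # naive: no public-suffix list
}

# Constructed stand-in for what several feed lookups would answer
# (indicator -> feeds that flagged it). Every value here is made up.
LOCAL_FEEDS = {
    "203.0.113.42": {"feedA", "feedB"},
    "bad.example.net": {"feedA"},
    "deadbeefdeadbeefdeadbeefdeadbeef": {"feedA", "feedB", "feedC"},
}
# Constructed IDS / AV / proxy log lines using documentation addresses and example.* names.
SAMPLE_LOGS = [
    "2024-03-04T10:00:00Z ids alert sid=2024001 src=203.0.113.42 dst=192.0.2.10 sni=bad.example.net",
    "2024-03-04T10:00:05Z av quarantine host=ws-07 md5=deadbeefdeadbeefdeadbeefdeadbeef",
    "2024-03-04T10:00:09Z proxy allow src=192.0.2.10 host=docs.example.org bytes=4120",
]

def extract_iocs(line):
    """Return {ioc_type: {values}} found in one log line, lower-cased for lookup."""
    found = defaultdict(set)
    for ioc_type, pattern in IOC_PATTERNS.items():
        for match in pattern.finditer(line):
            found[ioc_type].add(match.group(0).lower())
    return dict(found)

def defang(ioc):
    """Render an indicator so a browser, mail client or wiki will not resolve or prefetch it."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")

def enrich(lines, feeds=LOCAL_FEEDS, min_sources=2):
    """Score each indicator by how many feeds flag it; min_sources is the 'grain of
    salt' rule: one community feed is a lead to look at, agreement is a stronger signal."""
    verdicts = {}
    for line in lines:
        for ioc_type, values in extract_iocs(line).items():
            for value in values:
                sources = sorted(feeds.get(value, set()))
                verdicts[value] = {"type": ioc_type, "sources": sources,
                                   "flag": len(sources) >= min_sources, "display": defang(value)}
    return verdicts
```

Swap `LOCAL_FEEDS` for the per-feed API answers and the same scoring works over a CSV exported from Splunk or Sumo Logic.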

IBM X-Force

With the Star Wars style name, the Imperium… er, IBM… has a threat intel service that’s useful to me these days.

IBM X-Force Exchange is a cloud-based threat intelligence sharing platform enabling users to rapidly research the latest security threats, aggregate actionable intelligence and collaborate with peers. IBM X-Force Exchange is supported by human- and machine-generated intelligence leveraging the scale of IBM X-Force.

I have seen it in QRadar as well. Via the Chrome extension, X-Force can aid security investigations in any log that can be loaded in Chrome / Chromium. Given that you can load CSVs and TXTs, that’s almost everything.

X-Force supports a variety of integrations with other Threat Feeds.

RiskIQ Passive Total

RiskIQ has advertised its services to me in one way or another. I found their approaches useful, but often generic.

A threat-analysis platform created for analysts, by analysts. Our goal is to provide analysts with as much data as possible in order to prevent attacks before they happen.

They make use of the Emerging Threats data-sets as well, which is very useful if you use the ET rules for your IDS / IPS.

This service has a vast amount of information, which is good for advanced analysis.

OTX

OTX is straightforward, and open.

Threat Miner

Same thing, different service.

This is why ThreatMiner was created. To free analysts from data collection and provide analysts a portal on which they can carry out their tasks, from reading reports to pivoting and data enrichment.
The emphasis of ThreatMiner isn’t just about indicators of compromise (IOCs) but also to provide analysts with contextual information related to the IOC they are looking at.

And there are many more

Obviously. iDefense, etc. Ideally you also have your own intelligence on top, via MISP.

Maltego CE

Maltego supports these feeds as well, but it’s more work to look up things via Maltego transforms. You can check out the newest Community Edition, add the API keys to it, and perform the lookups. In some cases the graphs look more impressive than the information :slight_smile:

Summary

The combination of Chrome extensions and threat feed APIs allows quick gathering of threat intelligence. Just make sure your browser is well configured in case you load files with a lot of dodgy links.