Cyber Threat Intel Quest with OpenCTI -Part II

Search and ingestion..

Update : 07/04/24 add gitlab source

Welcome to the exciting continuation of our exploration of OpenCTI! Having established the foundation with a successful installation, we now enter a crucial phase: enriching your platform with relevant and actionable data. In this article, we’ll dive into enrichment strategies, exploring techniques like integrating RSS feeds, using connectors, and much more.

Data enrichment is an essential step to maximizing the value of your OpenCTI platform. By populating your threat intelligence base with data from a variety of sources, you strengthen your ability to proactively anticipate, detect, and respond to threats.

Get ready to learn how to leverage RSS feeds, leverage connectors to automate data ingestion, and enrich your database with crucial information. Let’s dive together into the art of data enrichment in OpenCTI, where each addition helps strengthen your security posture and refine your understanding of the threat landscape.

Here are some steps you can take:

Integration of external sources:
Configure integrations with external threat intelligence sources, such as intelligence feeds, IP reputation databases, threat intelligence services, and more. OpenCTI supports multiple connectors to facilitate these integrations.

Automation of enrichment tasks:
Use scripts or automation tools to collect and add data on a regular basis. For example, you can automate the retrieval of information about domains, IP addresses, hashes, etc.

Manual enrichment:
Encourage analysts to manually enrich data by adding specific information they find relevant. Human analytics can often provide important contextual details.

Using the OpenCTI API:
Explore using the OpenCTI API to import data from other internal sources or security tools already deployed in your infrastructure.

Customizing entity templates:
Customize entity templates in OpenCTI to include specific fields that can be enriched. For example, you could add fields for geolocation information, attack techniques, attacker motivations, etc.

Data correlation:
Use OpenCTI’s correlation features to identify connections between different entities and enrich data accordingly.

Validation of sources:
Make sure the sources you enrich your data from are reliable and relevant to your environment. Avoid incorporating unverified or unreliable data that could lead to errors or incorrect analysis.

Continuous assessment:
Perform a regular data quality assessment in your platform. Remove outdated or incorrect data and update information when necessary.

Here are some examples of data enrichment in OpenCTI, with detailed explanations:

IP address enrichment:

• Use WHOIS lookup services to obtain information about IP address ownership, geographic location, and associated contacts. Integrate this data into OpenCTI IP entities for a better understanding of the source.

{
 "type": "IPv4-Addr",
 "value": "192.168.1.1",
 "description": "Serveur de commandement et de contrôle",
 "createdByRef": "<IDENTIFIANT_DE_LA_SOURCE>",
 "created": "2024–02–23T12:00:00Z",
 "objectMarking": ["TLP:WHITE"]
 }

Domain enrichment:

• Use WHOIS lookup services to obtain information about the domain owner, creation date, and other relevant details. Add this data to domain entities in OpenCTI.

{
 "type": "Domain",
 "value": "example.com",
 "description": "Domaine associé à une campagne de phishing",
 "createdByRef": "<IDENTIFIANT_DE_LA_SOURCE>",
 "created": "2024–02–23T12:00:00Z",
 "objectMarking": ["TLP:AMBER"]
 }

Enrichment of Indicators of Compromise (IoC):

• Research IoC reputation information using threat intelligence services. Add reputation scores or contextual information to IoC entities.

{
 "type": "Indicator",
 "indicator_types": ["malicious-activity"],
 "pattern": "file-hash-sha256 = 'abcdef123456…'",
 "description": "Fichier malveillant téléchargé depuis un site compromis",
 "createdByRef": "<IDENTIFIANT_DE_LA_SOURCE>",
 "created": "2024–02–23T12:00:00Z",
 "objectMarking": ["TLP:RED"]
 }

Attack enrichment:

• Find contextual information about current or past attacks, such as the tactics, techniques, and procedures (TTP) used. Integrate this data into attack entities in OpenCTI.

{
 "type": "Attack-Pattern",
 "name": "Phishing via spearphishing attachment",
 "description": "Utilisation de pièces jointes de spearphishing pour diffuser des malwares",
 "createdByRef": "<IDENTIFIANT_DE_LA_SOURCE>",
 "created": "2024–02–23T12:00:00Z",
 "objectMarking": ["TLP:GREEN"]
 }

Vulnerability enrichment:

• Use vulnerability databases to find information about vulnerabilities associated with current attacks. Integrate this data into vulnerability entities in OpenCTI.

{
 "type": "Vulnerability",
 "name": "CVE-2024–1234",
 "description": "Vulnérabilité dans le logiciel XYZ permettant une exécution de code à distance",
 "createdByRef": "<IDENTIFIANT_DE_LA_SOURCE>",
 "created": "2024–02–23T12:00:00Z",
 "objectMarking": ["TLP:WHITE"]
 }

Manual enrichment:

• Add contextual information manually using the OpenCTI GUI. This may include notes, additional relationships, and other specific details that you have identified.

{
 "type": "Note",
 "abstract": "L'attaquant utilise des techniques de spearphishing basées sur des documents Word malveillants.",
 "createdByRef": "<IDENTIFIANT_DE_LA_SOURCE>",
 "created": "2024–02–23T12:00:00Z",
 "objectMarking": ["TLP:AMBER"]
 }

To do this you will have to search for flows, create scripts, etc.
We’re all going to do this together

RSS Feed

RSS feeds can be utilized as a source of threat intelligence data. RSS (Rich Site Summary or Really Simple Syndication) is a web feed format commonly used for publishing frequently updated content, such as news headlines, blog posts, or other types of information. In OpenCTI, you can leverage RSS feeds to automatically import and integrate threat intelligence data from various sources.

Let’s start by looking for known rss feeds. Here is a first exhaustive list :

http://feeds.trendmicro.com/TrendMicroSimplySecurity http://www.theregister.co.uk/security/headlines.atom http://thehackernews.com/feeds/posts/default
https://thedfirreport.com/feed/ SecurityWeek
http://feeds.feedburner.com/Securityweek
http://securityaffairs.co/wordpress/feed
https://securelist.com/feed/
https://blogs.sans.org/computer-forensics/feed/
http://researchcenter.paloaltonetworks.com/feed/ http://packetstormsecurity.org/headlines.xml
http://blogs.technet.com/msrc/rss.xml
http://blogs.technet.com/mmpc/rss.xml
http://blog.malwarebytes.org/feed/
http://blog.zeltser.com/rss
http://krebsonsecurity.com/feed/
http://www.hexacorn.com/blog/feed/
http://feeds.feedburner.com/hackread
http://feeds.feedburner.com/darknethackers
http://www.darkreading.com/rss/all.xml
http://vrt-sourcefire.blogspot.com/feeds/posts/default
https://www.us-cert.gov/ncas/alerts.xml
http://www.bleepingcomputer.com/feed/
http://feeds.trendmicro.com/Anti-MalwareBlog/

Once imported, remember to start them..

Now let’s look for other resources, we will look at the concept of OpenCTI

OpenCTI Ecosystem | Notion

Connectors

Connectors are plugins or modules that facilitate the integration of external tools, services, or datasets with the OpenCTI platform. These connectors enable OpenCTI to interact with external systems, import threat intelligence data, and export information, creating a more comprehensive and interconnected threat intelligence environment.

Connectors

Key aspects of connectors in OpenCTI include:

Data Ingestion:

• Connectors allow OpenCTI to ingest data from various external sources. This can include feeds from threat intelligence providers, information from external databases, or data collected from different security tools.

Enrichment:

• Connectors play a role in enriching existing data within OpenCTI by fetching additional context or details from external services. This enrichment enhances the overall quality and relevance of the threat intelligence data.

Automation:

• Connectors support automation by enabling OpenCTI to automatically fetch, update, and synchronize threat intelligence data with external sources. This helps in maintaining real-time and up-to-date information within the platform.

Integration with External Tools:

• Connectors facilitate integration with external security tools and platforms. This ensures seamless collaboration between OpenCTI and other cybersecurity solutions, allowing for a more unified and efficient threat intelligence workflow.

Customization:

• OpenCTI supports the creation of custom connectors to tailor integrations based on specific organizational needs. Organizations can develop connectors to interact with proprietary systems or sources not covered by standard connectors.

Examples of connectors in OpenCTI might include integrations with threat intelligence feeds, SIEM (Security Information and Event Management) systems, incident response platforms, or other cybersecurity tools.

The use of connectors in OpenCTI enhances its capabilities for collecting, analyzing, and disseminating threat intelligence, creating a more comprehensive and collaborative approach to cybersecurity.

Let’s Start …

Mittre

The MITRE ATT&CK framework has become widely used in the cybersecurity community for threat intelligence, red teaming, and blue teaming activities. It assists organizations in understanding the tactics and techniques that threat actors may employ during different stages of the cyber kill chain.

In summary, MITRE is a significant organization that contributes to various areas of research and development, including cybersecurity through the MITRE ATT&CK framework.

connectors/external-import/mitre/docker-compose.yml at master · OpenCTI-Platform/connectors

AbuseIP

AbuseIPDB is a service that provides a public database of IP addresses associated with malicious activities or abusive behavior. The service allows users to report and check IP addresses that have been involved in activities such as hacking, spamming, or other forms of malicious behavior. The goal is to help organizations and individuals identify and block potentially harmful IP addresses from their networks.

You can create a connector from this service, you juste have to create an API Key,

Afterwards all you have to do is add the service in your docker-compose.yml :

Abuse SSL

The SSL Blacklist (SSLBL) is a project of abuse.ch with the goal of detecting malicious SSL connections, by identifying and blacklisting SSL certificates used by botnet C&C servers. In addition, SSLBL identifies JA3 fingerprints that helps you to detect & block malware botnet C&C communication on the TCP layer.

If everything works you should see this:

Alienvault

AlienVault is a cybersecurity company that provides threat detection and response solutions for businesses. The company is known for its Unified Security Management (USM) platform, which integrates essential security capabilities into a single platform to help organizations detect and respond to threats more efficiently.

CISA

CISA is a U.S. federal agency under the Department of Homeland Security (DHS). Its mission is to enhance the cybersecurity posture of the nation’s infrastructure and ensure the protection of critical infrastructure from physical and cyber threats. CISA provides a range of services, including risk assessments, incident response assistance, and the dissemination of cybersecurity information to both public and private sector partners.

Crowdstrike Console

You have to create an account for personal use only

CrowdSec Console

URLScan.IO

Urlscan.io is an online service that provides a platform for scanning and analyzing websites for potential security threats and malicious activities. The primary purpose of urlscan.io is to help cybersecurity professionals, researchers, and the community at large in identifying and understanding potential risks associated with specific URLs or websites.

Key features of urlscan.io include:

Web Page Scanning:

• Users can submit URLs to urlscan.io for analysis. The service then retrieves and scans the content of the specified webpage, examining various elements such as HTML, JavaScript, and other resources.

Screenshot Capture:

• urlscan.io captures screenshots of the analyzed web pages, providing a visual representation of how the webpage appears to users.

Behavioral Analysis:

• The service conducts behavioral analysis by emulating the webpage in a controlled environment to identify any potentially malicious or suspicious behavior.

Domain and IP Information:

• urlscan.io provides information about the domain and IP address associated with the scanned URL, aiding in the identification of potentially malicious infrastructure.

Submission API:

• urlscan.io offers an API (Application Programming Interface) that allows users to programmatically submit URLs for analysis and retrieve the results. This is particularly useful for incorporating urlscan.io into automated workflows or security solutions.

1. Search and Analysis Tools:

• Users can search the urlscan.io database for historical scan results and leverage analysis tools to explore relationships between different URLs, domains, and IP addresses.

Overall, urlscan.io is a valuable tool in the cybersecurity community for conducting web page analysis, identifying potential threats, and sharing threat intelligence. It serves as a resource for security professionals to enhance their understanding of the threat landscape and take proactive measures to protect against malicious activities.

URLHaus

URLhaus is a cybersecurity service and online database that focuses on collecting, sharing, and analyzing malicious URLs (Uniform Resource Locators) associated with various cyber threats. The primary goal of URLhaus is to provide a platform for the cybersecurity community to collaboratively combat online threats by sharing information about malicious URLs and the malware they host.

URLhaus API

ThreatFox

ThreatFox is a service that provides information about various types of cyber threats, particularly related to malicious infrastructure on the internet. ThreatFox focuses on monitoring and cataloging data related to malicious domains, IP addresses, and other indicators of compromise.

ThreatFox API

TAXII

Cyware

https://cyware.com/resources/threat-intel-feeds

I will update these elements if I find others.

Concluding this article on data enrichment in OpenCTI, you have taken a significant step in strengthening your cybersecurity arsenal. By incorporating RSS feeds, leveraging connectors, and enriching your platform with diverse data, you have expanded your ability to identify and understand the threats looming over your environment.

It is important to emphasize that the dynamic nature of the cyber landscape requires constant updating of your data. With OpenCTI, you’re prepared to meet this challenge by integrating new information, adjusting your enrichment flows, and maintaining an up-to-date understanding of threat trends.

Stay tuned for our next article, where we will explore the OpenCTI platform overview in detail. We’ll cover advanced features, best practices for day-to-day management, and how to maximize the effectiveness of your use of OpenCTI. Together, let’s continue to strengthen your security posture and elevate your ability to anticipate and counter future threats.

GitLab Source

In order to save time for the connectors, I created a git repository with the connectors and even the environment variables, just put your credentials

https://gitlab.com/opencti/opencti_source

Will be updated as time goes on…

Next step in Part III…