Threat Intelligence with Anomali STAXX

ADAM
3 min read · Jan 11, 2018


If you follow me on Twitter then you probably already know I am an Anomali STAXX fanboy. Lying around in a turkey-induced food coma, I thought I would do a quick write-up on STAXX. So what exactly is STAXX anyway? STAXX is a quick and very easy way to pull multiple threat intelligence feeds, delivered as STIX over TAXII, into one platform. Some key features are a very easy on-prem install, free feeds from Anomali LIMO (or bring your own), a very powerful search UI, and access to STAXX’s advanced investigation features.

This post will not touch on the installation of STAXX (it’s pretty much importing a VM and you’re good to go). Below is the opening-page dashboard, a quick glance at 7 days of intelligence pushes. You can filter down by various indicator types such as phish_url, apt_url, mal_md5, scan_ip, etc.

Our SOC team has given us a site that has been lighting the SIEM up with alerts and has asked the Intel team to do a little more research on it: hxxp://jimmyxyz.c0m (don’t visit any of these sites, as they are hosting real malware). Head over to the Activity page and do a search for Jimmy. As you can see below, we get quite a few hits on jimmyxyz across various PHP pages, some of them intel we did not previously have.

Now, let’s drill down and get more info on jimmyxyz.

We can also use the quick Analysis links to find more information on this site (VirusTotal).

Now we have some file names and SHA256s. Note that some of them are not currently being detected by any AVs. At this point we could pass this information to the SOC (SIEM) and have them write an alert that searches payloads for these file names.

Adding feeds: by default STAXX comes with Anomali LIMO. Within a few minutes I had added the AlienVault and IBM X-Force feeds.

Each feed can be completely customized: what’s pulled, when it’s pulled, etc.
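STAXX does the indicator search in its UI; as an added example (not Anomali’s code, and not from the original post), here is the hand-off step in plain Python: pull indicator patterns out of a STIX 2 JSON bundle of the kind a TAXII collection delivers, then run them against sample proxy/EDR events the way the SOC alert described above would. The bundle, the domain, hash and file name, and the `url`/`file_name`/`sha256` event field names are all constructed placeholders, and the page does not say which STIX version the feeds use.

```python
import json
import re

# Constructed STIX 2 bundle (placeholder domain, hash, file name) standing in for a TAXII feed such as LIMO.
FAKE_SHA256 = "0123456789abcdef" * 4
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "indicator", "pattern": "[url:value = 'http://jimmyxyz.example/wp-content/load.php']"},
    {"type": "indicator", "pattern": f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"},
    {"type": "indicator", "pattern": "[file:name = 'invoice_0412.exe']"},
    {"type": "malware", "name": "not an indicator object, skipped"},
]})

# Single-comparison STIX pattern: [object-type:property.path = 'value']; path segments may be quoted.
PATTERN_RE = re.compile(
    r"^\[([a-z0-9-]+):((?:[a-z_]+|'[^']+')(?:\.(?:[a-z_]+|'[^']+'))*)\s*=\s*'([^']*)'\]$")

# Which log field each STIX object path lands in for this (constructed) SIEM schema.
FIELD_MAP = {"url:value": "url", "file:name": "file_name", "file:hashes.SHA-256": "sha256"}

def norm(path, value):
    """Hashes compare case-insensitively; everything else is matched verbatim."""
    return value.lower() if "hashes" in path else value

def extract_indicators(bundle_json):
    """Map normalised STIX path -> set of values taken from the bundle's indicator objects."""
    out = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:  # compound / temporal patterns would need a real STIX pattern parser
            continue
        path = m.group(1) + ":" + m.group(2).replace("'", "")
        out.setdefault(path, set()).add(norm(path, m.group(3)))
    return out

def match_events(indicators, events):
    """Return (event_id, stix_path, value) for every event field that hits an indicator."""
    hits = []
    for ev in events:
        for path, field in FIELD_MAP.items():
            if field in ev and norm(path, ev[field]) in indicators.get(path, ()):
                hits.append((ev["id"], path, norm(path, ev[field])))
    return hits

# Constructed proxy/EDR events; event 2 reports the hash upper-cased, event 3 is benign.
EVENTS = [
    {"id": 1, "url": "http://jimmyxyz.example/wp-content/load.php"},
    {"id": 2, "file_name": "invoice_0412.exe", "sha256": FAKE_SHA256.upper()},
    {"id": 3, "url": "http://intranet.example/ok", "sha256": "ff" * 32},
]
```

Running `match_events(extract_indicators(STIX_BUNDLE), EVENTS)` flags events 1 and 2 and leaves event 3 alone; a real deployment would replace `STIX_BUNDLE` with the TAXII poll response and `EVENTS` with the SIEM query.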

I highly recommend any SOC or Intel analyst spend a little time doing a deep dive into Anomali STAXX. There are some paid features that will unlock more details on the threats. I am currently only using the free versions, as I am on my own dime for all things InfoSec. I have yet to take the time to review their other product line, but I have heard great things about their Enterprise-level products. You can check out their full product line here: https://www.anomali.com/platform
