TruSTAR Project Balerion — Embrace Your Inner Scientist

Shimon Modi, TruSTAR Blog, Jan 14, 2017

For the past few years TruSTAR has been pioneering a new way for organizations and operators to exchange incidents anonymously and make faster and better operational decisions. That objective constantly drives us to think about cyber data differently, and today we are releasing an internally developed tool, Project Balerion, to the community. We will also be presenting a session at ShmooCon this year to walk through the framework.

What is Project Balerion?

Like it or not, cybersecurity professionals are scientists — we collect evidence, set up a hypothesis, analyze it, and drive to a conclusion and a decision. But what is ubiquitous in any scientist’s toolkit, namely statistical inference frameworks, is generally missing from a cyber operator’s analysis toolkit. We don’t believe the reason for this is a lack of desire on the part of the cyber community, but rather that there hasn’t been a focus on making these statistical frameworks more pragmatic and operator friendly.

Project Balerion aims to lower the barrier to entry for those interested in exploring the application of statistics to everyday cyber analysis. Project Balerion was designed specifically for Remote Access Tool (RAT) hunting and for giving cyber operators a consistent way of reducing uncertainty in their analysis. Our implementation uses Fidelis’ Barncat Intelligence Database to give operators the probability of classifying an IoC of interest as belonging to each of a set of previously observed RATs or malware campaigns. To learn more about the underlying computational model you can read this blog.

How do I use it?

If you have a set of IoCs and you are interested in learning the probability of those IoCs being used by two or more RATs or campaigns, you are in luck! There are two different ways you can take advantage of Project Balerion.

  1. Download Project Balerion from our GitHub repository and run it on localhost. There are two ways to do this:
  • You can download our pre-populated Neo4j graph db with a subset of the complete Fidelis Barncat samples, or
  • You can request the full dataset from Fidelis and populate the graph db yourself. Please note that a full data upload can take a few days.

  2. Go to the TruSTAR hosted implementation of Project Balerion (to be released next week), input your IoCs through the webapp, and see the results.
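To make the question posed above concrete (what is the probability that an IoC belongs to each previously observed RAT family, and has it been seen with two or more families?), here is a small added illustration. It is not Project Balerion’s code or its computational model, and it does not use the Barncat data or Neo4j; it assumes a simplified count-based model over an in-memory table of constructed (IoC, family) observations, with additive smoothing so that an IoC never observed with a family still receives a non-zero probability. The IoC strings and family names are invented.

```python
"""Toy IoC-to-RAT-family classification over a constructed observation set.

Added example: a simplified count-based model, not Project Balerion's own
model or code. Observation tuples below are invented for illustration.
"""
import math
from collections import defaultdict

# Constructed observations: (ioc, rat_family). In a Balerion-style setup these
# would come from a sample database; here they are embedded inline.
OBSERVATIONS = [
    ("c2.example.test", "FamilyA"),
    ("c2.example.test", "FamilyA"),
    ("c2.example.test", "FamilyB"),
    ("198.51.100.7", "FamilyB"),
    ("198.51.100.7", "FamilyB"),
    ("198.51.100.7", "FamilyB"),
    ("beacon.example.test", "FamilyC"),
]


def build_index(observations):
    """Return (ioc -> family -> count, sorted list of all families seen)."""
    index = defaultdict(lambda: defaultdict(int))
    families = set()
    for ioc, family in observations:
        index[ioc][family] += 1
        families.add(family)
    return index, sorted(families)


def family_probabilities(ioc, index, families, alpha=1.0):
    """Estimate P(family | ioc) from observation counts.

    Additive (Laplace) smoothing with pseudo-count alpha keeps every family
    possible; an IoC never seen before gets a uniform distribution, which is
    the honest answer when there is no evidence.
    """
    counts = index.get(ioc, {})
    total = sum(counts.values()) + alpha * len(families)
    return {fam: (counts.get(fam, 0) + alpha) / total for fam in families}


def most_likely_family(ioc, index, families):
    """Return (family, probability) for the highest-probability family."""
    probs = family_probabilities(ioc, index, families)
    fam = max(probs, key=probs.get)
    return fam, probs[fam]


def shared_families(ioc, index, min_families=2):
    """Families that have each actually been observed using the IoC.

    Returns the sorted family list when at least min_families share it,
    otherwise an empty list. Shared infrastructure is the case the
    operator most wants flagged, since one IoC then says less about any
    single campaign.
    """
    fams = sorted(index.get(ioc, {}))
    return fams if len(fams) >= min_families else []


def uncertainty_bits(probs):
    """Shannon entropy of a distribution in bits; higher means less certain."""
    return -sum(p * math.log2(p) for p in probs.values() if p > 0)


if __name__ == "__main__":
    index, families = build_index(OBSERVATIONS)
    for ioc in ["c2.example.test", "198.51.100.7", "unknown.example.test"]:
        probs = family_probabilities(ioc, index, families)
        print(ioc, {k: round(v, 3) for k, v in probs.items()},
              "shared:", shared_families(ioc, index),
              "entropy:", round(uncertainty_bits(probs), 3))
```

The entropy value is a convenient single number for ranking which IoCs in a set would benefit most from further evidence: an IoC observed only with one family will score low, an IoC never seen before scores the maximum (log2 of the number of families), and an IoC shared by several families sits in between.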

Ongoing Support

We would love for the community to dive in and make this their own. We have set up a Slack channel to facilitate discussion among Project Balerion users, and we will also be actively monitoring this channel to provide support.

What’s Next?

We plan on releasing more tools to the community that help us think about data analysis in a more consistent and logical way. We would love to hear about the kinds of challenges where quantitative reasoning would help you with everyday operations.
